After Privacy Shield

Most of the big Internet companies are US-based, and it’s likely that a lot of “PII” (personally identifiable information) about Europeans crosses the Atlantic for storage and processing in the US. European data controllers (whether a big company or just an ordinary blogger like me) used to be able to rely on the Privacy Shield agreement between the EU and the US to ensure that they were transferring data to US processors in a way that complied with the European GDPR. US data processing companies could self-certify that they complied with the principles in the Privacy Shield agreement and then be considered safe to handle the personal data of European citizens.

The Schrems II judgement of the Court of Justice of the European Union changed all that. Max Schrems, an Austrian privacy campaigner, brought a case against Facebook for transferring his data to the US. He argued that, since US privacy laws were much weaker than European ones (in particular the powers of the American intelligence agencies were much greater), the data of Europeans was not adequately protected; the CJEU accepted this argument. This caused a great deal of confusion: in principle, Standard Contractual Clauses were still a valid alternative, but this just passed the buck to individual data controllers, and the clauses were open to legal challenge on the same grounds.

In order to try and clarify the situation, the European Data Protection Board issued recommendations for the way that data transfers to non-EU countries should be carried out. The recommendations reflect the outcome of Schrems II and have far-reaching implications. In summary, if the third country does not provide protection of privacy equivalent to European law, then the data should be encrypted using strong encryption, both in transit and at rest. That effectively means that without an EU adequacy decision recognising that a third country provides sufficient privacy protection, European data can only be exported to passive storage providers in that country, who do not need to interact with the content of the data. In reality it means that the safest solution to acquiring higher-level services is to use EU-based data processors. So, no US hosting, no Mailchimp, no US-based content security etc. etc.

Since Schrems II, the EU and US have negotiated a new Data Privacy Framework as a replacement for the Privacy Shield agreement. However, this doesn’t fix the fundamental problems with US privacy law, and a third Schrems case is expected. As a consequence of all this uncertainty, I’ll be reviewing all the data processors that this blog uses and gradually migrating to EU replacements where necessary and possible.