In the summer of 2020, the EU ruling known as “Schrems II” was issued, invalidating the data protection agreement between the EU and the US known as the Privacy Shield agreement. The ruling poses major challenges for the many Swedish companies and authorities that currently rely on American cloud service providers to secure all data subject to the GDPR.
With the American services, you risk violating European legislation.
Many Swedish and European companies and authorities currently use cloud services and other IT services from American providers. Although these providers often have their data centres within the EU, their services are often dependent on the transfer of personal data to the US, for example for the purpose of providing support services. Under the GDPR rules, all EU citizens have an established right to protection of their privacy and personal data. On 16 July 2020, the European Court of Justice ruled that the Privacy Shield agreement between the EU and the US does not provide sufficient protection for personal data when it is transferred to the US.
Privacy Shield was an agreement between the European Commission and the US government on a solution for transatlantic transfers of personal data. Recipients in the US could choose to certify themselves against a set of rules; simply put, companies and other organisations could voluntarily promise to maintain a standard similar to that in the EU. The invalidation of Privacy Shield means that it is no longer permitted for data controllers in the EU to transfer personal data to recipients in the US on the basis of Privacy Shield.
This poses major challenges for Swedish companies and organisations, which now need to evaluate their use of services where they risk violating European legislation by transferring data to the United States. Each data controller must now make its own assessment, based on its own transfers and its own purposes.
There are no generally viable alternatives to the Privacy Shield
Several American operators have responded that they are now switching to standard contractual clauses, a contract-based alternative to Privacy Shield that is signed between the transferor and recipient of personal data. Here, the European Court of Justice states that if standard contractual clauses are to be used to legitimise transfers, the transferor must first assess the legal situation in the recipient country and whether it is sufficiently good to ensure that the transferred personal data is protected. There is still no guidance on whether standard contractual clauses are sufficient to protect personal data transferred to the United States under the GDPR.
The standard contractual clauses therefore remain valid, but a concrete assessment should be made of the rules in the country where the recipient is established. In light of the European Court of Justice's statements in its ruling on the level of protection of personal data in the United States, there is much to suggest that a transfer to the United States based on the model clauses may also be considered unlawful.
Choose IT infrastructure that is sustainable for your digitalisation in the long term
Cloud infrastructure is the very foundation of digital transformation. Many Swedish companies and organisations now need to evaluate and find long-term sustainable complements and alternatives to American IT support that comply with and protect European laws and values. In the long term, the ruling against Privacy Shield will therefore have positive effects, as it will lead to increased local competition in cloud services and IT operations, a higher level of digital innovation in Sweden and more choices for Swedish cloud buyers.
There are already strong Swedish alternatives on the market today. At Binero, we help companies and organisations with cloud and infrastructure services from our own data centre north of Stockholm.
Contact us and we will tell you more!