netsecblog.info - netsecblog | Notes on Internet security and other IT issues

Example domain paragraphs

Most of the big Internet companies are US-based, and it’s likely that a lot of “PII” (personally identifiable information) about Europeans crosses the Atlantic for storage and processing in the US. European data controllers (whether a big company or just an ordinary blogger like me) used to be able to rely on the Privacy Shield agreement between the EU and the US to ensure that they were transferring data to US processors in a way that complied with the European GDPR. US data processing companies could sel

The Schrems II judgement of the Court of Justice of the European Union changed all that. Max Schrems, an Austrian privacy campaigner, brought a case against Facebook for transferring his data to the US. Since US privacy laws were much weaker than European ones (in particular the powers of the American intelligence agencies were much greater), the data of Europeans was not adequately protected: the CJEU accepted this argument. This caused a great deal of confusion: in principle, Standard Contractual Clauses

Since Schrems II, the EU and US have negotiated a new Data Privacy Framework as a replacement for the Privacy Shield agreement. However, this doesn’t fix the fundamental problems with US privacy law and a third Schrems case is expected. As a consequence of all this uncertainty, I’ll be reviewing all the data processors that this blog uses and gradually migrating to EU replacements where necessary and possible.