Data knows no boundaries however GDPR enforcement could jeopardize data flows from Europe to the U.S. and EU cannot meet its digital aspirations to be ‘world-class data hub’ if it cannot balance privacy and commerce when it comes to trans-Atlantic data.

EU Data Protection Agencies are vigorously enforcing violations of GDPR against U.S. tech companies, but few changes have been made to their business model of exchanging free services for personal data.

  1. Microsoft moves to complying with EDPB guidance following the CJEU’s Schrems II judgment by the end of 2022 and will allow commercial and public sector customers in the European Union to process and store all their data in the region. This may result in Microsoft to be in non-compliance with the Schrems II judgment from July 2020 until the end of 2022.
  2. Facebook Inc. lost a bid to block a European Union privacy decision that could suspend its ability to send information about European users to U.S. computer servers, opening a pathway toward a precedent-setting interruption of its data flows. Last week Ireland’s High Court dismissed all of Facebook’s procedural complaints about a preliminary decision on data flows that it received in August from the country’s Data Protection Commission. It rejected Facebook’s claims that the privacy regulator had given it too little time to respond or issued a judgment prematurely.
  3. Until recently tech lobbyists suggested that data flows were largely unaffected, with only contractual (BCR) changes necessary. However, this is not the case as EU regulators, have started issuing orders to suspend some data transfers. Last month Portugal’s privacy regulator ordered the national statistics agency to stop sending census data to the U.S., where it was being processed by Cloudflare Inc.

There are several other issues the global tech companies must address to comply with GDPR to defend its data transfers outside of the EU even though it is damaging to end-users and other businesses.

  • That ruling restricts how companies like Facebook could send personal information about Europeans to the U.S., because it found that Europeans had no effective way to challenge American government surveillance.
  • How Ireland and other EU courts enforce the ruling affects EU privacy enforcement for several other big tech companies, which have their European headquarters in the country.

At the next online webinar, the 14th annual GDPR/GRC and IT Security Summit on the 14th of November 2021, we review how major global tech companies must re-engineer (as the step towards being compliant by design) its services to structure and silo privacy data it collects from European users or stop serving them entirely or how the battle over big-tech privacy protections will play out?