Data knows no boundaries; however, GDPR enforcement could jeopardize data flows from Europe to the U.S., and the EU cannot meet its digital aspirations to be a ‘world-class data hub’ if it cannot balance privacy and commerce when it comes to trans-Atlantic data.

EU data protection agencies are vigorously pursuing GDPR violations by U.S. tech companies. Still, those companies have made few changes to their business model of exchanging free services for personal data.

  1. Microsoft will move to comply with EDPB guidance following the CJEU’s Schrems II judgment by the end of 2022. It will allow commercial and public sector customers to process and store all their data in the region. This may result in Microsoft being non-compliant with the Schrems II judgment until the end of 2022.
  2. Facebook Inc. lost a bid to block a European Union privacy decision that could suspend its ability to send information about European users to U.S. computer servers, opening a pathway toward a precedent-setting interruption of its data flows. Last week Ireland’s High Court dismissed all of Facebook’s procedural complaints about a preliminary decision on data flows that it received in August from the country’s Data Protection Commission. It rejected Facebook’s claims that the privacy regulator had given it too little time to respond or issued a judgment prematurely.
  3. Until recently, tech lobbyists suggested that data flows were largely unaffected, with only contractual (BCR) changes necessary. However, this is not the case, as EU regulators have started issuing orders to suspend some data transfers. For example, last month, Portugal’s privacy regulator ordered the national statistics agency to stop sending census data to the U.S., where Cloudflare Inc. was processing it.

Global tech companies must address several other issues to comply with GDPR and defend their data transfers outside the EU, even though it is damaging to end-users and other businesses.

  • The Schrems II ruling restricts how companies like Facebook could send personal information about Europeans to the U.S. because it found that Europeans had no practical way to challenge American government surveillance.
  • How Ireland and other EU courts enforce the ruling affects EU privacy enforcement for several other big tech companies with their European headquarters.

At the next online webinar, the 14th annual GDPR/GRC and IT Security Summit on the 14th of November 2021, we review how major global tech companies must re-engineer their services (as a step towards being compliant by design) to structure and silo the privacy data they collect from European users, or stop serving them entirely, and how the battle over big-tech privacy protections will play out.