EU-US Privacy Shield: “Shields Failing”

By | September 2, 2020

Working with geospatial data in the areas I do means I have to keep up to date with the rules and regulations surrounding the use of data. There has been an interesting development recently with the EU – US Privacy Shield framework, which (until recently) underpinned many data transfers outside of the EU (including for my freelance work). I’m a bit surprised by how little coverage there has been.

Like most websites, I have a Privacy Policy which says what personal data I collect, what I do with it, and particularly where I store it. Any data collected by the big four (Google, Facebook, Amazon, Apple) is usually stored in the US and most Privacy Policies (including my own) include this phrase:

“Google are certified under the EU – U.S. Privacy Shield framework (https://cloud.google.com/security/gdpr/).”

However, with a recent Court of Justice of the European Union ruling on data transfers, the EU – US Privacy Shield has essentially been thrown in the bin (BBC). You may have had various emails talking about moving to Standard Contractual Clauses (SCCs), which means that companies are still doing what they are doing with your data, but they are updating their user terms and conditions (which many people don’t read anyway) to gain your consent to transfer your personal data to the US.

The shields are no longer holding. (This is the nearest I could find!)
https://giphy.com/gifs/startrek-star-trek-voyager-gjCKzSqLLXmE52XVbJ

I decided to take this opportunity to go through and update my Privacy Policy, which we should do regularly anyway.

I also made the decision to move away from Gmail, which I have been using for my email provision. While Gmail is a great tool, there have always been some question marks about their use of scanning emails to provide ads, and many people are strongly against it, including Mark Hurst, whose blog I would recommend. My use of Gmail also meant that people emailing me had no choice about whether their details were sent across the pond – which doesn’t really fit with the ethos of GDPR (putting aside the legal issues).

Now I use email hosted by my website provider (AWKE), who are a small, bespoke website consultancy whose servers are in Telehouse, Docklands, UK and Maidenhead, UK. They use RoundCube, which works well as a web-based interface, and also offer IMAP access.

Going through my privacy policy, some reliance on US organisations is still needed, including MailChimp, Dropbox and Amazon Web Services. However, I have managed to move my email away, and if my customers don’t want their details sent over to the US, it can now be done. And if you are particularly paranoid, you can send me an encrypted email using PGP.

Bonus Star Trek thought for the day: