undefined | Better HN

0 pointscnorthwood4y ago0 comments

Point 1 isn't true. You've been able to send personal data (PII being the specific US legal term) to the US no problem - as long as you had "standard contractual clauses" (SCCs) as part of your contract with them that the company meets GDPR requirements. This is the same agreement to send data to any country outside the EU where there isn't a pre-existing agreement. I believe this ruling is saying that it's not possible for a US company to comply with the SCCs because US law doesn't allow them to do so.

0 comments

lmkg4y ago

The original ruling was nuanced, and this ruling is clarifying some gray area inside of it.

The ruling on Schrems II (the court case that struck down Privacy Shield) did not state that SCCs on their own would be sufficient. It said that SCCs + "additional safeguards" would be allowable. There have been several rulings already that SCCs on their own are not sufficient.

The "additional safeguards" must include a risk analysis of US access to EU residents' data. Every court case I've seen from Schrems II onward identifies the US CLOUD Act as the privacy risk to address. CNIL is basically ruling that you cannot transfer data to a US company subject to the CLOUD Act, and an SCC cannot deal with that. This still leaves open the possibility of using US services that are not subject to the CLOUD Act. This is consistent with all rulings to date.

fprct4y ago

Wait, wouldn't that imply that EU startups can't host their infra on GCP, AWS or Azure? I'm not even talking about analytics - just about simple user email required to login would be problematic now.

judge20204y ago

Pretty much, it really sounds like Schrems II + this ruling mean that US corporations can't be involved with EU at all besides via licensing software to a completely independent EU corporation (which isn't a given either, though, since the US company could threaten withholding software updates/revoking the software license to pressure the EU corporation to hand over EU citizen data to US Law Enforcement).

altairprime4y ago

Yes, that is correct.

AdriaanvRossum4y ago

Isn't that the same as point 1?

j / k navigate · click thread line to collapse