France’s data regulator CNIL has issued some recommendations for French services that handle health data, as Mediapart first reported. Those services should avoid using American cloud hosting companies altogether, such as Microsoft Azure, Amazon Web Services and Google Cloud.
Those recommendations follow a landmark ruling by Europe’s top court in July. The ruling, dubbed Schrems II, struck down the EU-US Data Privacy Shield. Under the Privacy Shield, companies could outsource data processing from the EU to the US in bulk. Due to concerns over US surveillance laws, that mechanism is no longer allowed.
The CNIL is going one step further by saying that services and companies that handle health data should also avoid doing business with American companies — it’s not just about processing European data in Europe. Once again, this is all about avoiding falling under U.S. regulation and rulings.
The regulator sent those recommendations to one of France’s
A survey of responses from more than 30 companies to questions about how they’re approaching EU-US data transfers in the wake of a landmark ruling (aka Schrems II) by Europe’s top court in July, which struck down the flagship Privacy Shield over US surveillance overreach, suggests most are doing the equivalent of burying their head in the sand and hoping the legal nightmare goes away.
European privacy rights group, noyb, has done most of the groundwork here — rounding up in this 45-page report responses (some in English, others in German) from EU entities of 33 companies to a set of questions about personal data transfers.
It sums up the answers to the questions about companies’ legal basis for transferring EU citizens’ data over the pond post-Schrems II as “astonishing” or AWOL — given some failed to send a response at all.