With the collapse of the EU-US Privacy Shield and the unworkability of SCCs, all subprocessing activities have been onshored to UK/EU data centres only
As of December 2020, Ideal Postcodes has onshored data processing activities to the UK or EU. We took this step after much consideration. We now believe that if any data is processed in the US, it will be virtually impossible to stay GDPR compliant because:
-
The EU-US Privacy Shield is no longer adequate as of July 2020
-
Proposed Standard Contracting Clauses (SCCs) are unworkable. The additional technical measures required make the majority of useful modern data processing tasks impossible
All businesses that process any EU citizen data in the US will also need to address this issue soon. We believe the only way to fully and confidently address this issue is to drop the US as a data processing jurisdiction altogether.
What Happened
In July 2020, the Court of Justice of the European Union (ECJ) ruled that US privacy standards were inadequate with respect to GDPR. The primary issue is the US Government can seize EU citizen stored on its territory without providing sufficient recourse to affected parties. As a result, the EU-US Privacy Shield would no longer be a valid instrument for GDPR compliance.
This ruling was a shock, but not unexpected given the ability and the history of US government interference with local data protection. As early as October 2020, the European Data Protection Supervisor issued advice to avoid transfers of personal data towards the US for new processing operations.
Now deep into 2021, there's no simple way to process your users' data in the US with adequate protection, and there doesn't appear to be a workable, readily adoptable solution on the horizon.
Time is running out before the new ruling is widely applied. Facebook have already been instructed by Ireland's Data Protection Commission to stop processing EU citizen data in its US data centers by Summer 2021 or risk a fine (4% of revenue).
What about Standard Contracting Clauses?
The ECJ suggested it may be possible (with some work) to adopt Standard Contracting Clauses to maintain compliance. However, we found the technical hurdles to achieve this are high and render many data processing activities unworkable.
Global cloud computing providers like AWS, Azure and Google have tried to bridge the Privacy Shield by appending the EC's draft Standard Contractual Clauses to their data processing agreements. But as long as these vendors can decrypt your data (i.e. they handle encryption on your behalf) or can intercept your decryption keys over their network, then US authorities can still seize your data.
Staying compliant using SCCs and additional technical measures are unworkable except for extremely simple use cases.
Our Response
With the collapse of the EU-US Privacy Shield and the unworkability of SCCs, we opted to onshore all our data processing activities to the UK (or EU if not possible). That means any service which is affected an address request, (like logging, telemetry, backups, databases and data aggregation) had to be migrated, reworked or rebuilt so that data would not cross into a non-UK/EU jurisdiction.
We found this issue to be critically important for public sector entities and financial institutions, which place the highest value on adherence to data privacy laws.
We're pleased to say this effort was completed by December 2020. During this process we:
-
Dropped several subprocessors which only had a US presence or US subprocessors
-
Relocated our cloud services to UK/EU datacentres only
-
Developed and stood up in house solutions for the most sensitive data processing activities
Additionally, we're working on onshoring all data processing activities to the UK in light of the possible uncertainty around UK-EU data adequacy.