With the risks of revocation or suspension of Privacy Shield now escalating, reliance on Privacy Shield alone is inadvisable. Firms could consider the use of the EU Standard Contractual Clauses, although these are also being challenged in the European courts, or prepare for whatever other methods are approved by the EU regulatory authorities following the Privacy Shield review. A more certain (risk-free) course of action would be to opt for complete data sovereignty (especially for personal data), for example by retaining the data in the UK and using a UK-based service provider for these workloads.
Firms that operate in the US are subject to US law, including FISA and the CLOUD Act, neither of which will easily be incorporated into the next version of Privacy Shield. While such firms can offer a level of data residency (keeping your data in the UK), the CLOUD Act eliminates protection for data stored overseas and gives them no legal recourse to withhold data from the NSA and other US law enforcement bodies, meaning that they cannot guarantee data sovereignty.
Europe's #PrivacyShield threat deadline has passed and no-one in Washington has blinked. As @BillMew explains: the only certain (risk-free) answer is complete data #sovereignty: retaining data in UK and using a UK-based service provider @WhoStu @diginomica https://t.co/h69lYLMIEy pic.twitter.com/LiNIChsvZ6
— Bill Mew (@BillMew) September 4, 2018
#PrivacyShield was created in a rush and has had limited support from the US side. Efforts to improve it have failed and the EU is running out of patience. @BillMew from @ukcloudltd argues that #data #sovereignty is the only "certain (risk-free)" answer https://t.co/W6nZ77eF88 pic.twitter.com/wq1LeZMfsi
— Bill Mew (@BillMew) September 5, 2018