With today’s election in the USA, potential changes in American surveillance legislation could have serious consequences for Nordic companies, warns WaysCloud.
These changes could undermine the Data Privacy Framework (DPF) and force companies away from US cloud services such as Microsoft Azure, Google Cloud and Amazon AWS.
This can make using services like Teams difficult and affect how companies communicate internally and with their customers.
The seriousness of the situation
After the Schrems II judgment in 2020, it became practically illegal to use American suppliers for processing personal data due to a lack of protection against American surveillance. The introduction of DPF made it temporarily possible to use certified suppliers in the USA. Now there are signs that a new administration may be looking at surveillance legislation, particularly Executive Order 14086, which was put in place to establish the DPF.
Changes to Executive Order 14086 may cause the DPF to lose its validity. This will make it illegal to transfer personal data to the US based on the DPF and the use of Standard Contractual Clauses (SCC) may also be affected. Companies must therefore reassess their suppliers and find alternatives within the EEA.
“We could potentially find ourselves in a situation in a short time where our everyday services become illegal,” warns Knut Michael Haugland, CEO of WaysCloud. “This not only affects internal communication, but also how we serve our customers. The seriousness cannot be underestimated and companies must act now to ensure continuity and compliance with the legislation.”
Consequences for Nordic companies
•Forced migration from US cloud services: Companies may have to move data and services from US suppliers to local alternatives, which can be expensive and time-consuming.
•Changes in internal communication: Internal communication tools may become illegal to use without extensive security measures.
•Increased legal risk: Violation of the GDPR can result in significant fines and damage the company’s reputation.
•Operational challenges: Transitioning to new systems can lead to downtime and reduced productivity.
For journalists and readers: What does this really mean?
Many companies in the Nordics use American cloud services for data storage, internal communication and services for their customers. If US law changes after the election, these services may become problematic to use. European data protection laws (GDPR) set strict requirements for how personal data is handled. If the US changes its laws so that they no longer meet these requirements, it may become illegal for European companies to transfer personal data to US companies.
What does this mean in practice?
•Everyday tools can become illegal: Software and services we use every day may be banned without comprehensive security measures in place.
•Large costs and time pressure: Companies may have to quickly find new solutions, which can be both expensive and demanding.
•Operating disturbances: The transition to new systems can lead to inefficiencies and affect customer service and company reputation.
By choosing suppliers that store and process data within Europe, companies can avoid these challenges and ensure they comply with the law.
Recommendations for companies
•Map suppliers: Identify all third-party vendors that process personal data, especially those based in the United States.
•Assess the risk: Analyze potential consequences of a change of government and changes in US law.
•Explore local alternatives: Begin the process of finding EEA-based suppliers who can offer similar services.
•Prepare a contingency plan: Be ready to quickly implement necessary changes to ensure operations.
Background information
•Data Privacy Framework (DPF): Establishes the basis for the legal transfer of personal data between the EU/EEA and the USA. Changes in US surveillance laws may invalidate the DPF.
•Executive Order 14086: A presidential order introduced by Biden to ensure compliance with the DPF. Can be canceled or changed by a new administration.
•Standard Contractual Clauses (SCC): Legal tools for transferring personal data to third countries. The validity of the SCC may be affected by changes in US law.
Source: it-kanalen.dk
