The Swedish data protection authority issued a GDPR fine for lack of adequate protection of sensitive data stored in an American cloud platform after the Schrems II decision.
The Swedish case on storage of sensitive data in a cloud platform
The Swedish data protection authority held that the Umeå University had processed special categories of personal data concerning sexual life and health through, amongst others, storage in a cloud service of an American provider, without sufficiently protecting the relevant data.
This circumstance was confirmed by the fact that reports containing sensitive data were stored in the cloud platform, although the University had been informed via its intranet that special categories of data should not be stored in the cloud service in question.
Besides, when the research group sent an e-mail to the police requesting further information, one of the scanned reports was attached as a reference, a practice that the research group later repeated even though the police had pointed out the inappropriateness of sending sensitive material in unencrypted e-mails. This additional circumstance led to a further challenge relating to the lack of notification of the data breach.
Due to the above-mentioned events, the Swedish Data Protection Authority issued a fine of SEK 550,000 against the university.
The first GDPR fine on data stored in an American cloud platform after Schrems II
Apart from the above, the decision is relevant since the Swedish data protection authority refers to the Schrems II decision, taking the stance that a data transfer to the United States per se triggers a high risk for personal data, since data subjects are limited in protecting and enforcing their privacy rights.
This aspect of the dispute did not lead to a GDPR fine since the events had occurred up to 2019 and, therefore, before the Schrems II decision. However, the dynamics of the investigation show that in any dispute with data protection authorities, regardless of the challenge from which it originated, an unlawful data transfer outside the EEA might become an additional element of the challenge if the relevant data are stored in, or accessible from, outside the EEA.
In the current situation, the authority might argue that any delay in proving the implementation of the actions necessary to secure data transfers is unjustified. Such a scenario renders a transfer impact assessment methodology like the one developed by DLA Piper even more essential for any business.
You can read more about our methodology in this article, “Do you have a data transfer methodology based on the Schrems II decision?”.