The Court of Justice for the European Union (CJEU) recently issued an opinion (Schrems II) that invalidated the US-EU Privacy Shield. This presents the obvious technical question, “which of my data transfers are to the US?”
For global companies operating in Europe and for EU-based companies, the answer is probably surprising. It is almost impossible to operate a global business without sending a good chunk of personal data to the US. Some of these transfers are intentional; many others are unwitting, but they occur nevertheless because modular development relies so heavily on third parties and third-party code libraries.
This poses two challenges: detecting the data flows, and classifying them (is it personal data or not?). We just spent the weekend putting together an add-on for the NT Analyzer tool suite that does exactly that. Now we can take a network traffic capture, or a log file provided by the business, and automatically classify each remote host, the company controlling that host, and, most importantly for Schrems II, whether the destination server is inside the EU. If it is not, the add-on indicates whether the destination is at least in a jurisdiction that has received an adequacy decision from the EU, or whether the transmission goes to a jurisdiction the EU has not deemed safe for personal data.
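The classification described above, reduced to its core logic, as an added illustration that is not NT Analyzer code. It assumes a constructed prefix-to-country table (a real deployment would use a GeoIP/ASN database in its place), constructed log lines using RFC 5737 documentation addresses, and an adequacy list as it stood when Schrems II was handed down; destinations that cannot be resolved are reported as `unknown` rather than silently treated as safe.

```python
"""Classify destination hosts in a traffic log by EU data-transfer jurisdiction.

Added example, not part of the NT Analyzer tool suite. The prefix table and the
log lines below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter

# EU-27 plus the EEA states (Iceland, Liechtenstein, Norway), where the GDPR applies directly.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES",
    "SE", "IS", "LI", "NO",
}
# Jurisdictions holding an EU adequacy decision at the time of Schrems II (July 2020).
# Canada's decision covers only commercial organisations subject to PIPEDA.
ADEQUACY = {"AD", "AR", "CA", "FO", "GG", "IL", "IM", "JP", "JE", "NZ", "CH", "UY"}

# Constructed prefix -> (country code, controlling organisation) table.
# Assumption: a real deployment would look this up in a GeoIP/ASN database.
PREFIX_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), ("DE", "Example Hosting GmbH")),
    (ipaddress.ip_network("198.51.100.0/24"), ("US", "Example Cloud Inc.")),
    (ipaddress.ip_network("203.0.113.0/24"), ("JP", "Example Analytics KK")),
]

# Constructed log format: "<timestamp> src=<ip> dst=<ip> host=<sni-or-hostname>"
LOG_RE = re.compile(r"dst=(?P<dst>\S+)\s+host=(?P<host>\S+)")


def classify_country(cc):
    """Map a country code to a transfer class; unresolved codes need manual review."""
    if cc is None:
        return "unknown"
    if cc in EU_EEA:
        return "eu_eea"
    if cc in ADEQUACY:
        return "adequacy"
    return "no_adequacy"


def lookup(ip_str):
    """Return (country, organisation) for an address, or (None, None) if unresolved."""
    ip = ipaddress.ip_address(ip_str)
    for net, info in PREFIX_TABLE:
        if ip in net:
            return info
    return (None, None)


def classify_log(lines):
    """Parse log lines and annotate each destination with its transfer class."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that do not match the expected format
        cc, org = lookup(m["dst"])
        results.append({
            "host": m["host"],
            "dst": m["dst"],
            "country": cc,
            "org": org,
            "transfer": classify_country(cc),
        })
    return results


def summarize(results):
    """Count destinations per transfer class, the figure a DPO will ask for first."""
    return Counter(r["transfer"] for r in results)


# Constructed sample log; 100.64.0.1 is deliberately absent from PREFIX_TABLE.
SAMPLE_LOG = [
    "2020-07-20T10:00:01Z src=10.0.0.5 dst=192.0.2.10 host=cdn.example.de",
    "2020-07-20T10:00:02Z src=10.0.0.5 dst=198.51.100.7 host=metrics.example.com",
    "2020-07-20T10:00:03Z src=10.0.0.5 dst=203.0.113.9 host=api.example.jp",
    "2020-07-20T10:00:04Z src=10.0.0.5 dst=100.64.0.1 host=unresolved.example.net",
    "2020-07-20T10:00:05Z malformed line with no destination field",
]

if __name__ == "__main__":
    rows = classify_log(SAMPLE_LOG)
    for r in rows:
        print(f"{r['host']:28} {r['dst']:14} {str(r['country']):4} {r['transfer']:12} {r['org']}")
    print(summarize(rows))
```

Running the script prints one row per resolved destination and a count per class; the `unknown` bucket is the one to chase down, since an unresolved host is exactly where an unwitting transfer hides.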