Sharing Personal Data Across Borders is Dangerous

<- Back to all Blogs
3 min Read  |  Published: Wed Sep 23 2020

July 16th saw the announcement of the long-awaited ruling by the Court of Justice of the European Union (CJEU) over Facebook’s transfer of data from Ireland to the US. The so-called Schrems II judgment had an immediate impact on the legality of international data transfers between the EU and ‘third countries’, rendering the previous Privacy Shield and adequacy agreements invalid. In Facebook’s case, this ruling impacted the company’s practice of transferring data from Ireland to the U.S – and they’re not alone. Data Transfers have long been a key aspect of any multinational business’s operational framework, with thousands of companies across the U.S reliant on the previous adequacy agreements in place to ensure the successful transfer and processing of data in compliance with the GDPR

So, What’s Changed?

The GDPR mandates that if personal data is transferred from an EU country to a country outside of the EU, the ‘third country’, or company in question, must ensure that adequate or equivalent levels of data protection are in place to maintain the safe, compliant and legal processing of Personal Data outside of Europe. Although the CJEU’s decision centred around a case involving the U.S, and specifically personal data accessed and processed by the United States Government, the decision has wide-ranging impacts on any company or government operating outside of Europe, and will now require Companies and Governments to conduct case-by-case analyses of personal data transfers, and examine potential solutions to ensure minimal disruption to the services offered by companies with international offerings.

How can Trunomi help?

Case-by-case analyses might themselves reveal a set of unexpected, yet nonetheless perfectly true observations. Much of the time, access to the raw Personal Data isn’t actually required – businesses require ‘facts’ around data, rather than the raw data itself. Let’s look at an example involving a Loyalty Use Case for a Global Airline. If a Passenger collects a certain number of loyalty points, they will move successfully from a Silver to a Gold card member. However, the backend systems responsible for that upgrade do not require the full data set of that Passenger to move them from Silver to Gold; rather they require two core facts – the Customer ID, and whether or not that ID has collected the requisite number of points to move beyond the threshold into Gold. Until now, businesses have assumed that in order to fulfil their business-as-usual processes, they require access to all personal data – the full data set. This is not the case and goes against the principles of Data Minimisation and Privacy-by-Design as espoused by the GDPR. Indeed, the more systems copy and process personal data, the greater the likelihood that that data will be lost, leaked or breached at a later date.

There is another way. Attestations.

Trunomi uses two core technologies, TruID and TruCert, to power Attestations. So what are Attestations? An Attestation is a digital record that can ‘attest’ to certain facts around Personal Data as being true without exposing the raw underlying personal data: e.g. has Customer X reached the required threshold of loyalty points? Is Customer Y over 18? The Attestation can provide a binary yes / no response as a means of sharing necessary facts around Customers and Customer Interactions and powering automated workflows without risking or exposing the underling raw personal data. As well as driving operational efficiencies, saving time, effort and cost by automating previously manual processes, Attestations also reduce risk by driving the GDPR principles of Data Minimisation and Privacy by Design. In the context of the Schrems II decision and the invalidation of the Privacy Shield, Attestations become an invaluable means of sharing necessary facts around customer data across international borders, without having to transfer raw Personal Data. Because they do not move or touch raw Personal Data, Attestations are bound neither by jurisdictional boundaries, nor by the Schrems II ruling.

Attestations are just one way in which Trunomi helps global organisations comply and be compliant with global, ever-changing Privacy Regulations.

If you’d like to learn how Attestations and Trunomi can help your organisation respond to the Privacy Regulations and the Schrems II decision, contact us or request a demo at