The aftermath of Schrems II

In July 2020, the European Court of Justice announced the so-called Schrems II judgment, which made it clear that transfers of personal data to the United States do not provide adequate protection for EU citizens. The giant insurance company Folksam is now seemed to be affected by the effects of Schrems II.

Folksam reported itself to the Swedish Authority for Privacy Protection after the discovery that the company shared approximately one million personal data illegally. It was during an internal audit that Folksam noticed that personal data had been shared with companies such as Facebook, Google, Microsoft, LinkedIn, Adobe, etc., all of which are headquartered in the United States. It has become increasingly clear, following the Schrems II ruling, that digital integrity is extremely important and that high demands are placed on companies over the control of personal data.

The purpose of Folksam to share the personal data has been to analyze what information the company's logged in customers and other visitors searched for on Folksam´s website. The analyzes have been used for announcement-adapted offers, among other things in Folksam's communication channels. Most of the personal data shared has been considered sensitive, such as IP addresses, social security numbers, union membership and pregnancy. Following the discovery, Folksam has requested the receiving companies to delete the personal data immediately. Other companies should probably also review and make internal controls in the same way Folksam did in order not to risk lawsuits or large fines.

How the outcome will be for Folksam remains to be seen.