In July this year, the Schrems II judgement by the Court of Justice of the EU (CJEU) and the associated invalidation of the Privacy Shield framework created an unclear legal situation for many companies. Transfers of personally identifiable information from EU companies to the US within the framework of the Privacy Shield are hence invalid. For companies, this means a thorough review of all services they use that have a connection to the US, and potentially adjusting them. The judgement also affects cloud services of US providers that are used to process personal data.
The implications of the judgement for European companies, the reason why US cloud providers are affected, and possible data-protection compliant alternatives are described in this blog post.
For all transfers of personally identifiable information to third countries (i.e. countries outside the European Union (EU) and the European Economic Area (EEA)), companies have to meet the requirements of the EU General Data Protection Regulation (GDPR). It must be ensured that data transferred to third countries is handled with an appropriate level of protection. For data transfers to the US, this level could (until the judgement) be ensured by means of the Privacy Shield.
The Privacy Shield was an agreement between the EU and the US which regulated the transfer of personal data between those regions. It was the successor of the Safe Harbor Framework, which was invalidated by the Schrems I judgement of the CJEU. Apart from the Privacy Shield, companies may use standard contractual clauses (SCCs). SCCs bind companies in third countries by contract to comply with EU data protection standards.
The Schrems II judgement annuls the previously valid Privacy Shield for the US and declares it invalid. Because US authorities may access the personal data of EU citizens, the Privacy Shield infringes EU data protection regulations.
The standard contractual clauses, on the other hand, are still valid per se. But companies, as the “person in charge” of data processing activities according to the GDPR, now have to audit on a case-by-case basis whether their clauses still comply with the new judgement. As part of the audit they have to assess whether the national law of the third country is consistent with EU data protection regulation and whether a suitable level of protection is guaranteed. If it cannot be guaranteed, data transfers have to be stopped. According to the current legal situation, data transfers also have to be stopped if they are carried out on the basis of the Privacy Shield.
The judgement takes effect immediately as of July 16th, 2020. There is no grace period.
Data transfers into and out of the cloud are also affected by the judgement, as are data storage and computing. Companies have increasingly relied on cloud services in recent years. This trend is going to intensify in the future, as cloud services offer many advantages for companies. Most cloud services are purchased from providers located in the US. The servers for the purchased services are partly located in the US and partly in Europe.
This is where it gets complicated for companies. Even if a server is located in the EU, US authorities may access the stored data. This access is possible because of Section 702 of the FISA (Foreign Intelligence Surveillance Act) and Executive Order (EO) 12333, which apply to all Electronic Communication Service Providers headquartered in the US (well-known brands are hence affected by these regulations).
There lies the rub: US authorities have the possibility to access EU-based servers, so European data protection standards cannot be ensured this way. Companies that deliberately chose a server location in the EU (supposedly to comply with data protection regulation) but whose server is owned by a US cloud provider may infringe EU general data protection regulation.
In short: the server location is irrelevant if the cloud provider is based in the US. Data protection is not guaranteed. The solution: European cloud providers.
Alongside the well-known US brands for cloud services, many European alternatives have established themselves on the market in recent years. Due to their location within the EU and strict requirements concerning data protection, companies are assured that personal data stays within the EU and is not subject to access by any authorities. Companies that use European providers are guaranteed that their data is processed according to the GDPR. No SCCs or other contracts need to be set up. Special care is necessary in particular if companies work with “sensitive data” such as ethnic affiliation, religion or health data.
Anexia is an Austrian Cloud Service Provider headquartered in Klagenfurt. With more than 25 server locations in the EU/EEA, as well as numerous international locations, Anexia offers a unique advantage concerning server locations and infrastructure. Thanks to our many years of experience and our varied, individual cloud services, we are a reliable alternative to the well-known US providers of cloud services – EU-compliant data protection included.
Since migrations from existing server infrastructures to new ones are particularly critical, we pay special attention to a frictionless, customer-oriented process. We support companies throughout the entire process with our know-how and experience from numerous large and small projects.
We stand for the highest standards of quality, availability, security and data protection. Anexia is not only ISO 9001 and ISO 27001 certified, but is also a member of the Cloud Security Alliance (CSA) and has established a sustainable data protection management system.
Contact us! We are happy to show you the possibilities of our European cloud solution in more detail.