Privacy Shield. Over and done with. Suddenly everything is different – and without a grace period. The ECJ’s ruling on Schrems II and the EU-US Privacy Shield brings the issue of EU data protection back to the forefront.
Some cheer, others groan: intelligence services pull the plug
It has been a long road for the NGO NOYB, led by Max Schrems. The EU-US Privacy Shield long governed data transfers between the EU and the US, essentially as an informal arrangement. Negotiated in 2015 and 2016, it consisted primarily of a series of assurances from the US federal government plus an adequacy decision by the EU Commission, i.e. a finding that the Privacy Shield’s requirements provided a level of data protection equivalent to that of the European Union. On July 16, 2020 the European Court of Justice declared that decision invalid, and rightly so: the sweeping access rights that US authorities and intelligence agencies had granted themselves were, without exaggeration, widely described as snooping.
Whether it is the GDPR or the Privacy Shield, the subject is always the protection of personal data, here data transferred from an EU member state to the USA. But it is no longer only those who transfer personal data to the USA or have it processed there on their behalf who are wide awake; it is every customer of a cloud service that does not run exclusively within the EU/EEA. From here on, things get interesting.
My AWS instance is running in Frankfurt, what’s the problem?
Companies and large corporations have been paying close attention to where they store their data and run their virtual servers since well before the Privacy Shield debate. The large providers such as Amazon, Microsoft and Google also have an interest in being regarded as “data protection friendly” and in exemplary compliance with the law. Particularly with the arrival of the GDPR, they introduced extensive privacy controls that let customers pin their outsourced workloads and data to chosen geographic regions. So it is no surprise that the first reaction of many of those responsible, IT managers and IT service providers alike, was “we run everything on AWS, but in Frankfurt”. That is where things got complicated.
The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) governs access by US authorities to data held by US providers, and it does so regardless of where in the world that data is stored. The name alone makes clear that this has nothing in common with European data protection. But there is more: FISA (Foreign Intelligence Surveillance Act) is the law that regulates the United States’ foreign intelligence and counterintelligence activities, and its Section 702 was one of the provisions the ECJ examined. If you think of the NSA affair and get goosebumps, you are right: US authorities have powers that reach beyond American borders and are simply incompatible with an EU regulation such as the GDPR. The ECJ of course has no say over US law, which makes the invalidation of the Privacy Shield a unilateral step, and US cloud providers, from their own point of view, see a change for their European customers rather than for themselves. Those of us who live, work or are responsible for a business in the EU now look at the decision with some unease, above all because it provides for no transition period: the need for action is immediate, for everyone, now.
Please stay calm, nothing can happen to you. Honestly. Really?
However, the ECJ not only overturned the Privacy Shield, it also confirmed the validity of the EU standard contractual clauses (SCCs). US companies relying on them would therefore be off the hook. Or so it seemed: at first it looked as though US companies would merely have to update their terms and conditions, but a company cannot contract its way out of the laws that bind it at home, such as the CLOUD Act and FISA, just because the ECJ would like it to. The Court in fact said as much: SCCs remain valid, but the data exporter must verify, case by case, that the law of the destination country does not prevent the importer from honouring them. It is a real quandary, which one Twitter user aptly summed up a few days ago as “The ECJ shut down the Internet.”
So far there is little light in the darkness. The first resellers of services built on US providers point to the providers’ reassuring wording, which runs roughly: “We have the EU standard clauses in the contract, you as the customer decide where the instances run, you can use the services as usual.” As so often, it pays to dig deeper. You do not need to be a lawyer or spend hours searching: the subprocessor lists of many cloud providers alone span the globe, and the general terms already permit the provider to intervene in running services to ensure availability. Above all, one notices the recurring phrase that states quite plainly: “We do not access your data unless ordered to do so by a public authority.” CLOUD Act, FISA, there they are again. Anyone who still believes everything is fine is on thin ice.
Keep calm yes, wait and see no: What to do now.
Step 1: Identify services
Which of your services do not run entirely within the EU/EEA, and what is the status of their contracts?
Now is the time to assess the impact of the ECJ decision on your own company. Which providers and which services do you use, and how have they reacted to the Privacy Shield ruling? What do the contracts say, how do they address the GDPR, which subprocessors are listed? Is it possible to switch providers or to contractually restrict processing to particular regions?
Step 2: Identify data and information
What data do you process, where, why and how? Is there room for improvement in your information policy?
You should have created your record of processing activities (Article 30 GDPR) when the GDPR came into force and maintained it regularly since. Ideally it states which personal data you process, why, and how, including the tools and providers involved. The data protection notices in your contracts, on your websites and in your general terms should be consistent with it, so that customers and business partners get proactive transparency.
Step 3: Determine risk
How are vendors responding and what is your risk appetite?
Almost every provider’s mailbox is presumably overflowing with thousands of inquiries from worried customers right now, so it is foreseeable that, despite the absence of a transition period, no immediate individual statements, contract amendments or agreements will be possible. What always applies is a risk analysis: assess and weigh the options, then implement quick measures such as restricting cloud services to specific geographic regions, relocating workloads or switching providers, in line with an existing business resilience plan. Bear in mind that region restrictions determine where your data is stored and processed; they do not change the provider’s obligations under the CLOUD Act or FISA, so they narrow the problem rather than solve it. Don’t have a business resilience plan? You have just found the perfect reason to write one.
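As an added example (not from the original article, and not a provider’s own recommendation), here is what “restricting cloud services to specific geographic regions” looks like in practice on AWS, the provider the article’s “but in Frankfurt” reaction refers to: a small shell script that prints, and optionally creates, an AWS Organizations service control policy (SCP) denying every API call whose target region is outside an EU allow-list. The region list (eu-central-1 for Frankfurt plus eu-west-1), the policy name and the description are assumptions for this example.

```shell
#!/usr/bin/env sh
# Added example (not from the article): an AWS Organizations service control
# policy (SCP) that denies every API call whose target region is outside an
# EU allow-list. Global services that only exist in us-east-1 (IAM, STS,
# Organizations, Route 53, CloudFront, Support, Budgets, Health) are excluded
# via NotAction; without that exception logins and DNS would break as well.
# The region list, policy name and description are assumptions for this example.

eu_only_scp() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyRegionsOutsideEU",
      "Effect": "Deny",
      "NotAction": [
        "iam:*",
        "sts:*",
        "organizations:*",
        "route53:*",
        "cloudfront:*",
        "support:*",
        "budgets:*",
        "health:*"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "aws:RequestedRegion": [
            "eu-central-1",
            "eu-west-1"
          ]
        }
      }
    }
  ]
}
EOF
}

# Without APPLY_SCP=1 the script only prints the policy document so it can
# be reviewed or committed to version control; with it, the policy is created
# in the organization (needs the AWS CLI and management-account credentials).
if [ "${APPLY_SCP:-0}" = "1" ]; then
  aws organizations create-policy \
    --name "EuOnlyRegions" \
    --type SERVICE_CONTROL_POLICY \
    --description "Deny API calls that target regions outside the EU" \
    --content "$(eu_only_scp)"
else
  eu_only_scp
fi
```

Once the policy is attached to an organizational unit (`aws organizations attach-policy`), an `aws ec2 describe-instances --region us-east-1` from any account in that OU is rejected with an explicit deny, while the same call with `--region eu-central-1` succeeds. Two caveats: SCPs never constrain the organization’s management account, and the policy only limits what your own principals can do. It is a technical fence around where your workloads and data live, which is exactly the information Steps 1 and 2 need, but it does nothing about the provider’s own exposure to the CLOUD Act or FISA that the article describes.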
Finally, the most important thing is to document. On the subject of legal trouble, here is what I learned at a seminar in the United States: ask yourself what a judge would want to know from you in proceedings over a data protection incident or the use of a cloud provider that is no longer lawful. The principle of reasonableness, a structured analysis of your own situation and the implementation of reasonable measures are the golden rule here.