What has happened?
The EU Court of Justice has invalidated the protection provided by the EU-US Data Protection Shield as noted in their press release.
“The requirements of US national security, public interest and law enforcement have primacy, thus condoning interference with the fundamental rights of persons whose data are transferred to that third country. In the view of the Court, the limitations on the protection of personal data arising from the domestic law of the United States on the access and use by US public authorities of such data transferred from the European Union to that third country, which the Commission assessed in Decision 2016/1250, are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law, by the principle of proportionality, in so far as the surveillance programmes based on those provisions are not limited to what is strictly necessary.”
The decision was not a surprise, but the long-term effects are hard to foresee and are worth considering for any regulated entity or corporation that takes the question of data privacy seriously.
What’s the background?
The case, known as Schrems II after privacy activist and lawyer Max Schrems, has a long history. Schrems challenged Facebook’s use of Standard Contractual Clauses (SCCs) back in 2015 and asked the Irish Data Protection Commission (DPC) to suspend Facebook’s data transfers, which ended up calling the whole Privacy Shield agreement into question.
Before that, Schrems had also successfully challenged and brought down the previous EU-US data transfer agreement, Safe Harbor, in 2015 (Schrems I).
In general it’s a clash between two cultures: the US, with a strong focus on surveillance and the government’s right to be able to protect its citizens, versus the EU, with a stronger focus on individual citizens and their right to data privacy.
What does this mean for EU-US cloud consumption?
In the near term, this means that you are probably using quite a few services in your daily work that are now classified as illegal. Over 5000 services are currently relying on Privacy Shield as a vehicle to transfer data.
But will you be held accountable for this in the near future? That is very unlikely, as the EU and US will now scramble to sort out this question. Adequate data transfer abilities are the basis for trillions of dollars of business, so the EU and US counterparts are already in discussions about how best to handle the ruling. It is safe to say that the data plug won’t just be pulled overnight.
Standard Contractual Clauses (SCCs), which are another way to facilitate data transfers, haven’t been declared illegal either. The court ruled that as long as your SCCs plus the laws in the receiving country provide adequate data protection, equal to what the data would have had if handled by operators under European jurisdiction, you should be fine. Whether this is actually the case for data handled under American jurisdiction remains to be seen, but it seems highly unlikely at this point.
Also, to be clear, this only affects personally identifiable information (PII). Although PII permeates most of our services today, the ruling far from makes every kind of service a bad fit for running on top of American cloud providers.
For regulated organisations in healthcare, financial services or the public sector, though, this could potentially mean a lot in the mid to long term. Even though everybody agrees that this verdict was only a matter of time, having an actual ruling changes the playing field.
Regulated organisations with a mature approach to compliance now need to evaluate what this means for them. International organisations evaluating their cloud roadmap or putting out tenders would probably now do well to widen their mental vendor list from just the usual suspects.
What this means for Europe
This is a chance for Europe as a whole, and for European service providers, to step up their game even further and offer more high-value services targeted at the modern, cloud-native way of consuming services that developers are used to.
The average European cloud provider offers somewhere around 3-10 managed services, often centered around the lower parts of the stack such as IaaS. The big US hyperscalers have for years been building out their ecosystems of easy-to-use services for everything from analytics to machine learning and IoT, often with the effect of vendor lock-in.
“Percentage wise”, Europe is starting to catch up though, as the trend of worrying about data privacy is nothing new. The Cloud Act has for years kept regulated European industries on their toes, sparked initiatives like Gaia-X and enabled lean, forward-looking cloud providers like our partners City Cloud, Exoscale, and Safespring to step forward and offer modern cloud services under European jurisdiction, built on open source and with the cloud-native enterprise in mind.
GDPR’s renewed focus on data privacy questions was the starting point. Now, for European and non-US organisations in general, having a cloud strategy that addresses the question of what data goes where will only become more important going forward.
As this will now be overturned by the EU Commission and its US counterparts once again, will the US step down their protectionism laws to adhere to EU privacy laws? Will we soon have yet another watered-down agreement similar to Safe Harbor or Privacy Shield, with the accompanying Schrems III case? Or will something change for real in the balance between the giant US internet service providers and the end users in the EU?
This remains to be seen, but this ruling should be a wake-up call for regulated entities to do a risk assessment of where this leaves them, make an inventory of cloud services in use and start thinking about whether there are workloads or services that could benefit from running in Europe, depending on where this goes.
As a tip for everybody with customers in Europe: next time you are evaluating where to run your workloads, also have a serious look at our European alternatives.