“We lost a public procurement because we run on a US cloud provider.”
But how exactly did we get here? Putting the blame on the IT department for not knowing how to implement GDPR back in 2016 wouldn’t be completely just. During the years since, however, clear guidance for how to technically implement the tech-neutral GDPR law has emerged. A myriad of court rulings, opinions, recitals, and guidelines have brought much-needed clarity.
In this article, we’ll unroll the whole story.
May 2016: “Business as usual”
In May 2016, the EU's new General Data Protection Regulation (GDPR) entered into force, with a two-year transition period; it became applicable in May 2018. The GDPR is, honestly, a marvel of lawmaking. It has triggered the "Brussels effect" and inspired dozens of other countries to adopt similar legislation. GDPR is deliberately tech-neutral, which is what makes it both flexible and stable. On one hand, this is good for data subjects, as they can rely on their privacy being protected no matter the latest incarnation of third-party cookies, cross-site tracking, or Federated Learning of Cohorts.
On the other hand, it puts a lot of pressure on regulators and the IT industry to figure out exactly how to apply GDPR day-to-day. What exactly is a third-country transfer? Does the geography or jurisdiction of the cloud provider's parent entity matter? No wonder the IT industry's initial response to the wave of confusion was "let's wait and see".
July 2020: “Can we continue to run on US clouds? Let’s wait and see.”
In July 2020, in the so-called "Schrems II" ruling, the Court of Justice of the European Union (CJEU) found that US surveillance law (notably FISA Section 702 and Executive Order 12333, which prioritize US national security over the privacy rights of non-US data subjects) does not provide protection essentially equivalent to the GDPR, and it invalidated the Privacy Shield framework. While the CJEU stopped short of banning US cloud providers, it made clear that companies relying on Standard Contractual Clauses must assess the risk of US government access under laws such as FISA and the US Cloud Act, and take appropriate supplementary measures.
One would certainly hope that alarm bells would ring on the other side of the Atlantic and that US lawmakers would rectify the situation so that US cloud providers could keep serving EU customers. Unfortunately, although the issue was raised in a US Senate hearing in December 2020, almost a year later little had been done. Industry experts are pessimistic about the US changing its policy on foreign surveillance, which is what it would take to make US cloud providers compatible with the GDPR.
Safe Harbor, a mechanism to legally allow the transfer of personal data from the EU to the US, was declared invalid in 2015. Privacy Shield, allegedly an improved version of Safe Harbor, was declared invalid in 2020. Safe Harbor, Privacy Shield: fancy names, but no material change in the underlying law on either side of the Atlantic. Whatever the next incarnation of a transatlantic data transfer agreement ("Iron Fence" sounds catchy, if you ask me), it is likely to be declared invalid again. The cultural gap is hard to bridge: the US wants access to non-US personal data for national security reasons, while the EU considers the protection of personal data a fundamental right.
March 2021: "EU subsidiaries of US clouds fall under US law."
But what if the US cloud provider has a data center in the EU? In March 2021, a French court ruling shed light on this as well: a US cloud provider, even one hosting data in the EU and contractually promising not to transfer it to the US, still poses a data protection risk, because it operates under US jurisdiction and can be compelled under US law.
This, of course, should not come as a surprise. Microsoft fought a US warrant for email stored in its Irish data center all the way to the US Supreme Court; while the case was pending, Congress passed the US Cloud Act in 2018, which explicitly extends such warrants to data that US providers hold abroad, and the case was dismissed as moot. The question of whether EU-hosted data is reachable from the US was settled in the US government's favor by statute.
June 2021: “But what if we use encryption?”
In June 2021, after roughly seven months of public consultation, the European Data Protection Board (EDPB) issued its final recommendations on supplementary measures that data controllers and processors must take when transferring data to third countries such as the US. On the positive side, the recommendations spell out how encryption can be used to keep using US-based cloud providers. On the negative side, the encryption keys must stay under the sole control of an EU entity, meaning the data has to look "opaque" to the US cloud provider, which drastically reduces what the provider can do for you. How would you send emails through AWS Simple Email Service (SES) if AWS must not be able to decrypt them?
US cloud providers have tirelessly marketed encryption as a silver bullet, with catchy names like "Customer-Managed Encryption Keys". And, indeed, encryption in transit stops the coffee shop offering free WiFi from reading your personal data, and encryption at rest adds a layer of security by making sure no personal data can be recovered from hard drives that are disposed of incorrectly. But "customer-managed" usually means the customer controls the key's lifecycle inside the provider's own key management service, while the provider's software still performs every decryption on your behalf; a provider that can decrypt for you can also decrypt for whoever compels it.
But what about encryption in use? Two technologies get the spotlight here: homomorphic encryption and confidential computing. Homomorphic encryption allows computation directly on encrypted data. It is mathematically beautiful, but it currently needs at least 100x more computing resources than processing the same data unencrypted. (But hey, if you don't mind 100xing your cloud bill, you have found a way to keep using a US cloud provider.)
Confidential computing is promising, but it is no silver bullet either. First, the technology still needs to mature before you can rely on it to protect your data from an untrusted cloud provider. Second, it only moves the trust rather than removing it: the root of trust becomes the processor manufacturer's attestation keys and microcode. So even if the vision of confidential computing is fully implemented, you still have to trust that US processor manufacturers such as Intel and AMD would have the guts to defy US law and refuse to provide "formal access channels".
Of course, “just use encryption” is really just marketing. Read Google’s “Safeguards for international data transfers with Google Cloud”, and the truth will quickly bubble up:
Highlights in the quote above are added by us.
So what does this mean for you? In practice, the only service you can safely consume from a US cloud provider is dumb storage, something like S3, where the data is encrypted under keys held in the EU before it ever reaches the provider and stays encrypted for the whole time it sits there. Since you cannot decrypt it at the provider, no useful processing can happen there either.
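To make the "opaque to the provider" pattern concrete, here is an added example in Go (not code from the original post, nor from Elastisys, AWS or Google) of client-side envelope encryption: every object is encrypted under a fresh data-encryption key (DEK) with AES-256-GCM, and the DEK is wrapped under a key-encryption key (KEK) that never leaves the EU side. The type names (KeyHolder, StoredObject), the helper functions and the sample record are all constructed for this illustration. The same code also shows the "customer-managed keys" caveat: whichever party runs KeyHolder is the party that can read the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// KeyHolder is whoever holds the key-encryption key (KEK). Run it on an
// EU-operated HSM/KMS and the provider only ever sees ciphertext; run it in
// the provider's own KMS ("customer-managed keys") and the provider decrypts for you.
type KeyHolder struct{ kek []byte }

// StoredObject is the entirety of what gets uploaded to the provider.
type StoredObject struct {
	Ciphertext []byte // nonce || AES-256-GCM(DEK, personal data)
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
}

// randomKey draws a fresh 256-bit key (stand-in for an HSM/KMS in a real setup).
func randomKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func NewKeyHolder() (KeyHolder, error) {
	kek, err := randomKey()
	return KeyHolder{kek: kek}, err
}

// sealGCM encrypts with AES-256-GCM under key and prefixes the random nonce.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; a wrong key or any tampering fails authentication.
func openGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt runs where the KEK lives, before upload: fresh DEK per object, KEK only wraps DEKs.
func (h KeyHolder) Encrypt(personalData []byte) (StoredObject, error) {
	dek, err := randomKey()
	if err != nil {
		return StoredObject{}, err
	}
	ct, err := sealGCM(dek, personalData)
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := sealGCM(h.kek, dek)
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt needs the KEK to recover the DEK; without it there is no path to the plaintext.
func (h KeyHolder) Decrypt(obj StoredObject) ([]byte, error) {
	dek, err := openGCM(h.kek, obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, obj.Ciphertext)
}

// LeaksPlaintext is the check on the blob leaving the EU: no personal data in the clear.
func LeaksPlaintext(obj StoredObject, personalData []byte) bool {
	return bytes.Contains(obj.Ciphertext, personalData) || bytes.Contains(obj.WrappedDEK, personalData)
}

func main() {
	eu, _ := NewKeyHolder()                                   // KEK stays in EU jurisdiction
	record := []byte("name=Anna Andersson;city=Umeå")         // constructed sample record
	obj, _ := eu.Encrypt(record)                              // this is what would be PUT to S3
	_, err := KeyHolder{kek: make([]byte, 32)}.Decrypt(obj)   // provider: has the blob, not the KEK
	fmt.Println("blob leaks plaintext:", LeaksPlaintext(obj, record), "| provider can read:", err == nil)
}
```

Only the StoredObject (ciphertext plus wrapped DEK) would be handed to the provider's storage API; the KEK, and therefore Decrypt, stays with the EU entity. Note what this buys and what it costs: GCM authentication means the provider cannot even silently modify the data, but it also means the provider cannot index, search, or otherwise process it, which is exactly the "dumb storage only" conclusion above.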
November 2021: "Why aren't you running in EU jurisdiction?"
Is now the time to re-evaluate our suppliers and systematically move to EU providers? As if to settle the question, in November 2021 a collaboration of Swedish government agencies issued a report on how to continue digitalization without popular US services such as Zoom, Teams, Office 365, and Google Workspace. They recommend equivalent open-source solutions, hosted either on-premise or by EU cloud providers. This is not just an ambition: the Swedish Authority for Privacy Protection (IMY) has already highlighted during its regular webinars that it is essentially done implementing it. And, indeed, IMY's webinars are hosted by a Swedish provider under Swedish jurisdiction.
When it comes to data protection, we can predict everything except the future. Looking at the recent escalation, however, the trend is clear: act now or risk being left behind. Besides GDPR fines, which are moving away from "pedagogical" amounts towards sums that truly hurt the bottom line, your revenue will also suffer as competitors that have already moved to pure-EU solutions win the deals. And in case you are a CEO reading this, it is not unheard of for executives to receive prison sentences for ignoring data protection.
January 2022: "Google Analytics ruled illegal."
Continuing the tone set in Sweden, in January 2022 the Austrian Data Protection Authority ruled a website's use of Google Analytics unlawful on the basis of the earlier Schrems II ruling. This shows that the "US Cloud Act risk" is not a lonely Swedish initiative but an EU-wide issue.
Google Analytics has been the go-to solution for website analytics. In light of this ruling, many websites will need to audit their whole tech stack to stay out of trouble and make sure they no longer use GDPR-incompatible components. That includes not only frontend staples such as Google Fonts or the YouTube player, but also platform technologies such as cloud services, databases, and object storage.
2022: EU-US Agreement in Principle: The light at the end of the tunnel …
In principle, the US Cloud Act and FISA risks have a simple fix: the US enacts data protection rules equivalent to the GDPR. Many were hoping this would happen, and those same people were in for an emotional rollercoaster.
In March 2022, the President of the United States and the President of the European Commission announced an agreement in principle. In essence, the US promised to put safeguards in place that would make US surveillance law acceptable under the GDPR.
It took over six months before anything happened, and when it did, people quickly concluded that the progress was not significant. In October 2022, the US President signed Executive Order 14086, "Enhancing Safeguards for United States Signals Intelligence Activities". The European Commission argued that EO 14086 was sufficient to solve "the GDPR issue" with US cloud providers and drafted a so-called "adequacy decision" on that basis. Many other voices were skeptical.
… and the tunnel which collapsed
In December 2022, NOYB (noyb.eu), the non-profit organization that brought the Schrems II case decided in July 2020, issued a statement: "It seems obvious that any EU 'adequacy decision' that is based on Executive Order 14086 will likely not satisfy the CJEU." NOYB is, in effect, announcing that it will challenge any such adequacy decision in court.
In February 2023, the EDPB issued a 54-page opinion expressing several concerns and requesting clarifications on whether the Executive Order truly clears the bar set by the CJEU.
The final nail in the proverbial coffin came in April 2023, when the European Parliament's civil liberties committee (LIBE) adopted a resolution stating that "[T]he EU-US Data Privacy Framework fails to create actual equivalence in the level of protection". Parliament essentially echoed NOYB's assessment that the CJEU will likely strike down the adequacy decision.
Will the future be Privacy Shield 2.0 or Schrems III? Given the recent developments, I would bet on the latter. In fact, we increasingly get asked during vendor audits:
Are you processing any personal data outside EU jurisdiction?
It is with great pride that we answer such questions with:
As a Processor, we only process personal data in Sweden.
It seems like Europeans are finally getting a taste of data sovereignty. Why not capitalize on this and use GDPR as your unfair advantage to compete successfully against US Software-as-a-Service companies?
We at Elastisys have helped many customers win public procurements by keeping their data in pure EU jurisdiction. For example, Boost.AI sold their awesome chatbot solution to the Swedish Tax Agency (Skatteverket) after migrating from AWS to our Managed Kubernetes Platform.