Today, IMY – the Swedish Data Protection Authority, responsible for enforcing the GDPR in Sweden – held a virtual conference. IMY proudly announced that they audited their tech stack and are no longer transferring personal data to third countries. In other words, they broke away from using US providers anywhere in their tech stack. Even the virtual conference itself – which was “only” processing IP addresses as personal data – was using a Swedish provider, with Swedish ownership, having servers owned and operated in Sweden.
The message that IMY tries to send to the IT industry is clear: Processing EU personal data in EU jurisdictions is possible and necessary. IMY set the example and expects the industry to follow suit, or face consequences.
But how exactly did we get here? Putting the blame on the IT department for not knowing how to implement GDPR back in 2016 wouldn’t be completely just. During the years since, however, clear guidance for how to technically implement the tech-neutral GDPR law has emerged. A myriad of court rulings, opinions, recitals and guidelines has brought much needed clarity. In this article, we’ll unroll the whole story.
May 2016: “Business as usual”
In May 2016, the EU made a new law – General Data Protection Regulation (GDPR) – which went into effect in May 2018. The GDPR is – honestly – a marvel of lawmaking. It has triggered the “Brussels effect” and inspired dozens of other countries to adopt similar legislation. GDPR is both flexible and stable, hence for a data protection regulation it is rather tech-neutral. On one hand, this is good for data subjects, as they can rely on their privacy being protected, no matter the latest incarnation of 3rd party cookies and cross-site tracking.
On the other hand, it puts a lot of pressure on regulators and the IT industry to figure out the exact details on how to apply GDPR day-to-day. What exactly is a third country transfer? Does geography or jurisdiction of the cloud provider’s parent entity matter? No wonder that the IT industry’s initial response to the wave of confusion was “let’s wait and see”.
July 2020: “Can we continue to run on US clouds?”
In July 2020, in so-called “Schrems II” ruling, the CJEU ruled on the incompatibility between the US Cloud Act – which prioritizes US national security over EU privacy rights – and GDPR. While the ECJ stopped short of banning US cloud providers, it makes it clear that companies need to assess the US Cloud Act risk, and take appropriate measures.
Certainly one would hope alarm bells would ring on the other side of the Atlantic, and for US lawmakers to rectify the situation, so as to allow US cloud providers to serve EU customers. Unfortunately, almost a year later after the issue was raised in a US Senate Hearing in Dec 2020, little was done to rectify the situation. Industry experts are pessimistic on the US changing their policy to foreign surveillance, as required to make US cloud providers compatible with the GDPR. The cultural gap is hard to bridge: the US needs access to non-US personal data for national security reasons, while the EU considers protection of personal data a human right.
March 2021: “It is a subsidiary of a company under U.S. law”
But what if the US cloud provider has a data center in the EU? Fortunately, in March 2021, a French court ruling also sheds light on this, and ruled that a US cloud provider – even if hosting data in the EU and promising not to transfer data to the US – is a risk to data protection, due to operating under US jurisdiction:
June 2021: “But what if we use encryption?”
In June 2021, after 7 months of public consultation, the EDPB issued recommendations on supplementary measures that data controllers and processors must take when transferring data to third countries, such as the US. On the positive side, the report highlights how to employ encryption to continue using US-based cloud providers. On the negative side, encryption keys need to stay under the control of an EU entity, i.e., data must look “opaque” to the US cloud provider, which reduces their usefulness. How would you send emails using AWS Simple Email Service (SES), when emails should not be decryptable by AWS?
Nov 2021: “Why aren’t you running in EU jurisdiction?”
Is now the time to re-evaluate our suppliers and systematically move to EU providers? As if to serve as the last nail in the proverbial coffin, in Nov 2021, a collaboration of Swedish government agencies issued a report on how to continue digitalization without using much-appreciated US services, like Zoom, Team, Office 365 and Google Workspace. They recommend using equivalent open-source solutions, hosted either on-premise or managed by EU cloud providers. This is not just an ambition, but IMY already highlighted during today’s conference that they are essentially done implementing.
When it comes to data protection, we can predict everything, except the future. However, looking at the recent escalation, the trend is clear. Besides GDPR fines moving away from “pedagogical” amounts to values that truly hurt the bottom line, your revenue may also hurt due to competition having moved already to pure-EU solutions.
Update Jan 2022: “Google Analytics ruled illegal”
Continuing the tone set in Sweden, the Austrian Data Protection Authority ruled Google Analytics illegal on the basis of the earlier Schrems II ruling. This really shows that the “US Cloud Act risk” is not a lonely Swedish initiative, but an EU-wide issue.
Google Analytics was the go-to solution for website analytics. In light of this ruling, many websites will need to fully audit their tech stack to stay out of trouble, making sure they no longer use GDPR-incompatible assets. This includes not only go-to frontend technologies, such as Google Fonts or YouTube Player, but also platform technologies, such as cloud services, database and object storage.