The European Data Protection Supervisor (EDPS) has said it will investigate the use of cloud services provided by Microsoft and Amazon by European public sector organizations. The EDPS will examine the international data transfers that the U.S. cloud giants facilitate and whether they comply with the GDPR. The decision follows the striking down of the Privacy Shield, which previously allowed largely unhindered transfers of personal data across the Atlantic. Currently, the odds do not seem to favor the cloud giants, considering that a federal data protection law in the U.S. offering data subjects protection comparable to the GDPR is still only in the works. Here is a quick look at the road ahead for U.S. cloud giants and at whether the European private sector should worry.
The U.S. and Europe have enjoyed deep economic relations since the beginning of the Cold War era, and the two continue to be each other's largest trading partners to date. In 2019, transatlantic trade totaled nearly $5 trillion, with the EU enjoying a significant trade surplus; as per the EU, the EU and U.S. economies account for about "half of world GDP and for nearly a third of world trade flows."
However, in July 2020, the European Court of Justice invalidated the Privacy Shield. This EU-U.S. framework enabled European organizations to comply with data protection regulations when transferring personal data to the U.S. The Court observed that the mechanism did not protect the personal data of EU citizens from being accessed by U.S. public authorities, as the requirements of U.S. national security, public interest, and law enforcement enjoyed priority in the U.S.
Why AWS and Microsoft 365 Are Under the Spotlight
The landmark decision, popularly known as the Schrems II judgment, removed the Privacy Shield as a lawful basis for transferring personal data from the EU to the U.S. The Court left Standard Contractual Clauses in place, but only on condition that the exporter assesses, case by case, whether the destination country's law affords protection essentially equivalent to the GDPR, an assessment that is hard to pass for the U.S. until it introduces strong federal legislation affording personal data the same sanctity the GDPR provides. This has a significant bearing on the data transfer practices of EU-based entities that transfer vast amounts of data to data centers located in the U.S., mainly social media companies.
Soon after the judgment, the European Data Protection Supervisor (EDPS) said it would monitor the compliance of European institutions, bodies, offices and agencies concerning transfers of personal data to third countries, and in particular to the United States. It said the primary focus would be on monitoring ongoing controller-to-processor and/or processor-to-sub-processor contracts involving transfers of data to third countries, with emphasis on those carried out to the United States.
In May 2021, the EDPS launched its first investigations as part of this fresh mandate. One of them focuses on the use of AWS and Microsoft services by European Union institutions, bodies and agencies (EUIs) under the Cloud II contracts; the other focuses on the use of Microsoft Office 365 by the European Commission. The EDPS noted that EUIs increasingly rely on cloud-based software and cloud infrastructure or platform services from large ICT providers that are subject to legislation allowing disproportionate surveillance activities by U.S. authorities.
"I am aware that the 'Cloud II contracts' were signed in early 2020 before the 'Schrems II' judgement and that both Amazon and Microsoft have announced new measures with the aim to align themselves with the judgement. Nevertheless, these announced measures may not be sufficient to ensure full compliance with EU data protection law and hence the need to investigate this properly," said Wojciech Wiewiórowski, the European Data Protection Supervisor.
U.S. CLOUD Act: Why the EU Is Adamant About Negating Its Enforcement
At present, U.S. cloud services are widely used by EU organizations, with Microsoft, Amazon, and Google enjoying a 66% share of the European cloud market and pushing the market share of European service providers down from 26% in 2017 to 16% in 2020. According to Synergy Research Group, the three U.S. cloud giants own 67 hyperscale data centers in Europe, and tier-two U.S. providers have another 36 major data centers. Deutsche Telekom, the largest European service provider, boasts just a 2% market share.
Now that EU data protection authorities have begun monitoring the adherence of overseas cloud services to the GDPR, a ban on their use would, like last year's invalidation of the Privacy Shield, have significant ramifications for the region's economy. At present, EU institutions continue to use AWS and Microsoft under the Cloud II contracts, but since the EDPS does not deem the measures attached to them sufficient to preserve data subjects' rights once data reaches the U.S., the longevity of that arrangement cannot be taken for granted.
Another factor that EU organizations must consider is that all U.S. cloud services have to abide by the 2018 Clarifying Lawful Overseas Use of Data Act, popularly known as the CLOUD Act. The Act requires U.S. cloud services to "preserve or disclose content of a wire or electronic communication and any record of other information that is stored outside U.S. territory."
According to the Centre for European Policy Studies (CEPS), the CLOUD Act gives U.S. law enforcement authorities the power to "issue warrants mandating production, preservation and wiretapping of data, and to address them directly to U.S. companies operating abroad. By doing so, it gives U.S. authorities a 'legal shortcut' allowing the unilateral application of U.S. laws over issues (cross-border access to data for law enforcement and criminal justice purposes), which have far-reaching transjurisdictional implications."
It added that challenging a U.S. data-gathering measure issued under the CLOUD Act appears very difficult in practice, even if U.S. service providers decide to challenge personal data requests. "The CLOUD Act significantly restricts the circumstances under which an 'obliged entity' can file a motion to quash or modify the SCA warrant, and only allows for an order to be modified or quashed if it is in the interests of justice."
"Such a formulation appears to clearly prioritize U.S. authorities' investigative needs over the interests/rights of addressed service providers to challenge cross-border data-gathering measures. Challenging a SCA warrant is even more difficult (if not practically impossible) for data subjects. In fact, while the CLOUD Act foresees limited possibilities for legal actions from the obliged entity (i.e. the addressed service providers), it does not envisage notification duties in relation to data subjects," it added.
The Way Forward for EU Organizations
The Schrems II ruling, and the recent EDPS investigations into the use of U.S. cloud services by European Union institutions, bodies and agencies, should prompt organizations to reorient their data storage, data processing, and data transfer practices to the requirements of the GDPR. Considering that Amazon, Microsoft, and Google offer market-leading and price-competitive cloud services, it would not make much sense for organizations to switch wholesale to "safe" cloud services that do not provide similar benefits. A more intelligent approach, and one organizations are adopting widely, is the hybrid cloud.
A hybrid cloud approach can help organizations plan for GDPR compliance, because it gives them the flexibility to keep sensitive personal data on on-premises servers and upload only non-sensitive data to cloud servers. This forces them to classify and structure their data, enhances visibility, and limits the personal data that is shared with third parties, and thus the data that is exposed to a transfer at all.
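One concrete way to implement the split described above, as an added example that is not part of the original article: a small Python gate that identifies the personal-data fields of a record (by field name and by pattern matching on free text), keeps those values on-premises in a lookup table keyed by a keyed-hash pseudonym, and forwards only the pseudonymised record to the cloud. It goes one step further than the paragraph by splitting individual records rather than routing whole records, so the cloud copy still carries the non-personal fields needed for analytics. The field list, the patterns, the key and the sample record are illustrative assumptions; a real deployment would derive them from its own data inventory.

```python
"""Pre-upload data-residency gate (added, illustrative example)."""
import hashlib
import hmac
import re

# Assumption: an illustrative list of field names treated as personal data.
PERSONAL_FIELDS = {"email", "full_name", "phone", "national_id", "ip_address"}

# Assumption: patterns that catch personal data hiding inside free-text fields.
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def personal_fields(record):
    """Return the names of the fields in `record` that carry personal data."""
    found = set()
    for name, value in record.items():
        if name in PERSONAL_FIELDS:
            found.add(name)
        elif isinstance(value, str) and any(
            pat.search(value) for pat in FREE_TEXT_PATTERNS.values()
        ):
            # Free text that contains an e-mail address or IP is treated as
            # personal data as a whole; we do not try to redact inside it.
            found.add(name)
    return found


def pseudonym(key, field, value):
    """Deterministic keyed pseudonym for one value, scoped to its field name.

    HMAC-SHA256 with an on-premises key: without the key the token cannot be
    reversed or even confirmed against a guessed value.
    """
    msg = f"{field}:{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def split_record(record, key):
    """Split one record into (vault_entry, cloud_record).

    vault_entry maps pseudonym -> original value and stays on-premises.
    cloud_record is the same record with personal values replaced by
    pseudonyms and may be uploaded to a cloud provider.
    """
    sensitive = personal_fields(record)
    vault_entry, cloud_record = {}, {}
    for name, value in record.items():
        if name in sensitive:
            token = pseudonym(key, name, value)
            vault_entry[token] = value
            cloud_record[name] = token
        else:
            cloud_record[name] = value
    return vault_entry, cloud_record


def reidentify(cloud_record, vault):
    """Restore the original record from the cloud copy plus the on-prem vault."""
    return {name: vault.get(value, value) for name, value in cloud_record.items()}


def route(record):
    """Coarse whole-record routing for systems that cannot split records."""
    return "on-premises" if personal_fields(record) else "cloud"


# Constructed sample input, not real data.
SAMPLE_RECORD = {
    "record_id": 17,
    "full_name": "Ada Example",
    "email": "ada@example.org",
    "plan": "pro",
    "notes": "customer asked to be called back from 10.0.0.7",
}
SAMPLE_KEY = b"on-prem-only-key-for-the-example"  # assumption: kept in an on-prem KMS

if __name__ == "__main__":
    vault, cloud_copy = split_record(SAMPLE_RECORD, SAMPLE_KEY)
    print("fields kept on-premises:", sorted(personal_fields(SAMPLE_RECORD)))
    print("cloud copy:", cloud_copy)
    print("round trip ok:", reidentify(cloud_copy, vault) == SAMPLE_RECORD)
```

Because the pseudonyms are deterministic, two records about the same person still link up in the cloud copy, which is what keeps joins and counts usable there; if that linkage is itself a risk for the data set in question, add a per-record salt to the HMAC input at the cost of losing those joins. The key must never leave the on-premises environment, otherwise the cloud copy is reversible by whoever can compel the provider to hand it over.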
However, hybrid cloud architectures can pose significant data security and governance challenges if not planned well. Organizations that lack the in-house capacity now have the option of engaging a Data Security as a Service (DSaaS) provider. Our detailed article explains how DSaaS providers can help manage the cost and complexity associated with hybrid cloud adoption, and our list of ten best practices covers how an organization can manage modern hybrid cloud security challenges in 2021 and beyond.
According to Tim Mackey, principal security strategist at the Synopsys CyRC (Cybersecurity Research Centre), leveraging DSaaS solutions and services is a great way for organizations to store and structure their data and comply with various data protection regulations. "Maintaining compliance with ever-shifting international regulations is a challenge for any business operating with a digital supply chain. Given the availability of 'as a service' providers and the low cost of acquisition of cloud services, when selecting any provider, a risk analysis should be performed as part of the procurement due diligence effort.
"While the most common element in such a due diligence exercise is the impact of outages, data privacy implications are a close second. Unfortunately, for many businesses the determination made in Schrems II impacting the EU-US Privacy Shield introduced uncertainty in their data transfer operations – assuming the business leadership were fully aware of the implications of the EU-US Privacy Shield on their operations," he said.
Commenting on the news about the Irish Data Protection Commission directing Facebook to cease data transfers to the U.S., Mackey said that the DPC's ruling should serve as a catalyst for business leaders to review what transfers and associated digital supply chains power their businesses and how they can best remain compliant with the GDPR. "As part of that review process, the scope of data transfers should be carefully reviewed to ensure that only a minimum of data is subject to any international transfer where an Adequacy determination was required, and that when shifts in Adequacy occur that an updated review automatically occurs."