The ending of the Privacy Shield agreement by the European Court of Justice (ECJ) could have serious ramifications for the major hyperscale cloud providers, according to privacy activists.
Privacy Shield is an EU-US agreement which ‘provides companies on both sides of the Atlantic with a mechanism to comply with data protection requirements in support of transatlantic commerce’, in the words of the framework’s website statement.
Max Schrems, a leading privacy advocate, challenged the agreement, arguing that security laws in the US were inadequate in safeguarding EU citizens from surveillance. The case – Data Protection Commissioner (DPC) v Facebook Ireland and Maximillian Schrems – hinged on Schrems asking the Irish DPC to suspend Facebook’s future use of Standard Contractual Clauses (SCCs), a mechanism which authorises moving EU user data to the US for processing.
In a ruling dated July 16, the ECJ ‘invalidate[d] Decision 2016/1250 on the adequacy of the protection provided by the EU-US [Privacy] Shield.’ The ruling however added that ‘it considers the [EU Commission decision] on standard contractual clauses for the transfer of personal data to processors established in third countries is valid.’
While the ECJ did not explicitly curtail SCCs in its ruling, legal experts have advised that it has done so in all but name.
Daniel Solove, a professor of law and founder of TeachPrivacy, a company which provides privacy and data security training, said that while Privacy Shield had been struck dead, SCCs were ‘in a coma on life support.’ While SCCs were still theoretically useable, Solove said they could not work in reality as a means to transfer EU personal data to the US without additional protections against US government surveillance.
“US companies initially breathed a big sigh of relief, but then they began to have the dark disturbing realisation that the impact of the decision was far more dire,” he added.
For companies such as Amazon Web Services (AWS), Microsoft and Google – the three biggest cloud infrastructure providers – this realisation was not immediately apparent. All three companies issued statements in the aftermath of the ruling assuring customers their clouds were essentially still as open as before.
“We want to be clear,” wrote Julie Brill, Microsoft CVP for global privacy and regulatory affairs and chief privacy officer. “If you are a commercial or public sector customer, you can continue to use Microsoft services in compliance with European law. The Court’s ruling does not change your ability to transfer data today between the EU and US using the Microsoft cloud.” Pablo Chavez, VP government affairs and public policy at Google Cloud, wrote: “Given the [ECJ] has upheld the [SCCs], it is important to know that your use of G Suite and Google Cloud Platform meets GDPR’s standards for transfer of personal data outside the EU.”
Last week, AWS chief information security officer Stephen Schmidt wrote similarly, citing the continued use of SCCs. “AWS customers can rely on the SCCs included in the AWS Data Processing Addendum,” Schmidt wrote. “As the regulatory and legislative landscape evolves, we will always work to ensure that our customers and partners can continue to enjoy the benefits of AWS everywhere they operate.”
Yet others are not as convinced. Asked by CloudTech to analyse Google’s initial statement, Bill Mew, a privacy advocate and founder and CEO of Crisis Team, said it was ‘misleading.’
“The reality is that the only companies who can continue to use SCCs are ones that can provide assurances that the data is protected from third party surveillance either at rest (protected from FISA 702) or in transit (protected from FISA 702 and/or EO 12.333),” he says in an email. “Google is an ‘electronic communication service provider’ and so falls under both FISA 702 and EO 12.333 whether it likes it or not.”
Mew said he was aware of one ‘very large company’, running on Azure, that was looking to remove ‘everything’ from Microsoft’s cloud. The company, in Mew’s words, found it would be ‘too much of a hassle’ for them to separate non-compliant data and move that to a local cloud provider. Some parties have already set out their stall. A note from Owen Sayers, an independent privacy consultant, has advised that UK criminal justice organisations can no longer discuss or share any personal data on cloud platforms from US firms.
Part of this fight-or-flight response is because there is no grace period for companies affected by the ruling. As in the case above, the immediate concern for many organisations is to conduct an assessment over whether they can continue sharing data. NOYB, a non-profit digital rights organisation founded by Schrems, said in an FAQ that ‘most’ US cloud providers fall under FISA 702, and that it is the organisation’s responsibility to find out whether they are compliant.
The one proviso, Solove noted, was through ‘supplementary measures’ which “could” ensure an adequate level of protection. “The [ECJ], however, doesn’t state what these ‘supplementary measures’ would be,” he wrote. “The only thing I can think of is encryption of the data. I am not sure what else will prevent the government from obtaining the data.”
CloudTech understands that Google Cloud is focusing on the supplementary measures aspect for SCCs, as laid down by the European Data Protection Board (EDPB), and is waiting for further guidance on this.
In an FAQ document from the EDPB, one question, applicable for companies who use SCCs with a US data importer, details: “Whether or not you can transfer personal data on the basis of SCCs will depend on the result of your assessment, taking into account the circumstances of the transfers, and supplementary measures you could put in place.”
Google Cloud says its data flows are encrypted to protect against electronic surveillance, while its trust principles include a commitment never to give any government entity ‘backdoor’ access to customer data or servers storing customer data. ‘We reject government requests that are invalid, and we publish a transparency report for government requests’, it adds.
One provider which could benefit from this ruling down the line is OVHcloud. The French-headquartered company will be known for its high ranking in Cloud Spectator’s price-performance analysis of cloud vendors. Yet the company’s governance structure differs from the hyperscalers, with a US-based company for US operations and a different company for European operations, with no cross-ownership between the two.
“We have built our governance and organisation so as not to be impacted by extra-territorial data sharing with [the] US. This includes definitive separation,” Hiren Parekh, OVHcloud VP northern Europe, tells CloudTech. “While we have customers in US alone and in transatlantic regions, our operations in the US support compliance for data laws stateside and those here such as GDPR.”
Parekh said the ruling was ‘more or less expected’ by OVHcloud’s legal team, and cited a recent Forrester Wave Europe report which recognised the company for unifying services while ensuring a European offering which is not affected by the US-based CLOUD Act.
“This links with our core principle of transparency, including data protection, and has aided conversations with customers and prospects,” Parekh adds. “Some wish to take a hard line as a strategic position while others look to make use of a variety of cloud infrastructure or software and address compliance case by case.”
So what happens from here? For many analysing the case, the solution is simple: reform US surveillance law. This, however, is a long shot. Solove advised that it ‘would be great, but don’t bet on it’. Part of this is down to the current incumbent of the White House. Donald Callahan, a partner at The Duquesne Group, puts it simply. “The first thing is we have to change presidents,” he tells CloudTech. “We have to get a Democratic majority in both houses – that is a pre-requisite.”
Mew notes that the big US tech companies – recently on parade at Congress answering questions on whether they have become too dominant – may have to do some lobbying of their own. “If the tech companies want to work out some sort of deal where they use SCCs to transmit business data, the US surveillance laws are going to have to change to provide the protections that are lacking,” adds Callahan. “It’s not going to be easy, but there is wiggle room to get to a compromise.”
On the other side of the Atlantic, a ‘European cloud’ project, called Gaia-X, was unveiled at the start of this year. The initiative is a collaboration between the European Commission (EC), Germany, France, and various organisations within the continent. In February, the EC set out plans to invest €2 billion as part of a bid to restore the continent’s ‘technological sovereignty.’ At the time, many industry pundits – predominantly US-centric – looked askance, citing the dominant market share of the hyperscalers. But does this ruling potentially give Gaia-X more momentum?
Callahan says that while “the hyperscalers will figure out a way to stay in Europe, an EU cloud will get some market share if it has focus”. For Mew, who was initially uncertain about the project, this may be a catalyst if US reform fails.
“I was one of those dismissive about the Gaia-X initiative at the time as I did not see a compelling business case,” he adds. “If we are now saying that US cloud firms cannot use SCCs until the intrusive US laws are reformed, then this changes the game.”
Amazon Web Services and Microsoft did not return a request for comment by publication time.