Schrems II and Cloud Computing: Immediate Action Required
Magali Feys
IP, IT and Data Protection Lawyer at AContrario.Law, Quality by default, Innovation by design | Chief Strategist Ethical Data Use at Anonos
How to continue international data transfer lawfully and avoid deleting your Cloud data due to the new Schrems II court decision
The title of a recent Fortune article highlights the tenuous nature of ongoing global trade following the Schrems II decision by the Court of Justice of the European Union (CJEU):[1] “An EU court just killed a vital U.S. data-sharing agreement. Some say global trade is at risk.”[2] The article is more than just a punchy header: it also highlighted the following recent claim by Microsoft:
“We want to be clear: If you are a commercial customer, you can continue to use Microsoft services in compliance with European law. The court’s ruling does not change your ability to transfer data today between the EU and U.S. using the Microsoft cloud.”
But the article was careful to emphasize:
“The key word in [the above] post is ‘today’: Microsoft’s [standard contractual clauses or SCCs] remain valid, but if Facebook’s SCCs fall, then Microsoft’s could soon follow.” [3]
The decision by Microsoft (and other large vendors) to forge ahead despite Schrems II, alongside hesitation from commentators and legal experts, highlights the precarious nature of international data transfers, and particularly of lawful cloud computing.
This tension is explained by the Frequently Asked Questions (FAQs) published by privacy advocate Max Schrems, the initiator of the lawsuit resulting in the Schrems II decision. These FAQs state that popular cloud providers, including those specifically listed below, fall under the jurisdiction of Section 702 of the US Foreign Intelligence Surveillance Act (“FISA 702”). The FAQs assert that EU data controllers “will not be able to use them anymore.”[4]
- AT&T
- Amazon (AWS)
- Apple
- Cloudflare
- Dropbox
- Microsoft
- Verizon Media (former Oath & Yahoo)
- Verizon
The FAQs further state that “The location for hosting is … irrelevant” (emphasis added) because “FISA 702 [and related laws] have no territorial limitation. These laws also apply to servers in the EU that are operated by a US ‘electronic communication service provider’ or where certain operations are outsourced to a US provider.” The FAQs go on to state that “typical ‘outsourcing’ situations (when an EU business is forwarding your data to a US company that is in turn processing your data) are in most cases illegal.”
Despite the strong position taken in the Schrems FAQs, the court in Schrems II did not invalidate Standard Contractual Clauses (SCCs). It held that where the law of the destination country does not itself ensure adequate protection, the data exporter must provide “supplementary measures” in addition to the SCCs; with such measures in place, doing business with US cloud providers (and transferring data to other non-EU countries) can remain lawful.
However, these “supplementary measures” must ensure “compliance with the level of protection essentially equivalent to that guaranteed within the EU by the GDPR.”
Protecting and respecting the fundamental rights of EU data subjects while ensuring ongoing commercial and economic flexibility for EU businesses and member states is possible. To do so, it is important to examine the viability of different approaches to providing “supplementary measures” that can satisfy the requirements of Schrems II.
The situation is extremely time-critical, and all organisations should contribute suggestions for resolving it.
The critical nature of the situation was reinforced by the European Data Protection Board (EDPB) in its own FAQs,[5] which highlight, among other matters:
- The inability of SCCs to bind governmental authorities of third countries to which data is transferred, as they are only contractual in nature between the exporter and importer.[6]
- The obligation of both the EU data exporter and the recipient of the data (the “data importer”) to verify, prior to any transfer, that they have measures in place that provide “the level of protection essentially equivalent to that guaranteed within the EU by the GDPR.”[7]
- The obligation of the data exporter to suspend the transfer of data and/or to terminate the contract when SCCs have no supplementary measures and (therefore) do not “ensure compliance with the level of protection essentially equivalent to that guaranteed within the EU by the GDPR.”[8]
- The applicability of the Schrems II requirements to other countries as well as to the US.[9]
- The absence of any grace period and the requirement to take prompt action following the Schrems II decision.[10]
- The illegality of data transfers under the Privacy Shield and the immediate need to find an alternate legal basis or terminate the processing.[11]
- The need to augment data transfers using SCCs with supplementary measures to ensure that US or other third country laws “do not impinge on the adequate level of protection they guarantee.”[12]
- The applicability of the Schrems II mandated requirements to all data transfers covered by Binding Corporate Rules (“BCRs”).[13]
- The EDPB’s ongoing assessment of the impact of Schrems II on transfer tools other than SCCs and BCRs; in all cases it highlights that the standard for “appropriate safeguards” under Article 46 GDPR is one of “essential equivalence.”[14]
- That “consent of the data subject” only serves as a derogation allowing for lawful data transfer when the consent is: (i) explicit; (ii) specific for the particular data transfer or set of transfers; and (iii) informed, particularly as to the possible risks of the transfer.[15]
- That “necessary for contract” only serves as a derogation allowing for lawful data transfer on an “occasional” basis and when the transfer is objectively necessary for the performance of the contract.[16]
- That “important reasons of public interest” only serves as a derogation allowing for lawful data transfer if recognized by EU or a Member State law and restricted to specific situations.[17]
- The need for further analysis before the EDPB can provide guidance on “the kind of supplementary measures that could be provided under Schrems II in addition to SCCs or BCRs, whether legal, technical or organisational measures, to transfer data to third countries when SCCs or BCRs do not provide the sufficient level of guarantees on their own.”[18]
With no grace period, and with the EDPB needing to receive suggested supplementary measures before it can provide advice, we have taken up the challenge posed by the EDPB for analysis of “the kind of supplementary measures that could be provided under Schrems II in addition to SCCs or BCRs.”
To that end, we have published the Data Embassy principles at www.DataEmbassy.com, where further details on the Data Embassy are also available.
It is our hope that the Data Embassy principles will enable stakeholders to examine and determine appropriate ways to move forward in this critical situation for the benefit of all parties.
Magali Feys, Data Protection Lawyer - Anonos Chief Strategist - Ethical Data Use
[1] Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (Case C-311/18) (“Schrems II”). See https://curia.europa.eu/juris/document/document.jsf?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=9745404 The Schrems II case originated from the 2015 CJEU “Schrems I” case (Case C-362/14), which invalidated the EU–US Safe Harbor framework for trans-Atlantic data transfers. After the invalidation of the Safe Harbor in Schrems I, the Irish Data Protection Commission took the position that Standard Contractual Clauses (“SCCs”) could not ensure an adequate level of protection of personal data consistent with the EU Charter of Fundamental Rights (“Charter”), and on October 3, 2017 Ireland’s High Court decided to refer questions to the CJEU for a preliminary ruling. The CJEU was asked, among other things, whether US law ensures adequate protection of the personal data of EU citizens, and whether the use of SCCs provides sufficient safeguards for the freedoms and fundamental rights of EU data subjects.
[2] https://fortune.com/2020/07/16/cjeu-kills-privacy-shield-facebook-schrems/
[3] The qualified validity of Microsoft’s SCCs reflects that the Schrems II judgment concerned Facebook’s transfers directly. The SCCs relied upon by Microsoft and other “data exporters” for international data transfer remain open to separate challenges by EU data subjects, supervisory authorities and privacy advocates. Under Schrems II, where the law of the destination country does not itself ensure essentially equivalent protection, SCCs and BCRs must be supplemented by additional measures that ensure protection of personal data equivalent to that under EU law, or their use for international data transfer is unlawful.
[4] See https://noyb.eu/en/next-steps-eu-companies-faqs
[5] See EDPB FAQs on Schrems II adopted on 23 July 2020 at https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118.pdf
[6] See EDPB FAQ #1.
[7] Id.
[8] Id.
[9] See EDPB FAQ #2 and FAQ #9.
[10] See EDPB FAQ #3.
[11] See EDPB FAQ #4.
[12] See EDPB FAQ #5.
[13] See EDPB FAQ #6.
[14] See EDPB FAQ #7.
[15] See EDPB FAQ #8.
[16] Id.
[17] Id.
[18] See EDPB FAQ #10.