Max Schrems is probably a name few people are familiar with. The Austrian has long been known in circles interested in data privacy and, later on, the GDPR, but the broader public has shown little interest in him.
We will not guess whether that is going to change, but there is no doubt that if your company's digitalisation strategy is based partly or fully on public cloud, the Austrian's name will have an impact on you in the coming months.
His name is now synonymous with a ruling handed down by the Court of Justice of the European Union on 16 July 2020, commonly referred to as Schrems II. We will return to that.
Max Schrems' fight against Facebook and the Irish Data Protection Authority
Let us start by explaining briefly what the case is about. In 2013, Max Schrems filed a complaint with the Irish Data Protection Authority. He argued that it was unlawful for Facebook to export personal data to the United States under the rules applicable at the time, which rested on trust that the recipient of the data (in this case, Facebook in the USA) could protect it sufficiently.
After a process in which the Irish Data Protection Authority initially rejected the complaint as "frivolous and vexatious", the case concluded in Ireland on 3 October 2017 with a judgment referring it to the Court of Justice of the European Union.
The Court of Justice took up the case and, as mentioned, delivered its ruling on 16 July 2020. The Court held that supervisory authorities must suspend or prohibit transfers of personal data made under a company's (e.g. Facebook's) standard contractual clauses where those clauses cannot be complied with in the destination country. The ruling also invalidates the Privacy Shield agreement between the EU and the United States.
What does the verdict mean?
In everyday terms, the ruling means that data exporters are now explicitly obliged to ensure that the legal regime governing transfers to a third country offers protection equivalent to the GDPR. In other words, as a customer of a public cloud provider (AWS, Azure, Google Cloud or one of the 5,372 other companies certified under the Privacy Shield), you are responsible for ensuring that the GDPR is complied with when data is exported to, for example, the USA.
But that is not so bad, is it? It clearly affects companies like Facebook and Google. But what about ordinary Danish companies that only run a few services in the cloud?
What about you and your company?
The answer is that you are also affected if you use one of the large public cloud services: Amazon Web Services, Google Cloud Platform, Microsoft Azure and so on.
It comes down to how these companies organise support. They use a "follow the sun" model, in which support is always handled by an employee located somewhere in the world where it is daytime, for example the United States or India. Because these employees can access the personal data of EU citizens, even when the data is encrypted, the data must be treated as if it had been exported outside the EU, and that is where the trouble begins.
But what about our digitalisation strategy?
That brings us back to the beginning of this post. How can Danish companies follow a digitalisation strategy built on public cloud, one that has already been decided, if the legal basis for keeping personal data in public cloud has to a large extent disappeared? Or, at least, if the strategy now carries an obligation that is very hard to meet with public cloud in its current form.
If your applications or services hold no personal data, you can relax, but very few companies are in that position; many hold personal data at large scale.
One can, of course, wait and hope that someone solves the problem, for example the public cloud providers, whose business is to some extent threatened by this. But there are alternatives.
Several of Netic's customers use a hybrid model, which has a number of advantages. The model, which we already run together with several of our larger customers, places test and development environments in public cloud, taking advantage of the benefits the cloud providers offer for those purposes.
Sensitive personal data is stored entirely in Netic's Private Cloud, established in our own Danish data centres. In that way, the overall hybrid environment complies with the GDPR.
Netic can help you from here
We offer our experience with establishing and operating Private, Public and Hybrid Cloud, whether the conversation starts from a technical, commercial or legal point of view.
If you want to know more about how Netic can help you with cloud, we have gathered articles, knowledge and guidance for you. You can also find information and help on security.