Personal Data in the Cloud? Why the Schrems II verdict is important

The Schrems II verdict at the European Court of Justice on the 16th of July 2020. It probably  sounds so boring that you are about to bounce back to where you came from. However, if you are planning on using cloud services with personal data, we would encourage you to read on. It might sound boring, but it's pretty important.Let’s start by very briefly outlining what the verdict means. In its shortest form, it can be said as follows:

When you have personal data in a cloud service, you as the data controller have a duty to ensure that the EU Personal Data Regulation (GDPR) is complied with. If the provider of the cloud service is from a third country (for instance outside the EU), you must, as part of this duty, ensure that the personal data in question is subject to protection equivalent to the ones in the EU.

The verdict then overrules the agreement that hitherto has existed between the EU and the US - the so-called Privacy Shield scheme - as the verdict says that Privacy Shield does not provide protection equivalent to the protection that personal data would have had in a European country.

In other words: There is probably no legal framework for exporting personal data to the US or other third countries, which is compliant with GDPR.

We will return to the word "probably." For now we provide you a few links if you want to dive deeper into the background and why the verdict is so important.

We have also previously touched upon the topic on our blog: https://blog.netic.dk/saadan-faar-en-oestrigsk-aktivist-indflydelse-paa-din-it-strategi

 

What are the implications?

But what does it mean then? What are the real implications of the verdict for companies and organizations in Denmark - in the short and long term?

Let’s start with the positive. If you already have cloud services in use with personal data, and the service was taken into use before the verdict - that is before the 16th of July 2020 - you are most likely in good faith and not required to do anything at the moment.

However, it does not mean that you are compliant. It means that you probably should not lie sleepless with the thought of the The Danish Data Protection Agency knocking on your door.

That's the positive part. Let's move on to the slightly more serious part:

If you plan to use a cloud service with personal data in the nearest future, you are probably acting in bad faith, and thus risking a penalty, cf. the rules in the GDPR, which is implemented in the Danish Data Protection Act

There you have the word "probably" again. Let's go over it. The challenge right now is that the Schrems II verdict has not yet been applied in Danish legal practice. It is the Danish Data Protection Agency together with the Danish government and more specifically, the Minister of Justice, who are ultimately responsible for the implementation of the verdict in Danish law.

For now, the Danish Data Protection Agency has not announced how Denmark relates to the verdict, for which reason we have to make certain reservations. However, our neighbouring country Norway, who is often a pioneering country in the field of personal data, has announced that if one is currently exporting personal data to the US or other third countries, which are not compliant with GDPR, one is in bad faith.

Hence, the word "probably".

 

What will happen?

Right now, no one knows what will happen. This leaves us in a very uncertain situation.

From our part, given the above and the current situation, we do recommend that personal data is exported to third countries, as this will be associated with a significant risk.

However, this is based on the current situation. How about in three months? Or six months?

It can be said quite briefly: Someone needs to change something, if the situation is to be resolved.

    • Either the EU must relax the rules, either by reversing the verdict or by implementing changes in the GDPR.
    • Alternatively, the US must change its legislation so that the Privacy Shield will provide the same protection as if personal data were stored in the EU.
    • Or cloud service providers must ensure that personal data stored in their services is provided the same protection as if they were covered by EU law.

Let's start from the bottom with the third option:

Why don't the cloud providers - for example Amazon Web Services or Microsoft Azure - just establish data centers in Denmark and then the problem is fixed? Or why can't you just select "EU Region" in AWS and then have your data stored in Europe?

Unfortunately, it's not that easy. The physical location of personal data does not change the basic issue: That the cloud provider is subject to (in this case) US law.

As for option 1 and 2 in the list above, they are not much better. Traditionally, the EU does not change its rules to accommodate major US tech companies. Quite the opposite, actually.

In terms of the US' willingness to change their legislation, it may also have long-term prospects. The crucial point is the US Foreign Intelligence Services Act, Section 702. It was the same legal section that was the focal point of Edward Snowden's leak of the Prism program in 2013, and the largest US tech companies have been lobbying US authorities for years for an amendment of the said paragraph. So far, without luck.

The question is then, where does that leave you and other Danish companies? Are cloud services no longer an option?

 

How do we move on?

What we know right now is that there is probably no legal framework for exporting personal data to the US. Nor does such legal framework appear to be in place in the foreseeable future.

However, this does not mean that you now have to stop using cloud. It just means that you simply have to do it in a way that ensures you live up to the rules.

At Netic, we are currently operating a number of services that are based partly on cloud services from third countries as well as compliant with the rules, including the Schrems II verdict.

As mentioned above, we do not recommend exporting personal data to US providers at the moment. Yet, we are happy to advise you on both the legal aspects and the technical aspects of your IT solution. In this way you are able to proceed with your plans while being compliant with the rules.

Steen Jensen

CEO sj@netic.dk +45 2248 6193
Share content