And so it finally came, the European Commission’s new adequacy decision, based on the EU-US Data Privacy Framework. Of course, many organisations are wondering whether they now have a green light to use American cloud service providers.
We believe that the answer is still no.
Download our in-depth report where we look at the impact of the adequacy decision and why there are still problems with using US cloud service providers. Feel free to share this with those in your organisation who you think might find it interesting, such as data protection advisors, data protection officers and those tasked with procuring cloud services and SaaS solutions.
What your organisation needs to know about the adequacy decision
For starters, we expect the Court of Justice of the European Union (CJEU) to invalidate the new adequacy decision within a couple of years. The foundation it stands on is crumbling and will sooner or later collapse. It would therefore be a strategic misstep to rely on the adequacy decision for digital undertakings of any significance.
However, this report is about something more important: namely, what the adequacy decision can – and cannot – be used for. We hope to clarify some questions and prevent misunderstandings.
- The adequacy decision does not solve the problem of US intelligence agencies being able to compel US cloud service providers in the EU to disclose personal data.
- The adequacy decision also cannot be used to legitimise such transfers from the EU to US intelligence agencies. The fact that this extraterritorial access remains will continue to be a problem under EU law.
We therefore consider that organisations subject to the GDPR are still prevented, in principle, from processing personal data with US cloud service providers in the EU. Here are the key points of what you need to know.
1: The adequacy decision only allows for transfers of personal data from the EU to self-certified recipients in the US. It does not allow for transfers to the United States in general.
2: Transfers from the EU to US intelligence agencies cannot be made under the adequacy decision. US intelligence agencies are not self-certified recipients. Moreover, such disclosures to US authorities are in principle prohibited under other rules of the GDPR. The adequacy decision therefore makes no difference in these situations.
3: An organisation processing personal data in the EU must ensure the level of protection and rights required by the EU Charter of Fundamental Rights and the GDPR. The EU Charter’s level of protection includes the right of access to personal data, rectification of inaccurate personal data and effective judicial review. We believe that these rights still cannot be effectively exercised by those seeking redress in the US.
4: The GDPR has several rules that protect personal data against third country legislation. We argue that US cloud service providers cannot guarantee compliance with these rules. On the contrary, their own statements mean that they place US law above the GDPR. We therefore believe that US cloud service providers do not provide the guarantees necessary to be used as data processors under the GDPR.
5: The CJEU has made clear that the level of protection afforded by EU rights covers all personal data irrespective of its sensitivity, how it is used and whether individuals have been inconvenienced in any way.
6: In Schrems II, the CJEU held that effective protection of personal data could not be ensured when the law of a third country allowed the authorities of that country to interfere with the rights of individuals. The protection of those rights already failed at this stage; there did not have to be an actual disclosure to US authorities, or even a likelihood of such a disclosure. We believe that this clarifies the level of protection that must be ensured within the EU: when such third country legislation allows personal data in the EU to be disclosed to third countries, the level of protection in the EU can in principle no longer be ensured.
7: It follows that if an organisation exposes personal data in the EU to US legislation, which allows interference with individuals’ rights, the organisation cannot sufficiently protect the personal data in the EU.
8: The GDPR and the CJEU’s approach to third country legislation should in most cases preclude the use of US cloud service providers with processing in the EU, as US law allows US authorities to demand personal data from US cloud service providers in the EU in a way that we believe violates the GDPR and undermines the EU’s level of protection. The adequacy decision does not change this.
9: Encryption in the cloud is sometimes proposed as a solution. However, we have not seen a case where a US cloud service provider has demonstrated how they encrypt data in a way where the customer is in full control, and where the cloud service provider has no technical ability to decrypt the data, without the customer also suffering from one or more of the following:
- Encryption covers only a subset of the data that needs to be managed in the cloud.
- Reduced performance and functionality as it becomes difficult or impossible to process information in the cloud and to search, share and collaborate on information.
- Higher licence costs.
- Administrative burden of managing the encryption and associated security risks.
- Increased demands on employees regarding the systems and digital tools where they can manage information, demands that are difficult to fully uphold.
10: For these legal, economic and practical reasons, cloud services with true data sovereignty, without exposure to US law, remain the most attractive option.