After Schrems II: Play it safe with a European cloud

In this article you will read about, 

• the background to the ECJ's "Schrems II" ruling,
• what the new developments mean for companies, public-sector institutions, and IT service providers that rely on US cloud services,
• and how choosing the right public cloud helps to ensure EU-compliant data protection.

Whether exchanging order information with international subsidiaries or research results in university collaborations, whether processing information in commercial enterprises or in digital public administration: data knows no borders. And cloud computing is indispensable for implementing a wide range of requirements. For many companies and public-sector institutions, processing data internationally has long been part of everyday life. According to market researchers at Capgemini, 73 percent of all companies in Germany, Austria, and Switzerland exchanged data with suppliers in 2020, six out of 10 with supervisory authorities and three out of 10 with commercial data providers. Personal information must be particularly well protected. Realizing that one's own data, which is stored in the public cloud, is now in foreign hands after a cyber attack or government access abroad? That’s a worst-case scenario.

The Privacy Shield agreement between the United States and the European Union also served to protect European data abroad. In its Schrems II decision, however, the European Court of Justice (ECJ) overturned the Privacy Shield in July 2020 – just as it had overturned its predecessor, the Safe Harbor agreement, several years earlier. This is because, according to the European General Data Protection Regulation (GDPR), all data transfers to countries outside the EU must ensure that the level of data protection in the destination country corresponds to that in the EU. However, according to the ECJ, the Privacy Shield could not guarantee adequate protection and was therefore overturned.

Another approach to international data transfers that complies with data protection requirements is the use of standard contractual clauses (SCC). In these, the data exporter and the foreign data importer contractually agree on the level of data protection. However, the data importer must actually be able to comply with these obligations. Following the ECJ ruling, the standard contractual clauses continue to be valid – even for transfers to the US. However, a case-by-case review and, if necessary, the implementation of further measures is always required. In addition, the SCCs date back to before the GDPR. The consequences for many companies and public institutions: unacceptable legal risks and fear of high penalties on the one hand, costly and uneconomical processes for implementation in new contracts on the other.

What now? For long-term secure business relationships that rely on digital everyday life, the ruling created an enormous hurdle. After all, companies, universities, and public administration face great uncertainties when exchanging data overseas, especially when it comes to the question of what additional measures they have to take. Accordingly, the EU was under pressure to eliminate these uncertainties and reconnect the market internationally in a future-proof manner. Therefore, the European Commission presented new standard contractual clauses in June 2021.

The new version of the SCC is intended to provide "user-friendly instruments for the transfer" for companies and public authorities. This means that if companies still exchange personal data with third countries such as the US on the basis of the old clauses, they must review existing contracts and adapt them to the new SCC within 18 months. What kind of effort will this involve? It could be considerable, depending on the size of the company or public authority and the international integration of processes. Given the gap between the requirements of the GDPR and the self-image of many third countries, a new agreement is not likely for the foreseeable future.

It remains to be seen how the ECJ would rule in the event of a lawsuit over the new SCC or even a potential new Privacy Shield. The European Commission's expectations of the US are very high. Would such a new regulation be compatible with EU law? Or is "Schrems III" looming? Even if users of Microsoft Azure and Amazon Web Services were more protected by the new clauses: There is no such thing as 100 percent certainty. European cloud environments, on the other hand, offer certainty. Because without transfers to third countries, there is no need for additional provisions. For companies and municipal, federal, and state institutions this means: data sovereignty based on European solutions is the most effective means of long-term security for all cloud applications. Against operational failures, unauthorized access by authorities, and data leaks that can endanger the reputation and personal data of customers and citizens, but also research results. True to the motto: If you don't export, you won't be affected by surprising changes and stricter requirements.