The fallout from last year’s Schrems II decision continues as the European Data Protection Supervisor (EDPS), the independent authority that supervises data processing by the EU’s own institutions and bodies, is now examining cloud storage services to ensure that their handling of citizen data is General Data Protection Regulation (GDPR)-compliant. The investigation is scrutinizing major cloud services that are widely used by EU agencies, such as Amazon Web Services (AWS) and Microsoft Azure, to determine whether the stored personal data of EU citizens could be accessed by the US government.
Keeping cloud data storage GDPR-compliant
EDPS is reviewing how public bodies throughout the EU are using various cloud services to store and handle citizens’ personal data. The wide-ranging investigation appears to have been sparked by a July 2020 investigation into the use of Microsoft services specifically, which concluded that the contracts various agencies had signed contained terms that were not GDPR-compliant. That investigation found that the software licensing agreements allowed Microsoft to act as a data controller rather than a mere processor, and that the agreements lacked sufficient auditing processes. The report also raised concerns that the agencies could not control which vendors and subcontractors Microsoft might allow access to, and could not determine exactly where in the world some data was being stored.
While the new investigation focuses on similar cloud services, including use of Microsoft Azure, a separate investigation will also look into whether Microsoft Office 365 products are fully GDPR-compliant in light of the Schrems decision. The ruling invalidated the EU-US Privacy Shield, which had treated the US as a trusted data partner, forcing EU organizations to proceed as if citizen data might be intercepted by the US government when sent to or stored across the Atlantic. The issue is complicated, when dealing with US-based companies that have a physical presence in the EU, by the Clarifying Lawful Overseas Use of Data (CLOUD) Act, which lets US authorities compel a US provider to hand over data in its possession regardless of where the servers holding it are located. The only way to be absolutely certain of remaining GDPR-compliant in this situation is for US companies to turn over processing of EU citizen data to a provider based in the EU that is beyond US legal authority.
It is still possible for US companies to receive EU citizen data, but the transfer must rest on Commission-approved Standard Contractual Clauses (SCCs) under which the US importer contractually commits to GDPR-level data protection. Since Schrems II, signing the clauses is no longer enough on its own: the EU exporter must also assess whether US surveillance law undermines those contractual commitments in practice and, where it does, add supplementary measures before transferring the data. European Data Protection Supervisor Wojciech Wiewiórowski said that “certain types” of SCCs require “particular attention” and were a central motivator for the two new investigations.
One of these is the “Cloud II” contract format that many EU agencies signed with Microsoft and Amazon in early 2020, just prior to the Schrems II decision (which many observers expected to go in the opposite direction). After Schrems II was handed down, both tech giants pledged to make the changes necessary to render their end of the agreements GDPR-compliant under the new international data transfer rules. In previous interviews Wiewiórowski has said that the Cloud II contracts may still not be sufficient to ensure full compliance.
Microsoft and Amazon have both issued public statements indicating that they believe their cloud services not only meet but exceed the GDPR-compliant standards established by Schrems II. Both companies also signalled that they intend to cooperate with the investigation.
EU organizations cannot disregard GDPR terms when selecting cloud services
The EDPS has stated that it wants EU government institutions to lead by example when selecting and negotiating contracts with cloud services. The requirements established by Schrems II are technically enforceable now, though regulatory bodies have not yet made any major moves to shut down data transfers.
There are few options to readily resolve the uncomfortable Schrems situation. The simplest outcome, though highly unlikely to happen anytime soon, would be for the US government to pass a federal data privacy law that reaches parity with the EU’s GDPR guarantees for citizens. The US might then regain “trusted partner” status through a new adequacy decision. In the interim, if legally sufficient SCCs are not hammered out, that leaves the costly and logistically troublesome option of keeping all storage and processing of EU citizen data with cloud services whose servers are located exclusively in the EU.
In late May, EU data protection authorities approved the “EU Cloud Code of Conduct” to certify GDPR-compliant services. This measure has been in development since 2017, however, and in its present form does not necessarily guarantee compliance with the Schrems requirements. It nevertheless serves as a potential framework going forward, and both Microsoft and Google have already pledged that their cloud services will adhere to its terms. EU leaders are also working on a cloud data infrastructure called GAIA-X that could address the issue, but it is still in the development stage and is struggling to gain support across the bloc.