Can personal data be stored in the cloud? The new legal framework on data protection between the EU and the USA

2. 12. 2022

In early October, US president Joe Biden signed an executive order to facilitate the transfer of personal data between the EU and the USA. This is the first step aimed at restoring cooperation in this area after the original mechanisms were abolished by decisions of the European Court of Justice (the “ECJ”). How will this change affect the operations of European companies doing business with their counterparts in the USA?

The original “Safe Harbour” data transfer regime and its successor “Privacy Shield”, both approved by the European Commission, were successively declared invalid by ECJ rulings. In the “Schrems I” and “Schrems II” cases a Facebook user objected to the unauthorised sending of personal data to servers in the United States. The ECJ ruled in his favour, pointing out in particular the lack of data security, which does not reach the standards provided by EU regulations, such as the GDPR and the EU Charter of Fundamental Rights. The access that US intelligence services have to this information was considered problematic.

These shortcomings ultimately resulted in additional obligations for EU companies working with US companies. But the issue also affects those using cloud providers such as Microsoft or Google to store their customers’ data.

At this point, it should be mentioned that in order for data to be transferred outside the EU, the third country in question must be designated safe by the European Commission. Following the aforementioned ECJ rulings, this does not apply to the USA.

Currently, if European citizens’ personal data needs to be provided to an American company, a written contract is required. The Standard Contractual Clauses (“SCCs”) issued by the European Commission, which provide a model contract for data controllers and recipients in a third country, can be used in their current wording.

In the “Schrems II” decision the ECJ imposed additional obligations on companies: if the target country – for example the USA – operates surveillance programmes that are questionable from a rule of law perspective, model clauses alone are not sufficient.

EU data providers must adopt additional measures to protect personal data. For example, that could mean effective data encryption. Such encryption is incompatible with many cloud applications. In order to process data in cloud software the data must be decrypted, which in turn exposes it to technical access by the NSA and other intelligence services.

The executive order approved by the American president is therefore a response to the problems outlined above and a number of elements contained in it are identical to the legal principles in the GDPR. It is now up to the EU Commission to examine whether the American standard is sufficient.

Until that time, EU data controllers and processors should not use the cloud services of American companies without further consideration, otherwise they run the risk of heavy fines imposed by data protection supervisory authorities. Even if the USA is designated a safe country under the GDPR by the EU Commission, another decision by the ECJ, which again takes an opposite view to the Commission, can be expected sooner or later. So, maybe we can expect a Schrems III.

© Schaffer & Partner 2024