As is widely known, cloud computing is the use of a network of remote servers hosted on the internet to store information.
An organisation which commissions and prescribes the manner and purposes for which a cloud provider will process personal data, will constitute the data controller and the provider a data processor. Therefore, the organisation must implement a “data protection by design and by default” approach, as per Article 25 of the General Data Protection Regulation (GDPR).
However, the Schrems II judgment has introduced further challenges for data controllers where cloud computing necessitates international transfers of personal data to cloud providers in ‘third countries’, such as the US. This article outlines some key considerations in responsibly procuring third-party cloud solutions where providers are based in the US or other third countries.
Transatlantic tensions
The EU-US Privacy Shield framework permitted transfers of personal data from the EU and UK to US organisations which agreed to higher standards of data protection than were required under standard US laws. On 16 July 2020, the Court of Justice of the European Union (CJEU) issued a landmark judgment in the case of Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (known as “Schrems II”). The CJEU invalidated the EU-US Privacy Shield for failing to protect personal data from unnecessary and disproportionate access by US intelligence agencies under Executive Order 12333 (EO 12333) and Section 702 of the Foreign Intelligence Surveillance Act (FISA).
The CJEU upheld Standard Contractual Clauses (SCCs) as a valid mechanism for transfers from the EU and UK to the US. However, SCCs are clearly no more effective than the EU-US Privacy Shield in preventing US intelligence agencies from accessing personal data if they so wish, and therefore this creates a clear and present danger that SCCs could be similarly invalidated on the same basis in the future.
For example, on 27 April 2021, the Portuguese supervisory authority, the Comissão Nacional de Proteção de Dados (CNPD), ordered the National Institute of Statistics (INE), which had contracted Californian company Cloudflare, to suspend the transfer of up to 6.5 million data subjects’ census data to the US. Ominously, the CNPD observed in respect of the Schrems judgment that: “The Court also considered that … data protection authorities are obliged to suspend or prohibit data transfers, even when based on contracts based on the model approved by the European Commission, as is the case with the clauses signed by the INE,… if there are no guarantees that they can be respected in the third country.” The CNPD notably highlighted that: “Cloudflare… are directly subject to US national security surveillance legislation, which imposes a legal obligation… to give US authorities unrestricted access to personal data…”
Only time will tell whether the CNPD’s appetite for enforcement is reciprocated by other supervisory authorities, such as the Irish Data Protection Commission or the UK Information Commissioner’s Office.
It is noteworthy that some cloud providers, such as Microsoft, have responded to the Schrems II judgment by making commitments to maintain cloud storage in the EU, so as to take international data transfer considerations under the GDPR out of scope. However, it is important to appreciate that such storage would still not prevent US surveillance: for example, Section 702 of FISA authorises the acquisition of foreign intelligence information about non-US persons located outside the US from US internet service providers (such as Google). Therefore, US cloud providers’ ‘solution’ of EU and UK storage would remain susceptible to future legal challenge.
The difficulty for cloud customers is that compliance is a legal problem (in terms of differences between data protection legislation in the EU and UK as compared with the US) which likely requires a political solution (amendments to legislation on either side of the Atlantic to make them compatible). A number of US States are each formulating their own data protection bills with varying degrees of success, but there are no substantive developments on the horizon in respect of a federal US data protection law. It is also important to appreciate that the problem is not exclusive to data transfers to the US, but extends to all ‘third countries’ adjudged not to provide adequacy.
Cloud computing considerations
In light of data protection by design and by default and Schrems II, it is important that organisations establish:
- whether it is appropriate to move personal data, in part or in entirety, to the cloud and if so, whether those data can be pseudonymised;
- whether it is possible to use cloud providers which are self-contained within the European Economic Area (EEA) or countries with an EC adequacy decision;
- whether the cloud provider is accredited to an internationally recognised security standard such as ISO27001 and / or relevant codes of practice;
- whether it is possible to encrypt the data, both in transit between the organisation and the cloud provider and when ‘at rest’ in the cloud;
- whether the cloud provider can enable them to monitor who is accessing the data and publish reports as to the receipt of surveillance requests; and
- whether the cloud provider will delete all copies of the data within a timescale in line with their retention schedule and / or when they decide to withdraw from the cloud service.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience supporting organisations in respect of cloud computing compliance. We offer a range of data governance services, including vulnerability scanning and penetration testing, audit and assessment, and compliance support. For more information please feel free to contact our advisers, who would be more than happy to help.