Since the European Court of Justice overturned the « Privacy Shield » agreement, it is official: The use of US cloud services is not compatible with European data protection law. This is a problem that persists even if the data centers in question are located on European soil, because of the US Cloud Act.
Grace period after Privacy Shield is over
For companies and public administrations, the grace period after the ECJ’s ruling in July 2020 seems to have expired. The German Data Protection Conference has formed a task force that is currently developing several questionnaires for organizations, to determine whether they violate EU law by using US cloud services, which carries the threat of severe fines.
Some US cloud operators now claim that their offerings are data protection-compliant due to contract adjustments. Organizations cannot and should not simply trust these marketing-driven claims. Instead, they should rethink their cloud strategies. Here are some recommendations for companies and public administrations:
- obtain clear information about all data flows and all locations where data is processed and stored, including providers’ subcontractors
- find out if your cloud service providers guarantee a level of data protection equivalent to EU regulation – and if there is an adequacy decision from the EU for their home country and all data center locations involved
- check if those guarantees can really be met in practice
- if this is not possible – as will be the case for US-based cloud services due to the Cloud Act – examine what additional steps can be taken to protect data, such as encryption, anonymization and pseudonymization of personal data
- if a US cloud service cannot be used in compliance with European data protection requirements, or the effort would be disproportionate, check whether there is a suitable alternative in Europe or in another country with an adequacy decision
- examine if sensitive data could be stored in a private cloud instead for more security and efficiency
« The time to hesitate is through. Organizations need to think about alternatives to public clouds run by US providers for storing and processing user data, » says Tobias Gerlinger, CEO of ownCloud. « They can for example supplement or completely replace Microsoft OneDrive with secure private cloud data. That brings free choice of data center, helps reduce vendor lock-in and also lowers costs in the longer term. »
ownCloud CEO Tobias Gerlinger