After last week’s ruling from the European Court of Justice striking down the Privacy Shield data transfer agreement between the EU and the US, Berlin’s chief data protection officer Maja Smoltczyk now urges (text in German) organizations to repatriate personal data currently stored with US cloud providers.
The court had found that US government agencies have simply too much access to data about European citizens stored with US tech companies, violating the Charter of Fundamental Rights of the European Union and the extensive data privacy rights enshrined in the GDPR.
While standard contractual clauses remain valid as a legal means to transfer personal data to processors established in third countries, the court makes this practice conditional on those third countries guaranteeing a right to data privacy comparable to that in Europe.
In essence, organizations from now on have to process user data in European clouds or those of demonstrably similar data privacy. They also have to avoid data centers on European soil run by US providers, because access for US government agencies cannot be ruled out.
Organizations can make sure they comply not only with the letter but also with the spirit of the law by storing user data encrypted, with robust access control and auditing, whether on-premises or in a private cloud in Europe. ownCloud is proud to enable digital sovereignty with its secure, efficient and open-source file access platform.
Our action plan for those affected:
1. What the court said
The European Court of Justice invalidated Privacy Shield, the agreement about data transfers between the EU and the US, because the US government infringes on the data protection rights of European citizens. Until the US has a data privacy law on the books that is comparable with GDPR and has drastically curbed the snooping powers of its agencies, user data cannot be transferred there.
2. What that means
Organizations can no longer use US clouds to process the personal data of European citizens. That includes Microsoft365 as well as Google Drive and other cloud offerings from US providers. They can, however, still use on-premises integrations like Microsoft OOS and SharePoint, for which support ends in 2025 and 2026 respectively.
3. What to do
Some organizations are now stranded with an unlawful setup and need to devise a sovereign stack strategy. Some products have natural replacements: with Microsoft365 out of bounds, its browser-based on-premises cousin, Microsoft Office Online Server, can still be used lawfully. Also, there are options beyond the US tech behemoths to choose from. The European tech ecosystem has grown nicely. By leveraging best-of-breed open-source software hosted on-premises or in private clouds, organizations gain added security and efficiency.
4. What we provide
ownCloud offers a suite of integrations to build a fully functional sovereign workspace. To let small and medium organizations start today and collaboratively edit documents tomorrow, we offer ownCloud.online, our ownCloud as a Service, fully compliant with GDPR. For your larger projects, please contact us.