European probes into whether Amazon and Microsoft’s cloud-based services infringe the single market’s tough privacy rules have once again shone a spotlight on how—and when—the United States and the European Union intend to come up with a practical solution to ensure trans-Atlantic data transfers are fully compliant and safe.
The European Data Protection Supervisor (EDPS), which is in charge of overseeing compliance with the General Data Protection Regulation (GDPR) in EU institutions, on May 27 opened two investigations into the tech giants over concerns EU data that is meant to be protected could still be accessed through cloud services by U.S. authorities under national surveillance laws, despite contractual terms agreed with the European Commission.
The probes are likely to raise deeper questions about Europe’s reliance on non-EU-based cloud service providers and what actions data protection authorities (DPAs) might have to take to protect citizens’ data. Currently, U.S. tech firms Amazon, Google, and Microsoft overwhelmingly dominate the data storage market worldwide.
European concerns over cloud services are also likely to give renewed impetus to efforts by both the United States and the European Union to set up a mechanism to replace the Privacy Shield, which was torpedoed by privacy campaigner Max Schrems in July 2020.
The “Schrems II” case threw data transfers to all third countries into disarray. Although the European Data Protection Board (EDPB), which oversees how DPAs enforce the GDPR, issued revised standard contractual clauses (SCCs) and guidance on the appropriate approach to the risks related to the transfers in November 2020, companies—and regulators—have wanted clarity and legal certainty regarding data transfers ever since.
EDPS Wojciech Wiewiórowski says “there is pressure to have something to replace the Privacy Shield sooner rather than later.” But he adds, “Any alternative has to work. If we don’t do it right, we risk having a ‘Privacy Shield Mk. 2’ and a ‘Schrems III’ decision, which is no good for anyone.”
Bjørn Erik Thon, director-general of the Norwegian Data Protection Authority, hopes any EU-U.S. plan to create a workable and lasting alternative to replace the Privacy Shield will “happen soon.”
“As it is today, it is not sustainable to business,” says Thon. “Furthermore, it has put us as regulators in a deadlock, which in the long run can undermine our authority. We cannot give any clear advice, and launching investigations against the thousands of companies that are not compliant is not the right way to use our resources, to put it mildly.”
Lawyers say companies “badly” want a safe transfer mechanism.
According to Nicola Howell, managing attorney, legal at business analytics firm Dun & Bradstreet, the lack of certainty has prompted companies to bank on using SCCs for the foreseeable future, with some intimating they might stay with the clauses even if an updated Privacy Shield is accepted. The EDPB is due to present updated SCCs later this month.
“The only way forward is if the U.S. tightens up its security laws to appease European legislators,” says Howell. “Europe is not going to change its views on data protection anytime soon.”
Jane Sarginson, barrister at law firm St Philips Chambers, says “as far as the United States is concerned, Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333 remain in force. For as long as they do, negotiations will remain difficult.”
There is a danger the European Union might lose momentum—and perhaps political face—if it does not conclude an agreement before others do.
Mebs Dossa, partner at law firm McGuireWoods, says the United Kingdom has indicated it is keen to take a new approach to international data transfers now that it is outside the European Union, and the United States would be an obvious target.
“It seems likely the U.K. will start making its own adequacy decisions and devising its own data transfer mechanisms before the end of this year,” he says.