Data appears to be omnipresent in our everyday lives; available wherever and whenever we need it. However, even though it may appear that data can exist on an ethereal “cloud,” its actual physical location presents a unique set of privacy and data protection issues. The location of cloud ecosystem hardware and the hardware supporting individual cloud services are not always obvious, so it’s often difficult to tell where data on the cloud is being transferred to or who has access to that data.
On 16 July 2020, the Court of Justice of the European Union invalidated the “EU-US Privacy Shield,” in the Schrems II decision. The Privacy Shield was a legal mechanism relied on by many organizations who transfer data from the European Economic Area (EEA) to the US – including US cloud services. Since Schrems II, global cloud services have come under increased scrutiny by European data protection authorities (DPAs), over transfers to the US and whether the cloud providers provide adequate protections required under the General Data Protection Regulation (GDPR).
Which key issues are DPAs addressing?
In the first half of 2022, DPAs in Austria, France and Italy have issued decisions finding it a violation of GDPR if a cloud provider requires transfer of personal data, such as IP addresses, from the EEA to the US as part of the provided services without adequate measures to protect the personal data, or an option for users to opt out of this transfer.
The DPA findings specifically result from the Court’s ruling in Schrems II in which the Court found that US national security laws allow for far-reaching possibilities of surveillance, allowing the US government access to and use of personal data imported from the EU into the US. The Court further found that inadequate controls protect EU data subjects, who may become the target of national security investigations.
Following Schrems II, 101 complaints were filed in the EU based on EU-US data transfers. The three aforementioned DPAs are among the first to issue rulings and reports about the usage of cloud services, but it may be a matter of time before more EU DPAs start addressing these issues.
Scrutiny in cloud services has also been tightening in the public sector. In February of this year, the European Data Protection Board launched a coordinated enforcement action with 22 DPAs across the EEA to investigate the use of cloud-based services by the public sector.
Any company using software run on US-controlled servers to process EU personal data should be aware of these trends and be aware that they could also be subject to similar rulings in the future.
Are your cloud provider relationships in violation of GDPR?
How can you ensure that your cloud service providers are GDPR compliant? It’s a good start just by asking this question.
Under GDPR, data controllers have the responsibility to ensure that their third-party cloud relationships provide an adequate level of protection. Some key questions can help an organization assess this compliance.
- Does GDPR apply to the personal data of my customers?
- Is personal data transferred, stored, and processed outside the EEA? Where?
- Why is personal data being transferred?
- What personal data is being transferred?
- Is it possible to avoid the transfer, storage and processing of personal data?
- If data must be transferred, how do safeguards protect personal data transferred?
- Is data encrypted? If so, is it ensured that the cloud provider has no access to decryption keys?
What can you do to ensure your cloud relationships comply with GDPR?
An easy solution is to choose a cloud provider located in the EEA who does not transfer data outside of the EEA. Since many global organizations use cloud services foreign to the EEA, this is not always possible.
The French DPA, CNIL, published a guide on proxification, a technique to obscure the IP address of a website visitor before it can be accessed by a cloud service. However, critics say proxification is a complex and potentially costly solution.
Another safeguard is to anonymize personal data at the point it is generated so that only anonymized data is transferred, preventing data subject’s activity from being tracked. In many cases, anonymized data still provide the necessary business insights without the risk of GDPR violation.
Further safeguards include functional encryption (FE) and differential privacy. FE generates restricted private keys that allow a key holder only access to specific functions of the encrypted data but no other information. Whereas differential privacy is a mathematical technique of adding a controlled amount of randomness to a dataset to prevent disclosure of information about individuals in the dataset. Because the added randomness is controlled, the resulting dataset is still accurate enough to generate aggregate insights while maintaining the privacy of individual participants.
Organizations should assess their cloud provider relationships in detail to determine which additional safeguards could be appropriate to ensure proper GDPR protections are in place.
Outlook
At the same time as Austria, France and Italy were issuing rulings since the Schrems II decision, the European Commission and US proposed, on 25 March 2022, a Trans-Atlantic Data Privacy Framework to replace the EU-US Privacy Shield. Under the Framework, the US would implement new safeguards to ensure the privacy of EU personal data. The timing of the finalized framework is still unknown.
Data sovereignty and protection will gain even further importance given the need for more control on EU-US and global data transfers. The European initiative GAIA-Xis intended to provide a unified ecosystem of cloud services and data centers governed by EU data laws – a collaboration between the European Commission, 27 EU members states, and over 100 companies. All major US cloud providers have been working on establishing EU sovereign clouds in accordance with GAIA-X.
Until the Trans-Atlantic Data Privacy Framework is finalized or EU sovereign clouds become a reality, organizations should continue to diligently monitor and risk assess all EU-US data transfers.
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Member firms of the global EY organization cannot accept responsibility for loss to any person relying on this article.