What the Transatlantic Data Privacy Framework Means for Cloud Computing
A new agreement that could allow data to flow securely between the European Union and the United States has been welcomed by cloud computing providers. But the legal details of the transatlantic data privacy framework have yet to be ironed out, and it may not mean big changes for companies deploying workloads on major US cloud platforms.
The new EU-US data transfer framework was announced on Friday after talks between the EU and the US government culminated in US President Joe Biden’s visit to Brussels. Announcing the deal, Biden said he would “re-authorize transatlantic data flows that help facilitate $7.1 billion in economic relationships.”
The legality of data transfers between Europe and America has been in limbo for nearly two years after a lawsuit invalidated a previous agreement.
Earlier today, Google Cloud, one of the big three public cloud providers, expressed support for the new plan. “People want to be able to use digital services from anywhere in the world and know that their privacy is respected and their information is safe and protected,” said Marc Crandall, Director and Global Head of Privacy at Google Cloud. “This agreement recognizes this reality: it commits the parties to a high level of data protection while establishing a reliable and sustainable foundation for the future of Internet services on both sides of the Atlantic.”
Google’s statement today follows a similar statement released last week by Microsoft following the deal. “Microsoft applauds the European Commission and the US government for taking this important step,” said Julie Brill, the company’s vice president of privacy and global regulatory affairs and chief privacy officer.
But the legal experts who spoke to Technical monitor are less convinced that the Trans-Atlantic Data Privacy Framework will solve the data transfer problems of cloud computing.
Why does the EU-US Data Transfer Framework need to be updated?
Two previous versions of the data transfer agreement, known as Safe Harbor and Privacy Shield, were invalidated by the European Court. The most recent decision, in 2020, followed a case brought by privacy activist Max Schrems. The decision in the Schrems II case declared that the Privacy Shield was not compatible with the European General Data Protection Regulation (GDPR). This is because US law authorizes its government to requisition customer data from companies for national security reasons, which is prohibited by the GDPR.
Since the ruling, transatlantic data transfers have continued to use standard contractual clauses (SCCs), another legal mechanism that was not invalidated by the Schrems II ruling, but which applies stricter controls on how information is processed. These were updated by the EU last year and have since been emulated by the UK. Although it has been widely used for almost two years, the legitimacy of this method has not yet been tested in court.
The new framework will seek to put in place stricter controls over how data can be collected for national security purposes, as well as requiring US law enforcement to “adopt procedures to provide effective oversight of new standards of privacy and civil liberties”.
A new method for EU citizens to take action if their data is misused will also be introduced through an independent Data Protection Review Tribunal which “would be made up of chosen individuals outside the U.S. government who would have full authority to adjudicate claims and direct the necessary remedial measures”. This was a major bone of contention in the Schrems II case.
Is the Trans-Atlantic Data Privacy Framework compatible with the GDPR?
The legal details of the new deal have yet to emerge, but Schrems, who has successfully challenged the two previous EU-US deals, has already expressed concern about it, writing on Twitter that it is too similar to the approach that “failed twice before”. He said: “What we’re hearing is another ‘patchy’ approach, but not substantial reform from the US side. Let’s wait for a text, but my first bet is that it will fail again”.
Looks like we’re doing another #PrivacyShield, in particular on one point: the policy of law and fundamental rights.
It has failed twice before. What we hear is another “patchy” approach, but no substantive reform from the US side. Let’s wait for a text message, but my first bet is that it will fail again. https://t.co/y6RFUyB8eG
— Max Schrems 🇪🇺 (@maxschrems) March 25, 2022
Jagvinder Singh, international and UK IT manager at law firm Mills & Reeve, says some of the high-level aspects of the new framework, such as “the United States will strengthen privacy and civil liberties, also confirming that proper oversight will be put in place”, will reassure companies transferring data to the United States. But once full details of the deal are released, he expects more legal challenges to follow.
“It would be surprising if Schrems didn’t have another try, he’s probably looking for his hat trick,” Singh said. “The courts have highlighted several problems [in Schrems II] and there will be aspects that have not been addressed by this new framework and operations that are still taking place in a way that does not provide the necessary assurances.”
According to Frank Jennings, a partner at cloud computing law firm Wallace, the new independent dispute regulator may not help ordinary EU citizens who want to file complaints because it is based in the United States, and taking action there is likely to be impractical. “If you’re someone like Max Schrems, that might be an acceptable compromise,” he says.
What does the Trans-Atlantic Data Privacy Framework mean for cloud computing?
European companies rely heavily on US hyperscale providers – Amazon’s AWS, Microsoft Azure and Google Cloud – for their cloud deployments.
Businesses in the EU and UK can expect little change in the short term, says Jennings, as the process of approving the legal text that underpins the deal is likely to be lengthy. Big cloud companies have already adapted their operating models since the Schrems II ruling, with Microsoft saying it will keep all European data on the continent by the end of 2022.
And with SCCs still in place, Jennings wonders if the new framework will affect how cloud providers operate. “It’s been almost two years [since Schrems II] and it will probably take longer than that before it’s actually implemented,” he says. “At that point, you have to wonder, is there a huge upside to this for Google, Microsoft, and Amazon?”
He explains: “They all adopted these SCCs anyway to maintain their businesses, so I don’t see them changing unless there are legal or risk benefits to abandoning them. It is perhaps because the new regime is a little clearer on [the cloud providers], but in this case, one would have to ask, what is [the data transfer framework] for?”
Singh adds that the deal won’t solve all the problems the Schrems II judgment is causing for cloud hyperscalers, because their global nature means similar issues will arise in other jurisdictions. “Schrems II applies to all international data transfers where there is no data adequacy agreement [in place with the EU],” he says. “Cloud providers will still have to think about how it works in other jurisdictions. All the focus is on the United States right now, but the same kind of safeguards should apply to any country. I don’t think the headache for cloud service providers that Schrems II has caused will go away.”