Schrems II: An opportunity for the Sovereign Cloud
Invalidation of the Privacy Shield
Just like the Safe Harbor before it, the Privacy Shield — which allowed the transfer of data between the European Union and U.S. operators adhering to its data protection principles without further formality — was invalidated by the Court of Justice of the European Union (“CJEU”) in a judgment called “Schrems II” given on 16 July 2020 (1).
Recommendations were made by the European Data Protection Board (“EDPB”) on the process to be followed after this landmark judgment. The shockwave created by the invalidation of the Privacy Shield could well turn to the advantage of the sovereign cloud.
Strengthened obligations for data controllers
In the Schrems II judgment, the CJEU recalled that the appropriate safeguards provided for in Articles 46 et seq. of the GDPR do not make data transfers to third countries automatically compliant.
The data exporter must ensure, on a case-by-case basis, that the data importer itself meets the required requirements. This is known as the accountability principle.
Although practice had led to the belief that transfers would be almost automatically compliant if one of the mechanisms set out in Article 46 of the GDPR —such as standard contractual clauses (SCCs) and Binding Corporate Rules (BCRs) — is used, the EDPB dispelled this common misconception in a draft recommendation dated 10 November 2020 (2).
While standard contractual clauses remain a valid tool to regulate transfers to countries that do not benefit from an adequacy decision, this tool alone is not sufficient protection. For example, it is ineffective for transfers to countries that do not sufficiently regulate state interference, as in the case of the USA.
Additional safeguards must be put in place to supplement the SCCs. Such “supplementary measures” may be of various types (contractual, organisational or technical) and should be subject to effective controls, such as documentary or onsite audits; a requirement that already existed before the GDPR (3).
However, for the EDPB, these may not be enough to prevent access to personal data by public authorities in third countries. The simultaneous implementation of the three types of supplementary measures mentioned above seems therefore unavoidable.
In any case, there is no perfect one-size-fits-all solution. Clearly, the obligations imposed on data controllers have significantly increased. And these various obligations could well result in an increase use of the sovereign cloud.
More sovereign cloud offerings?
The invalidation of the Privacy Shield gave rise to considerable legal uncertainty. From now on, data exporting companies have to assess themselves the adequacy of the third country that does not benefit from an adequacy decision.
The shock wave was real; in the absence of sovereign clouds, many frightened companies sought to relocate and partition their strategic data as much as possible by using costly private clouds (4). This is a tremendous opportunity for sovereign cloud providers.
In France, a case in point is the Health Data Hub. The Health Data Hub is a platform designed to store health data at the national level and for which the government chose to partner with the American company Microsoft. In the wake of the Schrems II judgment, a decree was published in the Official Journal on 10 October 2020 to clarify that “no personal data may be transferred outside the European Union” (5) and Cédric O, Secretary of State for Digital Transition and Communications, indicated that the French government had decided to repatriate the Health Data Hub to “a European platform” (6).
What are the alternatives to GAFAMI?
With a timely deployment, Gaia-X could greatly benefit from the shock wave created by the Schrems II judgment (7).
Gaia-X is an attractive project on paper; but in practice it seems quite complicated to operate without non-European cloud leaders. Gaia-X does not actually close the door to GAFAMI provided that they meet the highest privacy standards. In fact, Microsoft (and its cloud offer, Azure Stack) and Palantir recently joined Gaia-X (8).
The time has truly come for a sovereign cloud, but its success will be based on building a real alternative to GAFAMI. The repatriation of the Health Data Hub to Europe in two years’ time will provide both the best response and the best illustration of this new trend.
(1) See “Schrems II case: Privacy Shield declared invalid by the CJEU”, lexing.network, 17 July 2020.
(2) EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, adopted on 10 November 2020 (version for public consultations).
(3) Conseil d’État, n° 385019, 30 December 2015
(4) Éric Le Quellenec, « L’émergence d’un cloud souverain européen », RLDI n° 173 August-September 2020.
(5) Order of 9 October 2020 amending the order of 10 July 2020 prescribing the general measures necessary to deal with the Covid-19 epidemic in the territories where the state of health emergency has ended and in those where it has been extended
(6) Official summary record of Parliamentary proceedings of 22 October 2020.
(7) See Éric Le Quellenec, “Gaia-X: European sovereign cloud guidelines unveiled”, eurocloud.org, 17 August 2020.
(8) “US and Chinese tech giants welcomed into ‘EU sovereign’ cloud project”, Euractiv, published on 15 October 2020.
Article provided by: Eric Le Quellenec (Lexing, France)
Dr. Tobias Höllwarth (Managing Director INPLP)