Cloud infrastructure: Why only European providers can offer adequate data sovereignty and data protection


Customer and other confidential company data is one of the most valuable assets in the digitalized economy. To protect this asset adequately in the cloud, there is currently only one secure strategy: to work with a European owned cloud infrastructure partner.

It is no coincidence that the term “data sovereignty” has become increasingly important in corporate IT infrastructure decisions in recent years, especially for European companies.

What is Data Sovereignty?

Data sovereignty describes the greatest possible control over one’s own as well as customer data. It refers to a company’s ability to preserve and protect the privacy of data entrusted to it (this, in Europe, is governed by GDPR), as well as the freedom to decide freely at any time about the storage, processing, access and use of such data. 

In this article we will look into why only cloud IT partners with European ownership can ensure full compliance with the European Union’s data privacy governance as regulated by GDPR, and provide the level of trust and legal certainty needed to reassure business partners that they have minimised their risk and that their data will be (a) protected adequately and (b) handled in compliance with applicable laws.

The implications for European companies of relying on US cloud providers 

It is a common misconception that if a European company hosts its data in a European data centre, as part of a service operated by a USA-headquartered cloud provider, the data is safe. A 2018 USA law called the Cloud Act allows US government agencies to access data held by or entrusted to an American legal entity such as a cloud provider, no matter where in the world it is physically stored. The European Court of Justice (CJEU), in its ruling on the so-called «Schrems II» case, invalidated the EU-US «Privacy Shield», which used to provide a legal framework for European companies to host and have their data processed by US providers. The European Court’s ruling clearly established that the level of data protection provided in the USA does not comply with the data protection requirements of the European Union. While the ruling provides for exceptions to the processing of data in the USA (or any other third country), they always stipulate protections adequate to and equivalent with those of the EU.

As a result, European companies entrusting their data to American cloud providers, even if hosted in European data centres, will not generally meet the European Union’s data compliance requirements embodied in the General Data Protection Regulation (GDPR), which is the applicable law in all 27 countries of the EU and a de facto standard in many more. For European companies that already process or store data in US-owned clouds, this means additional legal risks, arising out of the inability to guarantee their customers compliance in the handling of their data as required by the European GDPR, because the exceptions require EU companies to ensure European levels of data protection.

What does all this mean in practice?

For potential cloud users, the benchmark for making a determination as to what is acceptable under EU law is the judgement of the European Court of Justice in the “Schrems II” case, which makes clear that the rights of US authorities to access data of European customers in European data centres, without the right of legal redress for non-USA customers, does not meet the standards of European data protection. In response to this judgement, Switzerland’s Federal Data Protection and Information Commissioner (FDPIC) has issued the following guidance: «FDPIC considers CH-US Privacy Shield does not provide adequate level of data protection», which shows the knock-on effect of the CJEU ruling. 

Various recipes are in circulation to assuage the concerns of European customers using cloud services provided by USA-based cloud service providers. Some, like Microsoft, are trying to address the issue by making changes to their terms of use, in the form of provisions for financial compensation in case of unwanted and unauthorized data access by US authorities. The data protection commissioner of the German state of Baden-Württemberg has already stated that this is not enough, because «an addition to the standard contractual clauses cannot prevent access by the U.S. intelligence services to the data, which is precisely what the European Court of Justice is objecting to as disproportionate.» (source).

US cloud providers like Microsoft also want to inform their customers when an incident involving a data leak takes place. The Cloud Act, however, gives US authorities the right to serve a so-called “gag order” on the cloud provider when requesting the data. It is not clear how a US cloud provider can inform a European customer of such an incident, without violating such a gag order. How credible is it to expect a US corporation to take the risk of knowingly violating US law in a sensitive area?

Most importantly, it is not clear how any of the proposed recipes help once a customer’s sensitive intellectual property, manufacturing processes, supplier and client data have been compromised. How can any measure prevent the reputational damage a customer suffers from a data leak incident?

How can European cloud customers eliminate risk and ensure they are compliant with European data protection laws?

The best way for European customers to avoid the risks outlined is to use a European cloud solution, where the cloud partner (i.e. provider) is European owned AND the data centres in which their data is stored and processed are in the EU or in equivalent countries like Switzerland, which the EU has confirmed meets its standards. Note that Switzerland is among 12 countries considered by the EU to have adequate data protection.

There are many European cloud providers who meet these requirements: City Cloud from Sweden, OVH based in Roubaix, France, the Open Telekom Cloud of T-Systems, the Italian Aruba Cloud, UpCloud from Finland and, of course, Safe Swiss Cloud. These European providers not only offer innovative services and know-how, but also carry in their DNA what European companies urgently need: data protection and data sovereignty.

European, secure, compliant.

How Safe Swiss Cloud ensures data security and data sovereignty for its customers.
Sources:

  1. FDPIC considers CH-US Privacy Shield does not provide adequate level of data protection: https://www.edoeb.admin.ch/edoeb/en/home/latest-news/media/medienmitteilungen.msg-id-80318.html
  2. EU: Adequacy decisions: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
  3. Summary of the CJEU judgment in the Schrems II case: https://www.europarl.europa.eu/RegData/etudes/ATAG/2020/652073/EPRS_ATA(2020)652073_EN.pdf
  4. European Data Protection Board (EDPB): Frequently Asked Questions on the judgment of the Court of Justice of the European Union in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems: https://edpb.europa.eu/sites/edpb/files/files/file1/20200724_edpb_faqoncjeuc31118_en.pdf
  5. #DSGVOwirkt: Microsoft adapts to European data protection (German): https://www.baden-wuerttemberg.datenschutz.de/dsgvowirkt/
  6. EU: GDPR: Rules for business and organisations: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations_en

About the Author

Prodosh Banerjee

CEO | Chief Executive Officer

Prodosh has worked in software development and IT operations for companies like UBS, SWX Swiss Stock Exchange (now SIX), Grapha Informatik, IBM Software Laboratories and Telekurs (now SIX) in various roles: executive, project manager, programmer, operations manager.

His education includes a Master of Systems/Computer Science (M.S.) degree as well as a Bachelor of Science (B.Sc.) in Physics. 

His focus has been on innovation in IT to expand its scope from serving internal enterprise needs to include more digital interactions with customers and suppliers. His mission is to deliver the advantages of information technology and digitalisation to customers in an easily usable way, quickly and reliably.

Other interests: jazz and the arts