A new agreement which could allow data to flow safely between the European Union and the United States has been welcomed by cloud computing providers. But legal details of the Trans-Atlantic Data Privacy Framework have yet to be ironed out, and it may not bring about big changes for businesses deploying workloads on the major US cloud platforms.
The new EU-US data transfer framework was announced on Friday after talks between the EU and the US government that culminated during US President Joe Biden’s visit to Brussels. Announcing the agreement, Biden said it would “once again authorise transatlantic data flows that help facilitate $7.1trn in economic relationships”.
The legality of data transfers between Europe and America has been in limbo for almost two years after court action saw a previous agreement invalidated.
Earlier today Google Cloud, one of the big three public cloud providers, voiced its support for the new plan. “People want to be able to use digital services from anywhere in the world and know that their privacy is respected, and their information safe and protected,” Marc Crandall, director and global head of privacy at Google Cloud, said. “This agreement acknowledges that reality: it commits the parties to a high standard of data protection while establishing a reliable and durable foundation for the future of internet services on both sides of the Atlantic.”
Google’s statement today follows a similar one issued last week by Microsoft in the wake of the agreement. “Microsoft applauds the European Commission and the US government for achieving this important milestone,” the company’s corporate vice president for global privacy and regulatory affairs and chief privacy officer, Julie Brill, said.
But legal experts who spoke to Tech Monitor are less convinced that the Trans-Atlantic Data Privacy Framework will solve cloud computing’s data transfer problems.
Why does the EU-US data transfer framework need updating?
Two previous versions of the data transfer agreement, known as Safe Harbour and Privacy Shield, have been invalidated by the European Court. The most recent decision, in 2020, followed a case brought by privacy campaigner Max Schrems. The ruling in the Schrems II case declared the Privacy Shield was not compatible with Europe’s General Data Protection Regulation (GDPR). This is because US law allows its government to requisition client data from companies on national security grounds, something which is prohibited under GDPR.
Since the ruling, transatlantic data transfers have continued using standard contractual clauses (SCCs), another legal mechanism that wasn’t invalidated by the Schrems II judgement, but these apply more stringent controls on how information is processed. These were updated by the EU last year, and have since been mimicked by the UK. Though SCCs have been widely used for almost two years, the legitimacy of this method has yet to be tested in court.
The new framework will seek to put more stringent controls on how data can be collected for national security purposes, as well as compelling US law enforcement agencies to “adopt procedures to ensure effective oversight of new privacy and civil liberties standards”.
A new method for EU citizens to take action if their data is misused will also be put in place through an independent Data Protection Review Court that “would consist of individuals chosen from outside the US Government who would have full authority to adjudicate claims and direct remedial measures as needed”. This was a major bone of contention in the Schrems II case.
Is the Trans-Atlantic Data Privacy Framework compatible with GDPR?
Legal details of the new agreement have yet to emerge, but Schrems, who successfully challenged both previous EU-US agreements, has already voiced his concern about it, writing on Twitter that it is too similar to the approach that has “failed twice before”. He said: “What we hear is another ‘patchwork’ approach but no substantial reform on the US side. Let’s wait for a text, but my first bet is it will fail again”.
Seems we do another #PrivacyShield especially in one respect: Politics over law and fundamental rights.
— Max Schrems 🇪🇺 (@maxschrems) March 25, 2022
This failed twice before. What we hear is another “patchwork” approach but no substantial reform on the US side. Let’s wait for a text, but my first bet is it will fail again. https://t.co/y6RFUyB8eG
Jagvinder Singh, international and UK head of IT at law firm Mills & Reeve, says some of the high-level aspects of the new framework, such as that “the US will strengthen privacy and civil liberties, also confirmation that appropriate oversight will be put in place,” will reassure businesses transferring data to the US. But once full details of the agreement are published he expects further court challenges to follow.
“It would be surprising if Schrems didn’t have another go, he’s probably looking for his hat-trick,” Singh says. “The courts highlighted several issues [in Schrems II] and there will be aspects that haven’t been addressed by this new framework and operations which still happen in a way that don’t provide the necessary assurances.”
The new independent regulator for settling disputes may be of little help for regular EU citizens wanting to bring a complaint, says Frank Jennings, a partner at Wallace law firm who specialises in cloud computing, because it is based in the US and bringing action there is likely to be impractical. “If you’re somebody like Max Schrems this might be an acceptable compromise,” he says.
What does the Trans-Atlantic Data Privacy Framework mean for cloud computing?
European businesses largely rely on the US hyperscale providers – Amazon’s AWS, Microsoft Azure and Google Cloud – for their cloud deployments.
Businesses in the EU and UK can expect few changes in the short term, Jennings says, as the process of agreeing the legal text to underpin the agreement is likely to be lengthy. The big cloud companies have already adapted their operating models since the Schrems II judgement, with Microsoft stating it will ringfence all European data on the continent by the end of 2022.
And with SCCs still in place, Jennings questions whether the new framework will affect how cloud providers operate. "It's been nearly two years [since Schrems II] and it will be probably longer than that before this actually gets implemented," he says. "By that time you have to question whether there's a huge benefit to this for Google, Microsoft and Amazon?"
He explains: "They've all adopted these SCCs anyway to keep their businesses going, so I don't see them changing unless there are benefits from a legal or risk point of view to abandoning them. That might be because the new regime is slightly lighter on [the cloud providers], but in that case, you would have to ask what the point [of the data transfer framework] is?"
Singh adds the agreement will not solve all the problems the Schrems II judgement causes for the cloud hyperscalers, because their global nature means similar issues will crop up in other territories. "Schrems II applies to all international data transfers where there isn't a data adequacy agreement [in place with the EU]," he says. "The cloud providers will still have to contemplate how this works in other jurisdictions. All the focus is on the US at the moment, but the same kind of safeguards need to apply with any country. I don’t think the headache for the cloud service providers that Schrems II has caused is going to go away."