EU court: withdraw personal data of EU citizens from US cloud services immediately

Originally published at: https://nextcloud.com/blog/eu-court-withdraw-personal-data-of-eu-citizens-from-us-cloud-services-immediately/

Mid July, the European Court of Justice struck down the Privacy Shield agreement between the EU and the US. The court ruled US law incompatible with EU privacy regulations, as US government agencies have access to data of EU citizens managed or stored by US firms. This violates the Charter of Fundamental Rights of the European Union and the GDPR.

In essence, the ruling means that US companies cannot handle data in compliance with the GDPR. European data centers or Standard Contractual Clauses (SCCs) are no solution, as access to data already constitutes a data transfer and US law supersedes contract law. The only legal solution to regain compliance with EU law is to immediately stop data transfers to US businesses and repatriate data currently residing with them (source).

The European Court of Justice in session (image via Court of Justice of the European Union)

Summarizing the main points

The court’s decision

The European Court of Justice ruled that the US government infringes on the data protection rights of EU citizens and thus invalidated Privacy Shield, the agreement covering data transfers between the EU and the US. Either the US will have to change its laws (FISA and Executive Order 12333 in particular) and keep its security agencies and courts from snooping in data of EU citizens, or the EU will have to change its laws and reduce its legal security and privacy guarantees.

Consequences

As US firms can no longer comply with the GDPR, businesses in Europe have to immediately stop giving US businesses access to personal data of EU citizens. Cloud services like Google services, Dropbox or Microsoft 365 can no longer be used for personal data. On-premises solutions from US firms can still be used, as can purely EU hosted and managed cloud platforms.

What to do

To ensure compliance with EU privacy laws, European firms should stop data transfers to the US and thus move to on-premises or EU hosted alternatives. For example, Microsoft Office Online Server can still be used, as can alternatives like Collabora Online or ONLYOFFICE. For full online productivity, solutions like IONOS’ Nextcloud offering can easily guarantee GDPR compliance by combining Europe’s largest hosting provider with the world’s most deployed on-premises collaboration platform.

To learn more about the ruling, we recommend the FAQ of the European Data Protection Board.

what does this mean?

You must not use US clouds for sensitive data anymore; you may use EU hosted Nextcloud instead.

That last bolded sentence is utter BS, on par with Donald Trump coronavirus musings.
Nowhere in the linked document does it say anything remotely similar.

Jos is back to his traditional self…

Mind to elaborate?

Just read the linked article…

The SCCs were NOT declared illegal (although ECJ considered them)…
Microsoft even proudly claims to be doing just that for a while.

The language used in the Q&A section:
About SCCs

It was said before: Jos’ shock statements do more harm than good…

The simplest solution to conform with the GDPR framework would be to forget about not only storing data on the US soil, but to deal with any of the US cloud giants.

This does not mean it is the only legal solution…

You skip a few crucial sections, just like Microsoft conveniently did in their statement.

I do not say SCCs are no longer legal, but that they can only be used in countries where the legal framework does not invalidate them. FISA and Executive Order 12333 DO invalidate SCCs with companies that have to comply with them. That is not ALL US companies, but the majority. The court was very clear about that.

Let me quote:

I am using SCCs with a data importer in the U.S., what should I do?
The Court found that U.S. law (i.e., Section 702 FISA and EO 12333) does not ensure an essentially equivalent level of protection.

In other words, an SCC is NOT enough; the law in the country has to be compatible with EU law, and Privacy Shield is no longer valid:

I was transferring data to a U.S. data importer adherent to the Privacy Shield, what should I do now?
Transfers on the basis of this legal framework are illegal. Should you wish to keep on transferring data to the U.S., you would need to check whether you can do so under the conditions laid down below.

Now let’s talk about those “conditions laid down below” as you also quote. They essentially don’t give any clear guidance when it can be legal, they just say that it COULD BE, based on ‘individual assessment’:

The supplementary measures along with SCCs, following a case-by-case analysis of the circumstances surrounding the transfer, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.

-> so you have to guarantee that US law does not apply for the data you have or the company you work with. How do you guarantee that the US government can not ask data from Microsoft under the FISA? You don’t, of course. Because you know they can, they have done so already, many times.

Then about those “derogation foreseen in Article 49 GDPR”, another possible exception, they say:

In relation to transfers necessary for important reasons of public interest (which must be recognized in EU or Member States’ law), the EDPB recalls that the essential requirement for the applicability of this derogation is the finding of an important public interest and not the nature of the organisation, and that although this derogation is not limited to data transfers that are “occasional”, this does not mean that data transfers on the basis of the important public interest derogation can take place on a large scale and in a systematic manner.

So those can be used only for ‘public interest’ organizations and also only for exceptions, so not for your daily usage of Office 365. That’s not ‘occasional’, in any realistic sense of the word.

So what I stated:

The only legal solution to regain compliance with EU law is to immediately stop data transfers to the US businesses and repatriate data currently residing with them…

is correct for the vast majority of cases, certainly for bulk data transfers. There might be exceptions in corner cases, but Privacy Shield was the reason why SCCs were legal with the USA, and it no longer exists.

I’m not a lawyer, and I probably misuse some terms (like, with ‘illegal’ I meant ‘not GDPR compliant’ - but that’s also the wording the EDPB used), but I can read, and if you want to refute my claim, read the entire document a little more carefully before you call my reading bull* please :wink:

… or on-premises solutions from other companies, including Microsoft Office Online and SharePoint for example. Although some of those have also been shown to send data to Microsoft and a bunch of other companies. Here’s just a history of the Dutch government finding such leaks from 2018-2019-2020:

These are not incidents - they keep happening, year after year. MS adds data leaks faster than they can be removed, it seems. And this is JUST in NL; I happen to read Dutch very well, but many countries have similar stories, if their DPAs are a bit independent.

So let’s be honest, my conclusion is not at all controversial - just very inconvenient for Microsoft and other US companies, and their army of well paid lobbyists. See earlier statements from the Swedish or Germans like this one - they often get softened due to pressure from lobbyists.

Exactly!
It is one thing to make outlandish statements about Nextcloud or security (as you said, some of the Nextcloud features are developed for purely PR reasons) and another to post articles with titles like “EU court: withdraw personal data of EU citizens from US cloud services immediately”.

Legal comments from a psychology major!
If you weren’t Nextcloud co-founder, I’m sure you’d be fired by now…