There is no longer a way to justify using US-operated cloud service providers in Europe for processing personal data, from a GDPR perspective. Read on to learn why, and how to mitigate this.
Some background information
The General Data Protection Regulation has been in full effect since May 25th, 2018. The move from on-premises and private data centre deployments to cloud-based services, however, has been going on for a while longer. Cloud services are now used by private companies of every size. Even governments have been moving more and more of their systems to SaaS, PaaS, and IaaS providers. There are many advantages to this, including reduced development costs and increased reliability, but there are some important disadvantages as well.
Cloud computing is a market dominated by US companies. Amazon, Microsoft, and Google together take about 60% of global cloud computing revenues, with the remainder being divided between many smaller companies. The only non-US contenders in the top 10 are Alibaba and Tencent, both Chinese companies. Apart from the troubling shadowy practices revealed by Edward Snowden, there are also above-board legal reasons why EU citizens are justified in being concerned that their data is being processed by US companies, and the Chinese alternatives aren't much better.
Relationship between the parties
A common misconception is that when using cloud service providers the physical location where your data is stored is the most important aspect. This is based on the fact that the GDPR has some very strict rules governing so-called international transfers. If our data is only stored and transferred inside Europe it doesn't count as a "restricted transfer" under Article 44 of the GDPR. So, we're good, right?
While physical location is still important, the fundamental problem here is not the location at which the processing itself takes place. It’s about the relationship between a controller and a processor, or between a processor and a sub-processor. So even if you only pick EU data centres, what matters is that AWS, Azure and GCP are operated by (subsidiaries of) American companies. The data which they process for you can still be transferred out of the EU without your knowledge, and that's the real issue here.
Contradictions between US and EU law
In the days of Privacy Shield and Safe Harbour, companies could pretend that using services provided by American companies wasn’t a problem, because the European Commission had ruled that United States law provided adequate protection. The EU Court of Justice decision in the Schrems I case already invalidated Safe Harbour, based on the Snowden revelations. This year, Schrems II also invalidated Privacy Shield, based on contradictions between EU and US law. Note that the company that Maximilian Schrems originally sued, leading to both of these court decisions, was Facebook Ireland, an EU-based company with data centres in the EU, not Facebook Inc.
US legislation such as the ECPA and the PATRIOT Act allows US law enforcement agencies to request data that is accessible to a US-based company, even if this data is stored inside the EU. There are limits on what can be requested, and the larger cloud providers tend to fight data requests that they consider egregious, but if they do need to comply they are required to do so without disclosing to the data subject that their data has been accessed, leaving an EU citizen no way to defend their rights.
The only way that is left open for EU companies to still use US companies or their subsidiaries for personal data processing is by using standard contractual clauses that guarantee that the third party will comply with EU law. However, Schrems II also implies that for American companies guaranteeing that they will comply with EU law inherently means breaking US laws. They are therefore caught in a sort of Catch-22.
Unfortunately, many of us are still tied to American company-operated cloud services. Here are some mitigations that could minimise the risk in this tricky situation:
- Using all possible technical measures to make sure that the only significant risk still posed to EU residents’ personal data is directly from the US government.
- Looking into on-premises processing for the most sensitive data or potentially migrating to European service providers if possible.
- Other measures, such as making sure that control of encryption keys and other important tools for maintaining the safety of anonymised or pseudonymised data remains firmly in the hands of the data controller, rather than with the cloud provider.
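The last mitigation, controller-held keys, is shown below as an added Go example that is not part of the original article. It assumes the two 32-byte keys are generated and stored on controller-run systems (an on-premises or EU-operated key store), so that the cloud provider, and anyone it is compelled to hand data to, only ever holds a keyed pseudonym and AES-256-GCM ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// ControllerKeys stay on controller-run systems (assumed: an on-premises or EU-operated KMS); the cloud provider never receives them.
type ControllerKeys struct {
	pseudonymKey []byte      // HMAC-SHA256 key that derives stable pseudonyms
	aead         cipher.AEAD // AES-256-GCM under the controller's data key
}

// NewControllerKeys takes two 32-byte keys drawn from a CSPRNG on the controller side.
func NewControllerKeys(pseudonymKey, dataKey []byte) (*ControllerKeys, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	g, _ := cipher.NewGCM(block) // cannot fail: AES has the 16-byte block size GCM requires
	return &ControllerKeys{pseudonymKey, g}, nil
}

// Pseudonymise maps a direct identifier to a keyed hash: records can still be joined on it, but nobody without pseudonymKey can confirm a guessed identity by recomputing it.
func (k *ControllerKeys) Pseudonymise(identifier string) string {
	m := hmac.New(sha256.New, k.pseudonymKey)
	m.Write([]byte(identifier))
	return hex.EncodeToString(m.Sum(nil))
}

// Prepare runs before a record leaves for the cloud: the provider stores only the pseudonym and nonce-prefixed ciphertext, with the pseudonym bound as associated data so records cannot be swapped between subjects.
func (k *ControllerKeys) Prepare(identifier string, contents []byte) (string, []byte, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	pseudo := k.Pseudonymise(identifier)
	return pseudo, k.aead.Seal(nonce, nonce, contents, []byte(pseudo)), nil
}

// Recover decrypts a record fetched back; it fails under any other key or if the stored pseudonym or ciphertext were altered, so a third party holding a copy learns nothing.
func (k *ControllerKeys) Recover(pseudonym string, ciphertext []byte) ([]byte, error) {
	if n := k.aead.NonceSize(); len(ciphertext) >= n {
		return k.aead.Open(nil, ciphertext[:n], ciphertext[n:], []byte(pseudonym))
	}
	return nil, errors.New("ciphertext too short")
}
```

The provider can index and join on the pseudonym, but turning it back into a person, or reading the contents, requires keys that never left the controller.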
We hope this short summary and suggested mitigation measures were useful to you. Contact us to learn more about implementing and managing AI projects with personal data responsibly.
If you'd like to learn more about the basics of GDPR compliance for AI projects, we invite you to read our two previous articles on this topic. Learn how to get started with GDPR here and learn more about the GDPR principles here.