Ever since the European Court of Justice declared the bilateral treaties on the transatlantic exchange of data (Safe Harbor and later Privacy Shield) invalid at the instigation of Austrian data privacy activist Max Schrems, a growing number of US cloud providers have resorted to using standard contractual clauses (SCC). In our customer projects, we are asked time and again to give our opinion on this approach. Adding to the uncertainty are laws such as the US CLOUD Act, which governs the provision of data to authorities by US providers – even if the data in question is not stored in the USA, but for instance on servers within the European Union.
Schrems also skeptical of revised standard contractual clauses
While a blog post could certainly never take the place of proper legal counsel, we would nevertheless like to take this opportunity to refer you once again to our virtual Fire Side Chat [available in German only] with the man himself – Max Schrems – which took place last year. In the course of the event, Schrems explicitly expands on what he sees as the “circumvention” of the issue by way of SCCs. He especially takes aim at the revised version commonly used since June 2021, which is significantly more complicated to put into practice, as each case in principle requires its own individual assessment.
European data centers of US providers not safe from access by authorities
The scenario of US providers using geographically distributed processing of data, common in the provision of email, security and content delivery services, remains particularly difficult to assess. According to Schrems, at least one thing is perfectly clear: even if US cloud providers are running their own data centers in Europe, the data stored there is not protected from access under the Foreign Intelligence Surveillance Act (FISA), as the law does not stipulate any geographic limitation.
Impacted parties not informed of access due to secrecy requirements
Considered especially problematic in this regard are the secrecy requirements imposed by the National Security Letters (NSL) and FISA, which explicitly prohibit providers from informing those involved about the authorities’ requests for data – much to the displeasure of large US providers such as Microsoft, by the way.
Schrems advises: Question providers directly and place them under scrutiny
Getting back to the question posed at the beginning of this blog post: what does Max Schrems advise for companies which are apprehensive following the demise of Privacy Shield? In our Fire Side Chat he was also crystal clear on this point: rather than pouring their money into the legal counselling industry, companies would be better advised to approach their providers, question them directly and scrutinize their processes. To assist you in this regard, we have compiled a list of the essential aspects to consider on our website. There you will also find a questionnaire to forward to your IT service providers.