What happens to US-owned services after the Schrems II ruling?

How to remain compliant in the cloud after after the Schrems II.

Two big news from January 2022:

"Google Analytics declared illegal in EU by Austrian court" (source)

"City of Stockholm bans Microsoft 365" (source)

It all began a few years ago. A legal battle between Microsoft and the Department of Justice (DoJ) ended in 2018 as President Trump signed CLOUD Act. CLOUD Act allows US authorities to demand data from US-owned firms - even when that data is on servers abroad. In that case, Microsoft lost. At the same time, in 2018, GDPR (General Data Protection Regulation) and NIS Directive (EU Network and Information Security directive) came to effect in the EU, the latter being EU-wide rules on cybersecurity. Just as the companies in the EU have fulfilled their obligations related to GDPR, an even bigger issue arises: Schrems II.

The destroyer of Privacy Shield: Schrems II

It all started with one person - an Austrian lawyer Maximillian Schrems. Schrems sued Facebook for privacy violation and alleged transfer of personal data to US NSA that violates GDPR. And he won.

On 16 July in 2020, this ruling nullified (C-311/18) the existing Privacy Shield that allowed US and EU privacy legislation to comply with each other. Practically Schrems II means that handing personal data to a party that cannot guarantee it to be safe as defined in GDPR is a direct violation of the GDPR.

So if you are storing personal data that falls under GDPR, can you rely on Azure, Google, AWS, or other US-owned cloud platforms?

If a public company is established in the EU but has moved its headquarters to the US and is listed in NYSE (New York Stock Exchange), is it US-owned? I think it is. The General Terms of contract may say that the legislation occurs in the EU, but as the ownership mandates in CLOUD Act, that doesn't matter. There is much uncertainty in the air, and the worst thing is that US and EU do not have ongoing negotiations about this issue.

In Sweden, for example, municipalities have already started moving their data and operations on compliant clouds like City Network's Compliant Cloud. In a Compliant cloud, the data and legislation stay in the EU, and the company is owned and based within the EU. With EU compliant cloud, these municipalities are free from CLOUD Act and US-based legislation not compliant with GDPR as long as they store and operate GDPR data without US-owned software or storage.

The big question: what happens next?

The answer to the question is: no one knows. People are trusting that the US and EU make some new privacy agreements. Will the US back down from CLOUD Act? Will EU-based companies move to use EU-based applications and cloud platforms? Will schools move away from Google learning environments widely used in the EU? Will we see the rise of the EU-based platforms in 2022?

Integration platforms as central data processors

Integration platforms are typically the center of receiving and moving critical data between systems when automating processes or providing APIs. If the API or process automation built on iPaaS manages data falling under GDPR or HIPAA, or PCI-DSS, the platform itself must be compliant with the requirements of the regulation in hand. The Schrems II practically decides that US-owned service and cloud providers are not GDPR compliant. Yes, this raises quite a lot more questions than just iPaaS compliancy, but as the heart and center of data flow, it is, for a related example, always considered as a GDPR processor. GDPR processor is the party that processes the data for the party that controls it, which is often the party that bought the iPaaS (client for iPaaS provider). The hosting party for the iPaaS in this context is considered a subprocessor. This though leads to an assumption that, if you're going to let iPaaS access personally identifiable information (PII), you cannot do it with a US-owned cloud provider or US-owned iPaaS vendor, as both would have to give PIIs to US-government officials on-demand, based on CLOUD Act, thus, not being GDPR compliant based on Schrems II ruling.

The sure way to be compliant is to remove US-owned parts from processors or subprocessors. Luckily, there already exists a non-US alternative - Frends iPaaS. In addition to Azure, Frends enterprise iPaaS core from version 5.4.4 is available in City Network's Compliant Cloud. You can, for example, have your Frends iPaaS core in a compliant cloud (City Network or any OpenStack cloud) and run Frends Agents anywhere, including US-owned clouds or on-premises. With Frends, the customer can choose the decision on whose legislation applies. Frends iPaaS allows you to ensure that no GDPR related data is managed, stored, or accessible in non-compliant platform parts of the distributed installation.

Several municipalities in Sweden have already moved their Frends iPaaS to Compliant Cloud. You can read about Frends for Compliant Cloud from here.

If you are interested, you can also contact Frends via the form below.