November 4, 2020
The Schrems II ruling disqualifies the transfer and processing of personal data from EU countries to the US. But how does this affect cyber security products? Products that store and process far more sensitive data than personal data. It can be data that shows vulnerabilities in internal and business-critical systems of government agencies within the EU. In the wrong hands, this data could pose a risk to national security.
Privacy Shield is a self-certification framework for US companies that allows companies in the US to register with the US Department of Commerce, declaring they've met the requirements of the Privacy Shield. According to a decision by the European Commission, EU data controllers have been allowed to transfer personal data to recipients who have joined the Privacy Shield.
On 16 July 2020, the Court of Justice of the European Union issued its decision on the Schrems II case. The Court ruled that the EU-US Privacy Shield Agreement doesn't provide adequate protection for personal data when transferred to the US. The disqualification of Privacy Shield means that personal data controllers in the EU are no longer allowed to transfer personal data to US recipients.
The Cloud Act is a US legislation passed in March 2018 and is an extension of the Stored Communications Act (SCA) which was passed in 1986.
The law gives US authorities the right to request data from US cloud service providers - regardless of where the data is stored. It is therefore irrelevant where the servers on which the data is stored are located physically. If a US company owns the servers and the service, they're bound by the Cloud Act, even if the customers and the customers' data are in another jurisdiction.
Most cybersecurity products handle and store sensitive data. It can be data of critical vulnerabilities in a local network of a European government agency, data that could be used by foreign powers for espionage or sabotage.
Regardless if the supplier is American or not, if the product is provided through infrastructure in e.g. AWS or Google, then the data is still under the control of US authorities.
The Schrems II judgment focuses on personal data, but the ruling clearly shows the risks of the general problems of transferring and storing sensitive data with an American actor. Companies now need to assess their trans-Atlantic and global data transfers based on the court's ruling.
Stefan Thelberg answers questions about the Schrems II ruling.
If data is stored outside the US - is it still in breach of EU regulations?
Yes, it doesn't matter if personal information is stored physically in the United States or if it is under the control of a US company in another part of the world.
Can AWS and Azure be used?
Many US providers have infrastructure and store data in AWS, Azure, Google Cloud, and similar cloud platforms. As soon as personal data is stored in these services, they are no longer secure and in breach of EU regulations.
Can on-premise products from a US supplier be considered safe?
Most products, even if installed in a local data center within the EU, often have connections to the internet for software updates, support, and diagnostics. As these connections go outside the customer's premises, the customer loses control over which data is communicated from the product. As a customer, it's often impossible to ensure that personal data, or other sensitive data, isn't transmitted outside the company.
How are organizations outside the EU, for example, in Norway affected?
Since Norway adopts the same regulations as the EU regarding personal data, US companies may not be an option for Norwegian organizations.
What can we expect in the future in the matter?
The EU has put its foot down properly this time and US companies can expect higher security demands in the future. The United States may have to change some legislation, especially the Foreign Intelligence Surveillance Act, 702A, Executive Order 12333, and probably the Cloud Act before the EU cancels its disqualification. This will most likely be a tedious process.
Why has this not received more attention?
One reason is that the US wants to limit the market's reaction in the short term. It is also difficult for many organizations to action based on Schrems II, simply because they have their entire infrastructure in e.g. Azure or AWS.