The use of U.S. cloud infrastructure providers and GDPR compliance


There is an ongoing discussion on whether European companies that use U.S. cloud infrastructure providers, such as AWS and Microsoft Cloud, are compliant with Chapter 5 of the European General Data Protection Regulation (GDPR), which sets out the conditions that international transfers of personal data must meet to be considered sufficiently protected. While U.S. service providers have implemented a variety of measures to ensure compliance, the fact that they fall under certain U.S. surveillance laws has made the U.S. a tricky case for data transfers, and more specifically for data storage, ever since the Schrems II ruling.


International transfer of data: A hot topic in data protection

Back in July 2020, the Court of Justice of the European Union (CJEU) invalidated the U.S. Privacy Shield act in the Schrems II case, stating that it does not provide adequate safeguards under the GDPR. Until then, Privacy Shield was a recognised framework that companies could use for the transfer of personal data from the EEA to the United States. The main argument for invalidating this framework was that U.S. authorities had the power to request access to any personal data belonging to EU citizens without a warrant, based on Article 702 of the Foreign Intelligence Surveillance Act. This in essence conflicts with one of the GDPR’s main safeguards, namely that personal data should only be processed to the extent that is proportionate to the purpose of processing.


What Schrems II meant for business

With the ruling, uncertainty flooded the data privacy world on whether the use of U.S. cloud infrastructure providers such as AWS and Microsoft Cloud is compliant with the GDPR. The reason this was, and still is, such a huge topic is that European companies largely use U.S. cloud providers and often build their entire technical infrastructure on top of them. Switching to EU-based providers would for many be a massive financial commitment and a disruption to their business. In addition, industries voiced discontent because there are limited European options available that can compete with their U.S. counterparts in terms of services, technology and infrastructure.

As a response, U.S. companies were quick to adopt Standard Contractual Clauses (SCCs) in their contracts — a set of clauses drafted and approved by EU authorities that tick the regulatory compliance boxes for international transfers of data to countries outside the EEA that don’t have adequacy status. In addition, companies could contract with one of the U.S. companies’ European subsidiaries (if they hadn’t done so already) and choose one of the cloud providers’ server locations in Europe, e.g. AWS Ireland, Germany or France.

But even with those measures in place there was still a caveat: while the subsidiaries are based in Europe and comply with the GDPR, they’re owned by companies that fall under U.S. law, and so they may be subject to access requests by U.S. authorities. This keeps the situation somewhat ambiguous.

While U.S. companies claim compliance, privacy lawyers and professionals at large argued that even with SCCs in place, working with an EU subsidiary and using EU-based servers would still not offer enough protection under the GDPR.

New developments: Data Protection is not black or white

In March 2021 the Doctolib case in France made the headlines. The Conseil d’Etat — France’s highest administrative court — ruled that Doctolib, a platform hosted on AWS and used to book COVID-19 vaccinations, sufficiently protected the personal data it processes under the GDPR, because of the technical and legal safeguards that were put in place for the event of an access request from U.S. authorities.

Since the Schrems II ruling, U.S. service providers have taken extra measures to meet regulatory requirements and give European businesses confidence. On the legal side, taking AWS and Microsoft Cloud as examples, both companies have added clauses to their service agreements stating that any access requests from public authorities will be challenged and that affected parties will be informed.

On the technical side, Doctolib took extra measures to ensure the data it processes is safe by using a third-party provider for end-to-end encryption, so that only users holding the access key could read the information. This ensures that U.S. authorities wouldn’t be able to read the data even if they did gain access to it.
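The safeguard described above is a design pattern rather than a vendor feature: the client encrypts each record with a key that never leaves its side, and the hosting provider only ever stores opaque ciphertext. The following is an added illustration of that pattern and is not Doctolib’s, AWS’s or any encryption vendor’s code. The `CloudStore` class, the record contents and the key handling are constructed for the example. To keep it runnable without third-party packages it uses a stdlib-only construction (a SHA-256 counter-mode keystream with HMAC-SHA256 in encrypt-then-MAC); a production system should instead use a vetted AEAD such as AES-GCM from a maintained library, with keys kept in a client-controlled key management service.

```python
"""Client-side (end-to-end) encryption before records reach a cloud store.

Added example, not code from the original article or from any provider it
names.  The cipher below is a stdlib-only stand-in chosen so the example runs
offline; use a vetted AEAD (e.g. AES-GCM) in real deployments.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

NONCE_LEN = 16   # random per-record nonce, stored alongside the ciphertext
TAG_LEN = 32     # HMAC-SHA256 authentication tag


def derive_subkeys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Split one client-held master key into separate encryption and MAC keys."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: bytes) -> bytes:
    """Deterministic keystream: SHA-256 over (key || nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_record(master_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag.  Only this blob is sent to the provider."""
    enc_key, mac_key = derive_subkeys(master_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_record(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt.  Raises ValueError on a wrong key or tampering."""
    enc_key, mac_key = derive_subkeys(master_key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class CloudStore:
    """Constructed stand-in for the hosting provider: stores bytes, never sees a key."""

    def __init__(self) -> None:
        self._objects: Dict[str, bytes] = {}

    def put(self, object_id: str, blob: bytes) -> None:
        self._objects[object_id] = blob

    def get(self, object_id: str) -> bytes:
        return self._objects[object_id]


def client_upload(store: CloudStore, master_key: bytes, record_id: str, record: dict) -> bytes:
    """Serialise and encrypt on the client; the provider receives ciphertext only."""
    blob = encrypt_record(master_key, json.dumps(record, sort_keys=True).encode())
    store.put(record_id, blob)
    return blob


def client_download(store: CloudStore, master_key: bytes, record_id: str) -> dict:
    return json.loads(decrypt_record(master_key, store.get(record_id)).decode())


def provider_side_reveals(store: CloudStore, record_id: str, fragment: bytes) -> bool:
    """What an access request served from the provider's copy would expose."""
    return fragment in store.get(record_id)


def demo() -> dict:
    master_key = secrets.token_bytes(32)          # held by the client only
    store = CloudStore()
    record = {"booking_ref": "CONSTRUCTED-0001",   # constructed sample record
              "slot": "2021-03-15T09:30", "centre": "Example Clinic"}
    client_upload(store, master_key, "booking/1", record)

    tampered = bytearray(store.get("booking/1"))
    tampered[NONCE_LEN] ^= 0x01                    # flip one ciphertext bit
    try:
        decrypt_record(master_key, bytes(tampered))
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {"provider_sees_plaintext": provider_side_reveals(store, "booking/1", b"Example Clinic"),
            "roundtrip_ok": client_download(store, master_key, "booking/1") == record,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The point to take from `demo()` is the separation of trust: the provider can fulfil a request for the stored object, but that object discloses nothing without the client-held key, and any modification of it is rejected on download. Note that this only covers the data the client encrypted; metadata the provider needs to operate (object names, sizes, access times) remains visible to it, which is why the data-minimisation point made below matters as well.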


The fact that Doctolib did not process or store sensitive data such as health data on AWS ultimately also played in their favour.

The Conseil d’Etat ruling highlighted yet again that there is no black-and-white approach to the application of privacy regulations. The GDPR has been implemented to protect people’s personal data, but always with the closing remark that it should do so without hindering business continuity or innovation.

The Doctolib case sends a refreshing signal to companies that, in the end, it’s in their control to make cautious decisions about what makes sense for their business. Rulings such as Schrems II are not a dead end but instead lead to shifts in the industry.

EEA and UK businesses take a closer look at how they operate their business infrastructure while keeping good data management hygiene in place, and U.S. companies re-evaluate how to stay competitive while fulfilling legal requirements in the EEA and UK, ultimately stepping up their game on how to do business more responsibly as a whole.

A good example is a Microsoft Cloud announcement at the beginning of May 2021, promising to enable EU commercial and public sector customers to store and process all of their data in the EU, for all of their cloud solutions, by the end of 2022.

While industry experts criticise that this is neither fast enough nor bold enough, it is unlikely Microsoft would’ve taken these kinds of measures without the GDPR in place, let alone AWS. And while providers may not yet be fully compliant in all aspects, it is also economically unviable to expect businesses to switch service providers entirely. Rulings such as Schrems II help to bring issues with the status quo to the surface and put pressure on industries to do better than they’ve done so far.


What this means for you

So rather than rushing to replace all your U.S. vendors, look at the situation more holistically and, more importantly, get professional expertise and support on the matter.

Be aware of the ambiguity in certain areas of the market and observe how things unfold before you invest money that could potentially have been spent elsewhere. That does not mean you don’t need to act, but understand your options so you can make well-informed decisions on what the law says and how that translates into your case.

For example, if you process special categories of data, such as health data, religious beliefs, sexual orientation and biometric data, you’ll fall under higher scrutiny on how you secure that data, and using international service providers outside the EEA should be carefully evaluated altogether.

Be able to explain your rationale for certain business choices to your customers and stakeholders, and make sure to do your due diligence — not only once, but every so often — on the vendors you work with and on what additional steps you may want to take to safeguard the data you process.
