With the Schrems II decision, GDPR requirements may now extend to the choice of a cloud platform. HiQ's Toivanen explains what this means for organisations and consumers.
In February 2022, Meta, the parent company for Facebook and Instagram, admitted that it was considering shutting down its business in Europe. Just a few weeks earlier, an Austrian court had declared Google Analytics to be in breach of GDPR in the EU, and the City of Stockholm had banned the use of Microsoft 365.
HiQ's Vice President and integration expert Antti Toivanen says the tech world is in an unprecedented situation.
"In the past, the US and Europe used to negotiate common data protection practices. For the first time, both have their own regulations, which are not compatible."
In 2018, the GDPR data protection directive came into force in the EU. Meanwhile, in the US, President Trump signed the CLOUD Act, which gives US authorities the right to demand data from US-based companies – even when the data is being stored in the EU.
In 2020, the situation came down to a landmark court case in which an Austrian lawyer sued Facebook for violating privacy regulations and transferring personal data to the US intelligence agency NSA. He won, and the resulting Schrems II decision invalidated the US-EU data transfer agreement.
"The decision inevitably raises the question of whether any operator storing its data in a US-based cloud service such as Azure is compliant with the GDPR in its current form," Toivanen wonders.
Standard Contractual Clauses (SCCs), which are widely used in the EU, remain valid. For the data exporter and data importer to rely on SCCs, they must verify that there is no reason to believe that any laws or practices applicable to the data importer prevent it from fulfilling its obligations under the SCCs.
He cites the example of online shopping, where the consumer gives their consent to the online trader to process their data. However, if the online store in question stores its data in the Azure cloud, the US can automatically have monitoring access. In such cases, is the GDPR still respected? With SCCs, the burden falls on the business.
According to Toivanen, every municipality, organisation, and company must now check that not only their own data protection practices but also their backend systems and data storage are GDPR-compliant.
"The threat is real, and there are ongoing developments – for example, Google Fonts have just been ruled illegal in Germany. Many of our customers have also reacted and requested to move their integration platform to Compliant Cloud."
Toivanen explains that to be 100% sure, you should choose Compliant Cloud or a similar OpenStack-based platform that remains GDPR-compliant even after the Schrems II decision. The data on the cloud platform must be located in the EU and owned by an EU country.
Toivanen says that the worst thing about the current situation is uncertainty. Businesses have naturally sought to circumvent the regulations with standard contract terms that fall helplessly short of EU directives.
The safest play is to ensure from your own technology provider that all systems storing personal data run on a GDPR-compliant cloud platform.
Antti Toivanen, Vice President and integration expert, HiQ
According to Toivanen, a company's IT infrastructure must be viewed holistically, from the user interface layer, i.e., the online store or customer service, all the way to the integration layer.
"While in 2018 companies focused on their own methods of handling customer data, we now need to extend this to the suppliers and the cloud platforms they use."
Toivanen advises consumers to think critically about which websites they allow to process their data.
"Sites that promise to process cookie data or personal data in accordance with the required regulations cannot necessarily guarantee that this will happen. As consumers, we should think twice before accepting cookies or granting other rights to process our data."
Make sure your online shop or service continues to be GDPR-compliant.