Bonum Certa Men Certa

EPO and Microsoft Collude to Break the Law -- Part VII: Lipstick on a Pig…

Previous parts:



Safe Harbour pig
The Privacy Shield was derided by its critics as "lipstick on a pig"



Summary: The Schrems II judgment has significant implications for "cloud computing" services

As we saw in the last part, following the invalidation of the Safe Harbour by the CJEU in its "Schrems I" judgment a revised framework for regulating transatlantic exchanges of personal data was pulled out of the hat in the form of the Privacy Shield.



From its very inception the robustness of this arrangement was questioned and it was derided by its critics as "lipstick on a pig".

The hurried manner in which the Privacy Shield was cobbled together meant that it always smacked of being a flaky and legally unsound last minute political compromise between the EU and the Obama Administration.

In the eyes of its critics it was nothing more than a comfort blanket to calm post-NSA revelations nerves among non-US cloud services buyers, rather than a legally sound framework to protect data from intrusive examination by American intelligence services.

"The hurried manner in which the Privacy Shield was cobbled together meant that it always smacked of being a flaky and legally unsound last minute political compromise between the EU and the Obama Administration."The first signs that the revised arrangement might not last very long came in January 2017 during the early days of the Trump Administration when the incoming POTUS signed off on a new Executive Order on "Enhancing Public Safety in the Interior of the U.S."

Among other elements, this Executive Order directed US government agencies to “ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information".

This prompted certain commentators, such as MEP Jan-Philipp Albrecht, to express concerns about the tenability of the Privacy Shield and to call for its suspension pending clarification of the legal implications of Trump's Executive Order.

The European Commission was quick to dismiss these concerns.

Others who remained sceptical about the tenability of the Privacy Shield arrangement confidently - and accurately - predicted that its days were numbered.

"The Schrems II judgment has significant implications for "cloud computing" services."The final nail in the coffin came in 16 July 2020 when the CJEU delivered its judgment in the case of Facebook Ireland Ltd. v. Maximillian Schrems – known as "Schrems II" – which not only invalidated the Privacy Shield agreement but also put other data transfer mechanisms into significant doubt.

The CJEU found that due to the possibility of access to personal data of EU citizens by US authorities, the Privacy Shield infringed EU data protection regulations because it did not provide adequate GDPR‑compliant protection of personal data.

Privacy Shield
The Schrems II judgment has significant implications for "cloud computing" services



The Schrems II judgment has significant implications for "cloud computing" services.

Private companies and public sector bodies have increasingly started to make use of cloud services in recent years and this trend is likely to continue in future. The majority of cloud services are provided by vendors located in the US. The servers for the purchased services are partly located in the US, partly in Europe.

And this is where it gets interesting.

Even if a server is located in the EU, US authorities may access the stored data. This access is possible because of the FISA (Foreign Intelligence Surveillance Act) 702 and the EO (Executive Order) 12.333 which apply to all Electronic Communication Service Providers headquartered in the US.

"The majority of cloud services are provided by vendors located in the US. The servers for the purchased services are partly located in the US, partly in Europe."Merely relocating the data to an EU-based region in these clouds is not sufficient, because the problem is not geographical in nature.

The decisive issue here is that US-owned cloud vendors are subject to US jurisdiction and US legislation can be used to them to hand out customer data to the US government, even if the servers storing that data happen to be located on foreign soil.

USA spying on EU
Even if a server is located in the EU, US authorities may access the stored data via FISA (Foreign Intelligence Surveillance Act) 702 and the EO (Executive Order) 12.333 which apply to all Electronic Communication Service Providers headquartered in the US.



In essence, the Schrems II judgment means that US-based cloud providers such as Google, Amazon Web Services (AWS), and Microsoft Azure cannot be used to store data about European citizens in a GDPR-compliant manner.

In December 2020 it was reported that the Swedish data protection authority had imposed the first GDPR-based fine for lack of adequate protection of sensitive data stored in a US‑based cloud platform after the Schrems II decision.

"In December 2020 it was reported that the Swedish data protection authority had imposed the first GDPR-based fine for lack of adequate protection of sensitive data stored in a US‑based cloud platform after the Schrems II decision."In that case the UmeÃ¥ University in Sweden was fined SEK 550,000 (approx. € 54,000) because it was found to have processed special categories of personal data concerning sexual life and health using storage in a cloud service of a US-based provider, without sufficiently protecting the relevant data.

The Swedish data protection authority referred to the Schrems II judgment and took the stance that per se a data transfer to the US triggers a high risk for personal data because data subjects are limited in protecting and enforcing their privacy rights.

In the next part we take a further look at the fallout from Schrems II in Europe and how the judgment has given new impetus to the discussion about European "data sovereignty".

Recent Techrights' Posts

Microsoft Windows Fell to All-Time Lows in Egypt This Summer, Vista 11 Adoption Decreases While GNU/Linux Increases
Vista 11 is going down rather than up
12 Hours Ago The Register MS Published a Fake (Paid-for) Article, But This One for a Change Did Not Promote a Ponzi Scheme
There are also Free software alternatives, but they don't pay The Register MS for "synthetic" so-called 'journalism'
 
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, August 27, 2025
IRC logs for Wednesday, August 27, 2025
Slopwatch: linuxsecurity.com, Slopfarms in Google News, and More
Some readers of ours end up sending us links that are from slopfarms, not realising those are slopfarms
Gemini Links 27/08/2025: Katrina Memories and Google Versus Software Freedom
Links for the day
Links 27/08/2025: Police Against Media Freedom in the UK, Energy-Hungry Countries Targeted by China
Links for the day
Links 27/08/2025: Microsoft Demoralises Staff With Slop Demands, Leaving Mastodon Explained
Links for the day
More People Need to Call Out and Put a Stop to Serial Sloppers
Unless slopfarms are stopped, people will read and share Microsoft propaganda made by chatbots
Gemini Links 27/08/2025: Headphones and Tartarus
Links for the day
Morale at Microsoft is Terrible (Proprietary Plagiarism Machines Have No Future, LLM Slop is a Bubble)
The slop sceptics/critics are going to have lots of "told you so" moments
GNOME "governance issues, staff reduction, etc." amidst Albanian whistleblowing and women trafficking
Notice the connection to Software Freedom Conservancy (SFC) and GNOME
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, August 26, 2025
IRC logs for Tuesday, August 26, 2025
Richard Stallman (RMS) Was Right About "Sideloading" in 1996
We now have computers that treat booting GNU/Linux like an act of "Sideloading"
Panama: Windows Down From 97% "Market Share" to Less Than 30%
In 2009, Windows was measured at 97.24% (compared to 62.32% right now or less than 30% if one also counts Android)
The UEFI 9/11 - Part I - Introduction to Impending Catastrophe (Microsoft Preventing People From Booting Non-Windows Systems)
eight-part series
Why Techrights is Slow Today (Bot Floods)
We don't know if those bots are connected to LLMs (we have not checked), but that is a possibility
Slopwatch: DDoS Slop, LinuxBSDos.com Spam, and Slopfarms in Google News, Including webpronews.com
Among the news we also found fakes, albeit not so much today
Links 26/08/2025: "Ballooning Debt" in France and "Transnational Repression in the UK"
Links for the day
Gemini Links 26/08/2025: Listening to Alcest and Google Doing Evil (Users Installing Software is "Sideloading" and Prohibited)
Links for the day
Links 26/08/2025: DNS Tampering and TikTok Layoffs
Links for the day
Microsoft's Windows "Market Share" Overestimated
Microsoft's income sources are shrinking
We Shall See...
My wife and I are hardly the first victims of Brett Wilson LLP
This New Determination on a Case Echoes the Modus Operandi of Microsoft's Serial Strangler vs Techrights (Its Online Decision/Judgment Says Truth and Public Interest Defend the Publisher)
Noel Anthony Clarke hopefully has enough money left to pay his victims, which include the publishers
Going Offline
There was life before the Net
The Register MS Has Apparently Shut Down Its Office
It is basically a fake address on the face of it
There Are Also Expectations of IBM Layoffs Very Soon With "Narrative Control."
Some of them mention Red Hat and how IBM failed to achieve anything substantial with that acquisition
After at Least Two Rounds of Mass Layoffs in August Microsoft Said to Have "September Layoff Confirmed - Performance Based"
Those "M5 level meetings" sound plausible
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, August 25, 2025
IRC logs for Monday, August 25, 2025