Bonum Certa Men Certa

EPO and Microsoft Collude to Break the Law -- Part VII: Lipstick on a Pig…


The Privacy Shield was derided by its critics as "lipstick on a pig"



Summary: The Schrems II judgment has significant implications for "cloud computing" services

As we saw in the last part, following the invalidation of the Safe Harbour by the CJEU in its "Schrems I" judgment, a revised framework for regulating transatlantic exchanges of personal data was pulled out of the hat in the form of the Privacy Shield.



From its very inception the robustness of this arrangement was questioned and it was derided by its critics as "lipstick on a pig".

The hurried manner in which the Privacy Shield was cobbled together meant that it always smacked of being a flaky and legally unsound last-minute political compromise between the EU and the Obama Administration.

In the eyes of its critics it was nothing more than a comfort blanket to calm post-NSA revelations nerves among non-US cloud services buyers, rather than a legally sound framework to protect data from intrusive examination by American intelligence services.

The first signs that the revised arrangement might not last very long came in January 2017 during the early days of the Trump Administration when the incoming POTUS signed off on a new Executive Order on "Enhancing Public Safety in the Interior of the U.S."

Among other elements, this Executive Order directed US government agencies to "ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information".

This prompted certain commentators, such as MEP Jan-Philipp Albrecht, to express concerns about the tenability of the Privacy Shield and to call for its suspension pending clarification of the legal implications of Trump's Executive Order.

The European Commission was quick to dismiss these concerns.

Others who remained sceptical about the tenability of the Privacy Shield arrangement confidently - and accurately - predicted that its days were numbered.

The final nail in the coffin came on 16 July 2020 when the CJEU delivered its judgment in the case of Facebook Ireland Ltd. v. Maximillian Schrems – known as "Schrems II" – which not only invalidated the Privacy Shield agreement but also put other data transfer mechanisms into significant doubt.

The CJEU found that due to the possibility of access to personal data of EU citizens by US authorities, the Privacy Shield infringed EU data protection regulations because it did not provide adequate GDPR‑compliant protection of personal data.




The Schrems II judgment has significant implications for "cloud computing" services.

Private companies and public sector bodies have increasingly started to make use of cloud services in recent years and this trend is likely to continue in future. The majority of cloud services are provided by vendors located in the US. The servers for the purchased services are partly located in the US, partly in Europe.

And this is where it gets interesting.

Even if a server is located in the EU, US authorities may access the stored data. This access is possible because of the FISA (Foreign Intelligence Surveillance Act) 702 and the EO (Executive Order) 12.333 which apply to all Electronic Communication Service Providers headquartered in the US.

Merely relocating the data to an EU-based region in these clouds is not sufficient, because the problem is not geographical in nature.

The decisive issue here is that US-owned cloud vendors are subject to US jurisdiction, and US legislation can be used to compel them to hand over customer data to the US government, even if the servers storing that data happen to be located on foreign soil.

Even if a server is located in the EU, US authorities may access the stored data via FISA (Foreign Intelligence Surveillance Act) 702 and the EO (Executive Order) 12.333 which apply to all Electronic Communication Service Providers headquartered in the US.



In essence, the Schrems II judgment means that US-based cloud providers such as Google, Amazon Web Services (AWS), and Microsoft Azure cannot be used to store data about European citizens in a GDPR-compliant manner.

In December 2020 it was reported that the Swedish data protection authority had imposed the first GDPR-based fine for lack of adequate protection of sensitive data stored in a US‑based cloud platform after the Schrems II decision.

In that case Umeå University in Sweden was fined SEK 550,000 (approx. € 54,000) because it was found to have processed special categories of personal data concerning sexual life and health using storage in a cloud service of a US-based provider, without sufficiently protecting the relevant data.

The Swedish data protection authority referred to the Schrems II judgment and took the stance that per se a data transfer to the US triggers a high risk for personal data because data subjects are limited in protecting and enforcing their privacy rights.

In the next part we take a further look at the fallout from Schrems II in Europe and how the judgment has given new impetus to the discussion about European "data sovereignty".
