The General Data Protection Regulation and the problem
The European General Data Protection Regulation (GDPR) is an important tool for European cloud service providers to counter the omnipotence of GAFAM or MAAMA. GAFAM or MAAMA refers to the large tech corporations Google, Amazon, Facebook, Apple and Microsoft or Meta, Amazon, Apple, Microsoft and Alphabeth, which have created a quasi-monopoly in their respective fields. Several US laws ensure that US cloud service providers cannot comply with the GDPR. Bland agreements with the EU such as Safe Harbor or Privacy Shield are always overturned by the highest courts with a time delay.
Privacy Shield no longer applies
The Privacy Shield was an informal agreement negotiated by the EU Commission with the Americans in 2015. The agreement was intended to ensure compliance with European data protection standards for data transfers to the USA. In addition, the Privacy Shield was supposed to serve as a successor to the Safe Harbor agreement, which had already been overturned before, and to ensure adequate data protection for the European population. On 16 July 2022, the European Court of Justice states in the corresponding ECJ ruling that the Privacy Shield, under which data transfers to the USA were permitted, no longer applies.
Accordingly, as of 16 July 2020, personal data may no longer be transferred to the USA on the basis of the Privacy Shield. So called standard contractual clauses used for the transfer of personal data to third countries will continue to apply.
Nevertheless, these standard contractual clauses may only be applied if the third country in question offers a level of data protection equivalent to that of the EU.
In summary, this means that the transfer of personal data on the basis of the Privacy Shield is not permitted and may only take place on the basis of standard contractual clauses if the state to which the data is transferred has a level of data protection that guarantees citizens the same rights as in the EU.
This can be read in the judgment as follows (§ 105):
"...that the appropriate safeguards, enforceable rights and effective remedies required under those provisions must ensure that the rights of individuals whose personal data are transferred to a third country on the basis of standard data protection clauses enjoy a level of protection equivalent in substance to that guaranteed in the Union by the GDPR in the light of the Charter."
The company responsible for the data transfer must ensure that the standard contractual clauses are examined on a case-by-case basis and that an adequate level of protection is guaranteed. The level of data protection in the USA does not come close to that in Europe. This means that in most cases the USA is not a country to which personal data may be transferred on the basis of standard contractual clauses. The transfer of personal data to the USA on the basis of standard contractual clauses therefore constitutes a violation of the General Data Protection Regulation.
Transferring personal data to Europe
One possible option is to move personal data stored in the USA to Europe. A few years ago, large American corporations, such as Microsoft, started to build so called server farms, i.e. huge data centres, in Europe. This means that the data of European citizens no longer has to be transferred to the USA. But is that really the solution?
Foreign Intelligence Surveillance Act (FISA)
The Foreign Intelligence Surveillance Act, or FISA for short, is a US law for the surveillance and regulation of foreign intelligence and counterintelligence in the United States. The law obliges all American providers of communications services to collect and store the data of foreign citizens and make it available to the authorities. US communications service providers are subject to this law regardless of what has been agreed in contracts with European companies.
This allows US authorities to intercept all electronic communications of citizens located outside the US. Metadata can be requested by National Security Letter even without a warrant. Edward Snowden's biography shows that our communications are recorded almost without interruption. He helped build the immense storage facilities on behalf of the intelligence services.
Add to this the Cloud Act
The Cloud Act is a law passed by the US government in 2018. The law obliges all American companies to grant the authorities access to data even if it is stored outside the USA. This means that even if American companies store data in Europe, access to this data must be guaranteed for US authorities. This is in contradiction to the European General Data Protection Regulation.
This is a fundamental right of European citizens and this fundamental right is consistently and deliberately violated by the USA. Since it is unlikely that Europe will change fundamental rights or that America will adapt its own laws, another solution must be found in the long term.
The use of European software as a solution
We at fairkom try to see this immense challenge as an opportunity for Europe, for European independence and economy. The ECJ ruling came into force on 16 July 2020. The effects have thus been legally binding since that day, and the fundamental rights of European citizens are violated on a daily basis to an extent that is hard to comprehend.
Why is this so? - The scope of the effects is so gigantic that people like to bury their heads in the sand for the time being. Added to this is the enormous dependence of European politics and business on software from the USA. American companies are behind much of the software that is used in Europe on a daily basis. As a result, there is little political resistance to the surveillance of European citizens by US companies and authorities.
The measures taken by fairkom to ensure fair handling of data are listed here. The blog post (in German) on alternative tools offers starting points on how US software can be replaced by open source.
Further information:
This Article serves as a foundation for this research. (in German)
Link to the ECJ judgment of July 16, 2020. (in German)
Our own blog post on video conferencing systems in comparison. (in German)