Contracting with U.S. cloud service providers: when allowed?

In many ways, the Internet is an American invention. In the 1960s, the U.S. Department of Defense was looking for a way for its globally-based personnel to exchange information regardless of where those personnel were located and regardless of the type of device they were working on. That system became ARPANET and ARPANET eventually became the Internet.

Much of today’s Internet infrastructure is still designed and built by American companies. This applies to the hardware (HP, Apple, Dell), the chips (Intel, Qualcomm) and to routers and modems (Cisco, Juniper). The market for web services and platforms for e-mail and cloud storage is also mainly in the hands of a few large U.S.-based players (Google, Oracle, Amazon, Microsoft). As a result, European organizations and companies are in many cases dependent on American parties for their IT needs.

Since 1981, a special legal regime has existed in Europe for the processing and transfer of personal data. This legal regime, which has meanwhile been laid down in Chapter V of the General Data Protection Regulation (GDPR), imposes restrictions on the free transfer of personal data. Under the GDPR, personal data can circulate freely within the European Economic Area (EEA), but the transfer of personal data to a country or territory outside the jurisdiction of one of the EEA member states is only permitted if strict requirements are met. The European legislator thus wanted to prevent the level of legal protection that the GDPR aims to guarantee from being easily circumvented by transferring data processing activities abroad.

Since a lot of computing power and data processing has been moved from local PCs to central servers of cloud service providers since the 10s, the legal regime on international data transfers has grown significantly in importance.

In the event of an international data transfer, it must be assessed on the basis of a three-pronged analysis whether the transfer is permitted. If the European Commission has declared that a country outside the EEA offers an adequate level of protection, then personal data may be transferred to that country on the basis of the relevant adequacy decision. In the absence of an adequacy decision, appropriate safeguards are required. The most important appropriate safeguards in practice are the Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). If there are no appropriate safeguards either, a transfer may still be permitted in a few specific situations under strict conditions.

For the U.S., an adequacy decision has been issued twice by the European Commission. The first decision was better known as Safe Harbor and the second decision as the Privacy Shield. Both decisions were declared invalid by the Court of Justice of the European Union in 2015 (Schrems I) and 2020 (Schrems II), respectively. According to the CJEU, the agreements made in both instruments do not result in a level of protection for personal data that broadly corresponds to the level of protection in the Union. The European Commission should therefore not have issued the adequacy decisions.

According to the CJEU, the ‘shortage’ of protection in the U.S. lies in the fact that the powers of American intelligence agencies are formulated too broadly. Firstly, this concerns legislation that gives intelligence agencies the power to demand information concerning non-Americans from internet service providers and telecommunications companies (FISA 702). Second, it concerns the power to tap on submarine cables on the Atlantic seabed, and to collect and store this data before it arrives on U.S. territory (E.O. 12333). By European standards, this legislation contains insufficient guarantees to ensure that such far-reaching powers are only used when strictly necessary, according to the CJEU.

The Privacy Shield can therefore no longer be used as a transfer mechanism. The question then arises as to whether it is possible to switch to the ‘second’ instrument, the appropriate safeguards. Unfortunately, this is difficult. In Schrems II, the CJEU also ruled that the SCCs and other appropriate safeguards do not operate in a vacuum. Companies wishing to transfer personal data on the basis of these tools must assess on a case-by-case basis whether the safeguards are actually effective. Sometimes additional safeguards will be required.

This reasoning is understandable. After all, SCCs do not alter or limit the powers of U.S. intelligence agencies. Nothing in the SCCs prevents the NSA from requisitioning data under FISA 702 or the CIA tapping submarine cables under E.O. 12333. It would be strange if, because of those broad powers, a transfer could not be based on an adequacy decision, but could still be based on the SCCs that do not contain any guarantees against these broad authorities.

In 2013, Microsoft was ordered by a U.S. judge to surrender emails sent through its email platform (hotmail.com, msn.com, outlook.com) in connection with an investigation into illegal drug trafficking. The emails in question were stored on servers in Dublin, Ireland. Microsoft believed that the U.S. court had no jurisdiction to issue an injunction over data stored outside the U.S. and refused to comply with the injunction.

Microsoft was unsuccessful in first and second instance, but was successful on appeal to the Second Circuit Court in July 2016. According to the Second Circuit Court, there were insufficient leads to believe that the law on which the order was based had “extraterritorial” effect. While the case then went to the Supreme Court, Congress passed a new law called the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). As the title implies, this law clarified that a court order can also apply to data stored on servers outside the United States.

Under the CLOUD Act, U.S. law enforcement agencies can thus recover data held by U.S. cloud service providers, regardless of where that data resides. This risk can be mitigated by making proper arrangements about inter alia encryption and about the IT supplier’s obligation to examine and challenge information requests.

Effectively, the foregoing means that the following attention points should at minimum be considered when contracting with U.S. cloud service providers.

• The transfer of personal data to a cloud service provider in the U.S. who must be able to access the data in the clear is effectively no longer possible since Schrems II. Not even when using SCCs.
• There is still scope to transfer personal data to the U.S. when the data (i) are pseudonymised; or (ii) encrypted with the cryptographic keys remaining under the control of the data exporter within the EEA.
• Today, almost all major cloud service providers offer the option of contractually agreeing that customer data will only be stored on servers within the EEA. Note that such an option generally only applies to data storage at rest and not to (i) customer data in transit; (ii) meta-data; and (iii) data processed in the context of support. Increasingly, cloud service providers are making efforts to keep such data also within EEA borders.
• Even if customer data is stored at rest in the EEA, U.S. cloud service providers may still be required under the CLOUD Act to transfer this data to U.S. government agencies. This risk can be mitigated by making proper arrangements about encryption and about examining and challenging information requests.
• Customers should carry out a thorough data transfer impact assessment (DTIA) to ensure that the above points are reviewed and that a documented risk assessment has been made.

Would you like to learn more about contracting with U.S. cloud service providers or need help conducting a DTIA? Feel free to contact our team.

Jeroen van Helden, attorney at law