NOYB advice to EU businesses post-Schrems II

If independent EU cloud providers aren’t ready for this opportunity now, they may never get it again… @NOYBeu (chair: @maxschrems) has published advice to European data controllers on #GDPR-compliance following the #SchremsII judgment from the CJEU: “Most US cloud providers fall under #FISA 702 and you will not be able to use them anymore.”

It’s important to realise “FISA 702+EO 12333 have no territorial limitation. They also apply to servers in the EU that are operated by a US ‘electronic communication service provider’ or where certain operations are outsourced to a US provider. The location for hosting is therefore irrelevant.” So most of the big US cloud services’ European servers and localisation guarantees do not help. Although “providers may have sufficiently limited the factual access (‘possession, custody or control’) from US entities, so that an EU/EEA server is factually beyond the reach of the US govt”, I wonder if such controls are possible without a full corporate separation 🤔

Data exporters and importers must “implement appropriate technological and organisational measures to protect transferred data from NSA/FBI tapping.” I don’t know if this is factually possible, given the NSA’s extensive capabilities (see Snowden) to insert bugs in, and hack, the systems providing transit encryption.

“Any non-EU/EEA provider had the duty to inform you about laws like #FISA 702 and EO 12.333. If they have not done so, they are liable for all costs that result from cancelling the SCCs and transferring data back to the EU/EEA…”

I am looking forward to THIS case >> “The #PrivacyShield Decision was an incorrect executive decision by the European Commission. In theory, damages claims can be brought against the EU under Article 340 TFEU.”

Excellent work @NOYBeu 👏🏻 (and bravo for helping EU companies ask the right questions about their SCCs, very constructive.)

I assume @EU_EDPB is now rapidly updating this >> “One will notice that the CJEU used at least two points from [WP29] guidance to invalidate the #PrivacyShield.”

If we are *really* lucky, the update will make clear the UK’s obligations if it wishes to remain viable for data transfers even via #SCCs. Could these extend effectively to membership of the ECHR, or close enough to its standards that leaving would make no difference? 🤔

European Court of Human Rights “meddling” on national security issues is one of the key attractions to authoritarian Conservatives of the UK leaving the Human Rights Convention (alongside the ability to break up families, send people to be tortured, stop prisoners voting… did I miss any? 🤔)

Anyway: The Article 29 Working Party’s four “European essential guarantees” would make it very difficult for the UK to weaken the protections in the Investigatory Powers Act 2016, and the oversight regime of @IPCOffice, the Investigatory Powers Tribunal and the parliamentary Intelligence and Security Committee 🤔 No more obscure powers hidden in the Regulation of Investigatory Powers Act 2000, Telecommunications Act 1984, etc. (“clear, precise and accessible rules”). And EU citizens would have to retain their effective remedies, which will grind some Tories’ gears 👏🏻