European data protection and digital sovereignty must now go hand in hand

The EU Cloud Code of Conduct (CoC) defines clear requirements for cloud service providers (CSPs) to ensure their processing of customer data complies with the General Data Protection Regulation (GDPR). This is still today the only comprehensive set of guidelines there is. Initiated by the European Commission itself, the Code provides for the technical and organisational implementation of the highest possible standards of data protection in Europe. The latest version is now being checked by the European Data Protection Board (EDPB), the association representing all the national data protection authorities of the EU, prior to its recognition throughout Europe.

Within just a few years, the Code has effectively become a real “brand” that is widely accepted by the European cloud industry.

At Fabasoft too we see the EU Cloud CoC as the strongest possible (voluntary) commitment by European CSPs to provide cloud services that are fully aligned with the requirements of the GDPR. For us, implementing the Code has always been an important factor in building the trust of our customers and consequently also for our market profile. Our compliance with vigorous data protection and security policies based on the EU Cloud CoC is a transparent sign of quality which, together with our annual re-audit, gives our customers absolute certainty that the processing of their exported data is fully aligned with the GDPR.

Data transfers to third countries do not meet European standards of protection

Within the European Union the cloud industry has been working ever more closely together, and by implementing the code as a kind of quality seal is now establishing a European understanding of the protection of personal data and wide-ranging cybersecurity. However, this high level of protection of customer data is not guaranteed when data is transferred to third countries.

On 16 July 2020, the judgement of the European Court of Justice (ECJ) in the “Schrems II” case invalidated the “Privacy Shield” agreement for data transfers between the EU and the US, on grounds that it failed to provide a level of data protection equivalent to that of European data protection. This just confirmed European doubts.

As long as the US is subject to the terms of the US Foreign Intelligence Surveillance Acts (FISA), Section 702, which force US internet giants like Facebook and Google to allow the Intelligence Community opportunities for surveillance of foreign data owners, an appropriate European level of data protection will not be feasible in the United States. EU justice commissioner Didier Reynders is also sceptical as to whether sustainable data transfer regulations can be formulated in the near future without a genuine reform of US surveillance practice.

Many medium-sized European companies, particularly in the cloud, social media and platform sectors, that have been relying on the provisions of the Privacy Shield for their data transfer, now face major problems. Alternatives such as “standard contractual clauses (SCCs)”, “binding corporate rules”, or obtaining the consent of data owners for transfer of their personal data, are legally complex for SMEs and additional protection measures (encryption, data anonymisation) demand a high degree of individual commitment.

The European data protection authorities, on the other hand, have been strengthened by the ECJ judgement and will in future have to penalise infringements in the case of SCCs, to the point where data transfer may be prevented.

In light of the current situation which, in the short term, is certainly difficult and possibly insoluble, the EU Cloud CoC’s initiative to develop an additional module for data transfers to third countries must be welcomed as a start. Europe, however, must not allow fragmentation to slow its work towards formulating sustainable regulations for the transfer of European data to the USA or other third countries, but must now call on all available expertise, such as that of the Council of Europe, for instance (publisher of Convention 108+ “for the protection of individuals with regard to the processing of personal data”, including the Additional Protocol, which is referenced in the preamble to the GDPR, point 105).

Implementation of “digital sovereignty” could be a major ally

Given Europe’s extensive technological dependency in industrial IT applications, in recent months the topic of “digital sovereignty” has become a key issue in public discourse. This culminated repeatedly in the question of whether the Chinese company Huawei should be allowed to supply core components for the development of future 5G networks, or whether this should be avoided for security reasons.

In this context the French-German infrastructure initiative “Gaia-X” is gaining traction. The objectives of greater data sovereignty, better IT security, data portability and data protection, based on European infrastructures and European locations for European cloud data storage, are consistent with the aspirations of the EU Cloud CoC – to guarantee information security and the protection of personal data by means of transparent quality standards.

Nevertheless, this European mindset for infrastructure and services must always strive for a fine balance of IT security with free flow of data and interoperability. This can surely only be achieved by all sides with democratic supervision of intelligence services and by avoiding clumsy protectionism.