Since the European Court of Justice, in July 2020, declared the EU-US Privacy Shield an invalid legal basis for the transfer of personal data to the US and stipulated increased requirements for the use of the EU standard contractual clauses (C-311/18, 'Schrems II'), uncertainty has been rife within many companies: a legally compliant data transfer to the USA on the basis of the Privacy Shield is no longer possible, and the new EU standard contractual clauses announced in November 2020 have still not been adopted by the EU Commission (see our report). A clearly legally compliant solution for the use of US cloud services such as Microsoft Office 365, Amazon AWS, Salesforce, Google & Co. is therefore not possible today, even if the servers in question are located within the EU (see the interview with the state data protection officer in Baden-Württemberg). This problem affects not only companies but also the institutions of the European Union, as they also use Microsoft Office, for example.
The controller responsible for the data protection control of these institutions, EU data protection officer Wojciech Wiewiórowski, announced in a press release dated 27.05.2021 that two proceedings will be initiated to check compliance with EU law in the use of US cloud services.
What significance does the above announcement made by the EU data protection officer now have for German companies?
Almost a whole year after the Schrems II Decision of the ECJ described above, no legal certainty exists when cloud services from US providers are used, even with exclusive use of EU servers. The new EU standard contractual clauses should provide this legal certainty, but they are a long time coming. In addition, even after the publication of the final version for third-country transfers by the EU Commission, it can be expected that it will later be declared invalid by the ECJ, as the US government will probably not change its surveillance practices and, in addition, a no-spy agreement (as is now required for Great Britain) is unlikely. Yesterday's press release from the EU data protection officer shows that things are finally moving forward. Not only are the German supervisory authorities considering a ban on Amazon AWS, Microsoft Office 365, etc., but now also the EU supervisory bodies. That being said, Microsoft regularly concedes and brings new implementation models into play. Microsoft is also increasingly receiving support from the German federal government, which currently sees no real alternatives among EU providers. However, all these efforts and tendencies do not change the unrestrained desire of the US government to monitor international data traffic, so German companies should already prepare themselves for a possible review by the supervisory authorities with regard to the use of US cloud providers. The ITM Institute of the University of Münster recently proposed a possible answer to such hearings.