France's National Commission on Informatics and Liberty (CNIL) ruled on 8th October 2020 that it was illegal to store personal health data of EU residents on any cloud operated by a US company or by a European company with business in the US:
Unlike Tik Tok in the US or Facebook in China, US clouds are not banned in the EU. However, using US clouds to process or store personal data of EU residents could be illegal. Using EU clouds submitted to US laws to process or store personal data of EU residents could also be illegal.
This situation is a direct consequence of the "Shrems II" ruling by the Court of Justice of the European Union (CJEU), an equivalent in EU of the US Supreme Court, which applies to all EU.
France's CNIL had thus to apply "Shrems II" ruling in its decision. Currently, EU residents have no appeal if US authorities remotely access their personal data stored in EU through legal enforcement laws such as CLOUD Act, FISA and Executive Order 12333.
CNIL suggests that in order to preserve fundamental liberties, personal health data should be stored on a cloud operated in Europe by juridical entities that are completely independent of any business activity in the US. CNIL suggests technology licensing approaches for US clouds to operate legally in EU whenever personal data of EU citizens needs to be stored.
Even though CNIL does not say anything about it, the same legal reasoning could apply to other sensitive personal data.
Conseil d'Etat (an equivalent in France of US Supreme Court) confirms in its decision that it is imposible for French government to control unsolicited access by US goverment to personal data stored on US clouds or on clouds subject to US law. Conseil d'Etat confirms that new projects involving personal health data must not use US clouds or clouds subject to US law.
It is very likely that similar decision would be taken by CNIL for personal data stored on a Chinese cloud provider for similar reasons realted to China Internet Security Law of 2016.
Understanding the reasoning behind the ruling
Let us consider the following parties
Parties in presence
||An EU resident
||A company or government using services of Y to store data of K
||A cloud company with business activity in EU and in country Z
||A country outside EU with some extra-territorial law
Because country Z can request to Y personal data of K stored by X on the cloud of Y, and because K can not appeal against this request of Z, and because Y can not refuse the request of Z due to its presence in Z and some extra-territorial law, then fundamental rights of K are violated. In application of proportionality principle and if X stores a lot of sensitive personal data, X is reponsible of this situation and should thus stop using Y. It does not matter whether data of K is stored inside EU or outside EU.
It is safe to consider that in order to avoid any litigation risk, companies which store personal data of EU residents on the cloud and especially sensitive personal data should migrate to a cloud provider which is not submitted to CLOUD Act, FISA, Executive Order 12333 or possibly China Internet Security Law.
If personal data is not encrypted, it is safe to store it on servers:
- located inside EU, to ensure the absence of foreign jurisdiction;
- controlled by an "independent" EU company.
Here are some examples of "independent" EU companies:
- an EU company with a majority of EU stockholders and no business in US or China;
- an EU company with a majority of EU stockholders and which business in US or China is operated through a subsidiary with an independent governance.
This second example still needs to be confirmed.
If personal data is encrypted, personal data could be stored on servers outside EU in certain cases as long as encryption keys used to access personal data of EU residents do not fall under the control of US or Chinese Law.
One should note that any cloud service which does not have access to personal data does not fall under the scope of CJEU/CNIL decission. An EU company which owns its servers could for example deploy on its own infrastructure a remote orchestration service as long as this remote orchestration service does not have access to personal data on the servers and does not itself store personal data.
CJEU/CNIL decision will likely be reverted by national court and lead to an appeal at CJEU which will likely confirm the original decision of CNIL.
Consequences of CJEU/CNIL could also evolve if a new Privacy Shield is implemented by EU.
Even though some EU governments are deeply influenced by transatlantic social relations and US-EU business opportunities, a new privacy shield is likely to face increased opposition from citizens. Human right values are no for sale for everyone in EU.
Also, due to the nature of CLOUD Act, FISA and Executive Order 12333, it is likely that any new EU Law which authorizes transatlantic data transfer will lead to "Shrems III" unless the US government abandons its global surveillance policy. The same could be said about Chinese governmment and China Internet Security Law.
In EU, states are prevented from mass collecting data thanks to the independence of CJEU. EU clouds which are not subject US or China
Beyond EU, US and China, some countries such as Russia or India have implemented or may implement digital sovereignty laws that prevent storing or processing data in EU. Digital surveillance defined in French law is probably incompatible with some privacy laws in Japan.
Russia or China do not allow storing personal data of staff outside Russia.
Overall, the consequences of "Shrems II" case and CNIL ruling are just one example of similar situations which will happen again in other parts of the word and result from the contradiction between laws related surveillance, fundamental liberties and digital sovereignty.
It is safer to design an IT system based on the observation that privacy should be enforced in every country and that all countries try to surveil each other through extra-territorial laws without any global framework. China's initiative to set global data security rules is unlikely to be accepted very soon by EU, US or Japan.
In a digital world with ever evolving and mutually conflicting national laws, the safest design for an IT system is to store data on servers owned by a local independent company and only rely on global cloud services that do not have access to data stored on those servers and do not store themselves personal data. Self-hosting can also be an option.
Just like GDPR did not lead to lawsuits immediately, CJEU/CNIL will not lead to lawsuits immediately.
However, privacy is important for citizens in EU, in Japan and in some other countries. Litigation in EU is not very costly and can be financed by a single person. Justice in EU is independent: national states can not control decisions of CJEU, ECHR, etc.
The risk of litigation is increasing for multinational companies that keep on ignoring EU cloud companies. Recent foreign policy in US ("America First") and in China (wolf diplomacy) is creating resentment among European population. Litigations against companies which store personal data of EU residents on clouds subject to US or China's laws will likely increase.
GDPR fines can be as high as 20,000,000€ or 4% of a company's yearly incom.
In this context, the safest approach for a company operating in the EU is to increase their use of EU cloud services that respect privacy. Another safe solution is to build their own cloud in the EU based on open source software and guarantee full auditability. One way to ensure that an EU cloud service respects privacy is to request access to operation management procedures and audits, something that companies such as BSO or Rapid.Space already provide. Another way is to verify compliance of the service with privacy standards, something which the Gaia-X project plans to provide in the future.
Some open source cloud software provided by EU companies:
Some EU cloud providers that try to ensure independence from US and China extra-territorial laws:
Some EU cloud providers that provide access to their operation management procedures:
Some unions of cloud providers that meet health data regulations and include EU members:
Gaia-X project: https://www.data-infrastructure.eu/GAIAX/Navigation/EN/Home/home.html