Schrems-II – At what cost?
With more than a year since the Schrems-II verdict, I am wondering if it has really left us with any better privacy, or if it has actually been a net loss for European citizens.
To make a very brief (and probably somewhat unfair) summary: The Schrems-II decision by the European Court of Justice decided that Facebook had broken European law by transferring the personal information of Max Schrems to the United States under the Privacy Shield agreement. This invalidated the agreement, and also set the precedence that the US justice system could not provide adequate protection to the fundamental rights of Europeans.
With this backdrop, the European Data Protection Board (EDPB) issued a set of guidelines to how transfers to the US could be done in the face of the new judgement. A crucial issue then arose: Can you transfer data to a European company if that company in turn is owned by an American company? Will this constitute a transfer to the US, and thus be in breach of the Schrems-II decision?
Those who argue yes, say that the American owners can be forced by the US justice system (and in particular the FISA-courts) to make their European subsidiaries break European law and hand over data that the US seeks. The face that this possibility exists, they argue, is in itself a transfer, and thus in violation of the Schrems-II ruling.
This has caused many businesses to question the use of American owned services such as Google Cloud Platform, Amazon Web Services, and Microsoft Azure, the three leading providers of cloud services. Instead, they may have remained with on-prem solutions, or sought out smaller European providers without American owners.
What's the big deal?
This is most likely not a good thing for Europeans! There are great security and privacy benefits when moving to the large cloud providers. These companies spend enormous amounts of money and resources at keeping their platforms secure. Microsoft has said at one point that they employ 3 500 security professionals and spend more than $1 billion on security alone. That is most likely more than the entire staff and operational budget of most medium sized cloud providers.
Security is a key feature of privacy, and those who have chosen what might be less secure providers in order to mitigate what seems to be a largely theoretical threat might have done what is legally correct, but I would argue that it might be the wrong choice for their customers in the long run.
The chances that a company hosting data with Google in Europe will be the target of a FISA case, that culminates in the court forcing Alphabet Inc. to secretly make their European company break the GDPR and hand out customer information, is extremely low for most users of the platform. In addition, most such cases are much more easily solved by the American government asking the local government in the country of the company that owns the data to use local laws to force the release of the information.
In the meantime, real threats to our privacy are all around us. Both individual hackers, criminal gangs and nation state actors attempt to steal information to publish it or sell it. Every day loads of personal information that should have been kept secret is leaked, and this has real consequences for real people. The time spent trying to wrap our heads around how we can comply with a highly unlikely scenario has most likely cost us the opportunity to protect against the actual threats to our users.