Cloud is a very confusing term suggesting that data is stored somewhere “in the sky”. However, as a matter of fact, data is stored on the ground, in the servers physically located in certain countries with their own jurisdiction. And here is a catch: companies offering cloud-based services to Europeans need to comply with the European data protection rules. Until recently, Europe has known 28 national data protection regimes, often quite diverging. The EU General Data Protection Regulation – adopted on 27 April 2016 and entering into application 25 May 2018 – provided a useful first step: it offered the possibility of a single, pan-European set of rules in the data protection area.
Nonetheless, the EU General Data Protection Regulation is of little help for US technology giants. For 15 years, the leading US technology companies could benefit from the provisions of the European Commission’s 2000 decision on EU-US Safe Harbour. This arrangement allowed US companies to store and treat the data of European citizens on US soil. On 06 October 2015, the Court of Justice of the EU declared this arrangement invalid. After a nine-month period of legal uncertainty, on 12 July 2016, the European Commission adopted its decision on the EU-US Privacy Shield. According to the European executive, this new framework protects the fundamental rights of anyone in the EU whose personal data is transferred to the US.
Yet, US tech giants do not seem to be convinced. Driven by legal uncertainty and privacy concerns, they have ventured to build their cloud facilities on European soil. Microsoft has a technology centre in Munich, Germany, a country with the most rigid data protection regime. In addition, Microsoft is building a € 2 billion data centre in the Dutch Noord-Holland province, in the heart of the region’s agricultural area, attracted by the cheap land, world-class digital infrastructure and sufficient energy supplies. When completed, the cloud centre will be biggest data centre in Europe. Google is following suit and building a data centre in the north of the Netherlands in a region bordering Germany. Two months ago, Amazon Web Services announced its plans to open a data centre in Paris in 2017. Their company is boosting its European presence; it has already two data centres – in Ireland and Frankfurt. Alibaba, a Chinese global e-commerce company, is eyeing Germany too, where it builds its first European data centre. On thing is common: if your cloud services can satisfy the strict German data protection requirements, you can run your European cloud safely.
Despite the encouraging statements from the European Commission about the EU-US Privacy Shield, uncertainty prevails. Just a month ago, on 21 October 2016, privacy advocacy group Digital Rights Ireland launched a challenge in European courts against the EU-US Privacy Shield, claiming it does not adequately protect the privacy rights of EU citizens. The organisation has a successful track record of challenging European data processes. It argued for the striking down of Safe harbour, and in April 2014, the European Court of Justice declared the EU Data Retention Directive invalid. The present lawsuit against the Privacy Shield is expected to take over a year to resolve, contributing to the mounting uncertainty surrounding transfers of personal data from Europe to the US.