By Thierry Notermans

GDPR’s EU-US Privacy Shield invalidated: what’s the impact on cloud migration projects?

How will cloud computing change due to GDPR?

Today, it’s no secret that more and more enterprises are moving to the cloud as it brings many advantages, such as better optimization of IT resources, but also potentially some substantial costs. One of the challenges faced when migrating to the cloud is the sensitivity of entrusted information – this is where the GDPR regulation comes into play. Below we delve deeper into the challenges posed by GDPR and how to address these when creating your cloud migration strategy.

GDPR in a nutshell

The EU General Data Protection Regulation (GDPR), which came into force in May 2018, is an ambitious effort that seeks to fill a gap in the field of internet privacy. This regulation aims to protect the privacy of European citizens by regulating the conditions under which Personally Identifiable Information (PII) can be processed by what GDPR calls a “controller”.

The definition of a controller is not limited to organizations located in Europe; in other words, US-based companies are also subject to the GDPR.

Article 4 of GDPR defines “data processing” as “any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means”.

In a nutshell, this means that simply storing data is considered data processing.

Furthermore, the processing does not need to take place in Europe. As long as PII of European citizens is being processed – no matter where and by whom in the world – that processing is subject to the GDPR!

Engaging a data processor to protect PII

While controllers are primarily responsible for protecting PII, they often engage other organizations to process the PII on their behalf. Using Cloud Service Providers (CSPs) to store data is one example of engaging a processor.

When data is transferred internationally, the controller has to make sure there is a contractual agreement in place with the processor to ensure that PII will be adequately protected, in accordance with GDPR.

In the past, typical safeguards that were deemed appropriate were:

  • Standard Contractual Clauses (SCCs)
  • Ad-hoc contracts approved by the supervisory authorities
  • Approved processor Binding Corporate Rules (BCRs)
  • The EU-US Privacy Shield

For many US-based companies transferring and storing EU personal data in the US, the EU-US Privacy Shield was the royal road to GDPR compliance.

One of the main reasons was that adopting this framework is a self-certification process – which clearly eased the compliance process! Well, those days are now over!

The end of the EU-US Privacy Shield

This EU-US Privacy Shield framework protected the fundamental rights of anyone in the EU whose personal data was transferred to the United States for commercial purposes. It allowed the free transfer of data to companies that were certified in the US under the Privacy Shield.

The EU-US Privacy Shield was a replacement for the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015. In a ruling dated July 16, the European Court of Justice invalidated Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield. The ruling, however, added that the Court considers the EU Commission decision on Standard Contractual Clauses (SCCs) for the transfer of personal data to processors established in third countries to be valid.

The impact

The invalidation of the EU-US Privacy Shield does not mean that companies cannot process European personal data in the US. They can still make use of Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) to remain compliant with GDPR requirements.

However, this invalidation decision now requires data controllers to assess the level of data protection in the data recipient’s country and to suspend the transfer if that level is deemed inadequate. It also underlines the strong obligation of each data protection authority in every EU member state to suspend transfers of personal data that they deem unsafe according to EU data protection requirements.

Whether or not a company can transfer personal data on the basis of BCRs or SCCs will depend on the result of this assessment, taking into account the circumstances of the transfers and any supplementary measures that could be put in place. Following a case-by-case analysis of the circumstances surrounding the transfer, these supplementary measures, together with the BCRs/SCCs, would have to ensure that U.S. law does not impinge on the adequate level of protection they guarantee.

In conclusion, if appropriate safeguards cannot be ensured, even taking into account the circumstances of the transfer and possible supplementary measures, you are required to suspend or end the transfer of personal data.

How the “Big 3” cloud service providers reacted to the invalidation

Unsurprisingly, Microsoft, Google and Amazon quickly reacted to this announcement. According to them, using their respective SCCs guarantees compliance with GDPR.

“We want to be clear,” wrote Julie Brill, Microsoft CVP for global privacy and regulatory affairs and chief privacy officer. “If you are a commercial or public sector customer, you can continue to use Microsoft services in compliance with European law. The Court’s ruling does not change your ability to transfer data today between the EU and US using the Microsoft cloud.”

Pablo Chavez, VP government affairs and public policy at Google Cloud, wrote: “Given the European Court of Justice has upheld the SCCs, it is important to know that your use of G Suite and Google Cloud Platform meets GDPR’s standards for transfer of personal data outside the EU.”

AWS chief information security officer, Stephen Schmidt, wrote similarly, citing the continued use of SCCs. “AWS customers can rely on the SCCs included in the AWS Data Processing Addendum,” Schmidt wrote. “As the regulatory and legislative landscape evolves, we will always work to ensure that our customers and partners can continue to enjoy the benefits of AWS everywhere they operate.”

I guess it’s time to rethink your cloud migration strategy

Even if the big players’ armada of lawyers will ensure they remain compliant with GDPR requirements through SCCs, what about the smaller players out there that relied on the previously quite open EU-US Privacy Shield?

In your role as data controller, your organization has to make sure that personal data processed in the US remains adequately protected. Having adequate tools that guarantee full visibility into data transfer behavior is key to being able to take the correct corrective actions.

Skylight delivers high definition visibility across applications and the network, from all sources of data, no matter where it lives. Accedian Skylight ensures that you gain total control and full visibility into the end user experience.

Hurry up – there is no grace period! As of July 2020, processing data in the US without an adequate SCC or BCR in place is illegal… be aware!