American Companies aren't allowed to process data of EU citizens

I wasn’t aware that there was a ruling of the European High Court on 16 July 2020 that nullified the SHIELD agreement. And since 2018 US law requires US companies to share even data not stored inside the US with the US authorities, so there simply is no way for US companies to comply with the European General Data Protection Regulation (GDPR).

Therefore, the only legal way to use any US company to process data of European citizens is by explicit consent of each individual. And it doesn’t seem to be possible to legally get such explicit consent in many cases. (Especially if the people concerned have no sensible alternative to saying yes to such processing, as is the case for students or employees.)

I would argue this makes using software and services from Microsoft, Apple, Google, Amazon etc. basically illegal if you are processing data from EU citizens. Platforms such as Facebook and Twitter might not be concerned by this in general because most private people personally created an account there which arguably counts as an explicit consent to such processing. But it might still be problematic to accept their tracking code on web pages because it would concern all visitors – not only those who did explicitly agree that these companies do process their data (and pass it on to the US authorities).

If I get this right, I think most European government bodies, companies and associations are operating outside the law at the moment, since very few have completely moved away from using such services from US companies.

And this is of course a very problematic situation because it could lead to very costly and in many cases devastating penalties. (If we ignore the underlying serious problem of data leakage to untrustworthy bodies in the first place.)

Did you know this and what are your thoughts on it?

Isn’t this an invitation to build on this legal problem and to strongly recommend the move to free distributed alternatives? Even refusing non-free operating systems? Who can ignore the threat of 20 million Euros for a serious breach of the GDPR? Does everyone really just hide in the crowd? … If we are not the only ones breaking the law, the consequences won’t be too bad?


Thanks for posting this on the community forum to trigger a discussion. I’m in!
I heard about the ruling in the press, but haven’t read it myself.

I have a question at the moment, which perhaps you can clarify: plenty of ‘US’ companies operating in the EU are actually legal entities in Europe acting as US subsidiaries. Does that change anything for this ruling?

I guess most companies are stuck in their ways and will try to continue their current way of working, letting US companies take care of the processing. Each ruling is one step closer to the intention of the law, but it seems we have some more steps to go before organizations will operate that way.

I fear only a competent lawyer in that subject could answer that. To me this sounds like a way out. If the European companies pay taxes in Europe they probably can be viewed just as European companies that are accountable according to European law. It shouldn’t matter with what entities an American company does business. The idea that doing business with an American company would entail the need to hand over all data to the Americans sounds rather strange. Only if the American company itself does some data processing should American law apply to this data.

I’ve been doing some more reading on this topic trying to answer my own question. The Standard Contractual Clauses (SCC) are considered a way to still process data with US IT companies. In these contracts the IT company promises to abide by the European rules.
In practice however, lawyers doubt this is sufficient, as the responsible company is required to verify the compliance by the IT company. And this is where it gets interesting.
AWS for example has created an addendum to provide more certainty for European companies. However, the guarantee is not definitive, as can be read in the PDF:

3. Confidentiality of Customer Data: AWS will not access or use, or disclose to any third party, any Customer Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends AWS a demand for Customer Data, AWS will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, AWS may provide Customer’s basic contact information to the governmental body. If compelled to disclose Customer Data to a governmental body, then AWS will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless AWS is legally prohibited from doing so. If the Standard Contractual Clauses apply, nothing in this Section 3 varies or modifies the Standard Contractual Clauses.

So to rephrase, if AWS is legally required to hand over data and is not allowed to inform the customer, the customer will never know.

I don’t see how this can be a sufficient guarantee.

European cloud services provider OVH has written a nice blog post describing the issue and their stance on the matter:

Except for services ordered directly from OVHcloud’s US entity, in the course of performing its services, OVHcloud does not transfer its customers’ data to the United States.
Indeed, OVHcloud’s data centers located in the United States do not host any of the services marketed by OVHcloud’s non-U.S. entities; said US data centers being only used to host services marketed by OVHcloud’s U.S. entity. In addition, OVHcloud’s US entity is not involved in the provision of services provided by OVHcloud non-American entities. In particular, none of these services are administered from the United States, and therefore no related data processing can be remotely operated, and notably accessed, from the United States.
Therefore, the invalidation of the Privacy Shield has no impact here.

So it seems OVH has managed to find a way to operate globally whilst not being impacted by the Privacy Shield. This also answers the question of how you can be certain that a European cloud provider today will not have to hand over the European data tomorrow if they start doing business in the US.

I’m certain the legal ramifications will become clearer over the coming years. I’m afraid the US will again try to extend their reach over data, making it even more difficult for companies to operate both in Europe and the US, similar to how companies operating in China use completely separate business entities due to legal requirements.
