An investigation on the legal status of transfers to third countries when using American cloud services in the light of the Schrems II-ruling
Student thesis: Master Thesis and HD Thesis
- Jakob Bjørn Sørensen
4. term, Laws, Master (Master Programme)
This paper will describe the investigation of cross border transfers from the EU/EEA to the U.S. by virtue of the usage of American cloud service providers, such as Microsoft, Google and Amazon. It will revolve around how data exporters, subject to the General Data Protection Regulation (“GDPR”), can continue to use American cloud services even though these are subject to U.S. surveillance laws, including FISA 702, EO 12.333 and CLOUD Act, seen in the light of the infamous CJEU judgment in the Schrems II case.
The investigation is carried out by the author by applying the legal dogmatic method as the purpose of the investigation is to describe the current legal status within this field. To achieve this purpose, the investigation entails an analysis and explanation of the Schrems II-ruling. This will be used to gain a full understanding of the interpretation and application of the GDPR, where personal data is being processed by a data processor in the U.S on behalf of a data controller in the EU/EEA.
Based on the ruling, EDPB released their recommendations on supplementary measures, which constitutes a valuable and decisive interpretative contribution for this investigation. The recommendations are used during the investigation to apply in a fictional scenario, created by the author, to put the recommendations in to the context of a somewhat “normal” data exporter within the EU/EEA, which are using American cloud service providers for various purposes.
Furthermore, decisions taken by various supervisory authorities within the EU will be subject to a discussion aiming to clarify whether - and how - the continued usage of American cloud providers is possible within the law.
The investigation does conclude that some lawful use cases of American cloud services exist, however not without the functionality of these services being significantly limited to storage purposes only. Furthermore, it concludes that there’s still a fair amount of uncertainty within this field due to the lack of a uniform application of the GDPR across the EU/EEA.
The investigation is carried out by the author by applying the legal dogmatic method as the purpose of the investigation is to describe the current legal status within this field. To achieve this purpose, the investigation entails an analysis and explanation of the Schrems II-ruling. This will be used to gain a full understanding of the interpretation and application of the GDPR, where personal data is being processed by a data processor in the U.S on behalf of a data controller in the EU/EEA.
Based on the ruling, EDPB released their recommendations on supplementary measures, which constitutes a valuable and decisive interpretative contribution for this investigation. The recommendations are used during the investigation to apply in a fictional scenario, created by the author, to put the recommendations in to the context of a somewhat “normal” data exporter within the EU/EEA, which are using American cloud service providers for various purposes.
Furthermore, decisions taken by various supervisory authorities within the EU will be subject to a discussion aiming to clarify whether - and how - the continued usage of American cloud providers is possible within the law.
The investigation does conclude that some lawful use cases of American cloud services exist, however not without the functionality of these services being significantly limited to storage purposes only. Furthermore, it concludes that there’s still a fair amount of uncertainty within this field due to the lack of a uniform application of the GDPR across the EU/EEA.
| Language | Danish |
|---|---|
| Publication date | 12 May 2022 |
| Number of pages | 54 |