Open Telekom Cloud for Business Customers

After Schrems II: Play it safe with a European cloud

by Editorial Team
A Europe flag with castle icon in the center of the stars.
Without transferring data to third countries, European cloud solutions offer data sovereignty and the greatest possible security.

In this article you will read about, 

  • the background to the ECJ's "Schrems II" ruling,
  • what the new developments mean for companies, public-sector institutions, and IT service providers that rely on US cloud services,
  • and how choosing the right public cloud helps to ensure EU-compliant data protection.

Whether exchanging order information with international subsidiaries or research results in university collaborations, whether processing information in commercial enterprises or in digital public administration: data knows no borders. And cloud computing is indispensable for implementing a wide range of requirements. For many companies and public-sector institutions, processing data internationally has long been part of everyday life. According to market researchers at Capgemini, 73 percent of all companies in Germany, Austria, and Switzerland exchanged data with suppliers in 2020, six out of 10 with supervisory authorities and three out of 10 with commercial data providers. Personal information must be particularly well protected. Realizing that one's own data, which is stored in the public cloud, is now in foreign hands after a cyber attack or government access abroad? That’s a worst-case scenario.

Call for more data protection

The Privacy Shield agreement between the United States and the European Union also served to protect European data abroad. In its Schrems II decision, however, the European Court of Justice (ECJ) overturned the Privacy Shield in July 2020 – just as it had overturned its predecessor, the Safe Harbor agreement, several years earlier. This is because, according to the European General Data Protection Regulation (GDPR), all data transfers to countries outside the EU must ensure that the level of data protection in the destination country corresponds to that in the EU. However, according to the ECJ, the Privacy Shield could not guarantee adequate protection and was therefore overturned.

Open Telekom Cloud in the public sector


Standard contractual clauses as an alternative

Another approach to international data transfers that complies with data protection requirements is the use of standard contractual clauses (SCC). In these, the data exporter and the foreign data importer contractually agree on the level of data protection. However, the data importer must actually be able to comply with these obligations. Following the ECJ ruling, the standard contractual clauses continue to be valid – even for transfers to the US. However, a case-by-case review and, if necessary, the implementation of further measures is always required. In addition, the SCCs date back to before the GDPR. The consequences for many companies and public institutions: unacceptable legal risks and fear of high penalties on the one hand, costly and uneconomical processes for implementation in new contracts on the other.

What triggered Schrems II

  • The Irish data protection regulator prohibited Facebook from transferring data to its US headquarters. As a result, Facebook threatened to withdraw from the European market.
  • The Berlin data protection regulator called for coordinated action to stop data protection abuses
  • Data protection activist Max Schrems filed a complaint with his NGO "noyb" against more than 100 EU companies that relied on US processors with inadequate safeguards.

New clauses, new chance for EU-US data protection

What now? For long-term secure business relationships that rely on digital everyday life, the ruling created an enormous hurdle. After all, companies, universities, and public administration face great uncertainties when exchanging data overseas, especially when it comes to the question of what additional measures they have to take. Accordingly, the EU was under pressure to eliminate these uncertainties and reconnect the market internationally in a future-proof manner. Therefore, the European Commission presented new standard contractual clauses in June 2021.

The new EU standard contract clauses

  • four modules for the respective application area
  • clearer language, more flexible design
  • new documentation and audit obligations for data exporters, notification and defense obligations for importers
  • transition period for existing contracts until 27.12.2022

The new version of the SCC is intended to provide "user-friendly instruments for the transfer" for companies and public authorities. This means that if companies still exchange personal data with third countries such as the US on the basis of the old clauses, they must review existing contracts and adapt them to the new SCC within 18 months. What kind of effort will this involve? It could be considerable, depending on the size of the company or public authority and the international integration of processes. Given the gap between the requirements of the GDPR and the self-image of many third countries, a new agreement is not likely for the foreseeable future.

Armed with European clouds for Schrems III

It remains to be seen how the ECJ would rule in the event of a lawsuit over the new SCC or even a potential new Privacy Shield. The European Commission's expectations of the US are very high. Would such a new regulation be compatible with EU law? Or is "Schrems III" looming? Even if users of Microsoft Azure and Amazon Web Services were more protected by the new clauses: There is no such thing as 100 percent certainty. European cloud environments, on the other hand, offer certainty. Because without transfers to third countries, there is no need for additional provisions. For companies and municipal, federal, and state institutions this means: data sovereignty based on European solutions is the most effective means of long-term security for all cloud applications. Against operational failures, unauthorized access by authorities, and data leaks that can endanger the reputation and personal data of customers and citizens, but also research results. True to the motto: If you don't export, you won't be affected by surprising changes and stricter requirements.

Book now and claim starting credit of EUR 250


Do you have questions?

We answer your questions about testing, booking and use – free of charge and individually. Try it! 
Hotline: 24 hours a day, 7 days a week
0800 3304477 from Germany / 00800 33044770 from abroad

  • Communities

    The Open Telekom Cloud Community

    This is where users, developers and product owners meet to help each other, share knowledge and discuss.

    Discover now

  • Telefon

    Free expert hotline

    Our certified cloud experts provide you with personal service free of charge.

     0800 3304477 (from Germany)

    +800 33044770 (from abroad)

    24 hours a day, seven days a week

  • E-Mail

    Our customer service is available free of charge via E-Mail

    Write an E-Mail