• Legal and regulatory developments related to data protection are forcing significant changes in financial services (FS) firms’ Cloud strategies and operations. 
  • The Schrems II ruling by the Court of Justice of the European Union (CJEU) is a clear example, which adds significant complexity to firms’ ability to use Cloud Services Providers (CSPs) incorporated in third countries. 
  • FS firms must assess the implications of the ruling on their Cloud strategies and take swift action to enhance their governance and risk management frameworks, if required. 
  • As EU and UK Data Protection Authorities (DPAs) further elaborate their response to the ruling in the coming months, FS firms will need to be ready to react to further guidance and directions. 

With digitisation key to post-pandemic recovery and growth, in 2021 we expect FS firms to accelerate the implementation of strategic Cloud projects. Outsourcing to CSPs will continue to be under the spotlight of FS supervisors who remain vigilant to the ability of firms to manage the associated risks. However, increasingly data protection legal and regulatory developments will also have important direct and indirect impacts on Cloud adoption and risk management in FS.

The Schrems II ruling by the CJEU is a clear example. The ruling makes it significantly more complex for FS firms to host data in Cloud infrastructures in third countries that are not deemed adequate under the EU and/or UK General Data Protection Regulation (GDPR).[1][2]

Firms should assess the impact of the ruling on their Cloud programmes and ensure their governance and risk controls environment remains appropriate. In some cases, the impact of the ruling could be significant and require a more substantial review of a firm’s Cloud strategy.

Schrems II ruling and its aftermath

In a landmark ruling last summer, the CJEU quashed the EU-US Privacy Shield as a legal mechanism for international transfers of personal data from the EU to the US. The CJEU also ruled that while Standard Contractual Clauses (SCCs) – the transfer mechanism used by many FS firms in their contractual agreements with CSPs – remain valid, their use must be subject to stricter requirements.

The Court ruled that firms must ensure that the use of SCCs grants data subjects a level of protection that is essentially equivalent to that afforded by EU law. To do so they must assess all relevant aspects of a third country’s legal system and ensure that nothing prevents data importers from honouring SCCs and guaranteeing compliance with the level of protection required.[3] If necessary, firms should put in place additional safeguards to achieve equivalent protection for data subjects. If this is not possible, personal data transfers should not take place or should be immediately suspended. 

Following the ruling the European Data Protection Board (EDPB) issued additional guidance to help data exporters assess data transfers to third countries. The EU Commission also consulted on an updated set of draft SCCs to reinforce the protection of data subjects. The updated SCCs include safeguards to address the effect of the laws of the country of destination, and details on how to deal with binding requests from public authorities in third countries to disclose personal data. They also include a mutual warranty stating that the contracting parties have no reason to believe that any applicable laws in the third country prevent the data importer from fulfilling its SCCs obligations.

Implications for FS firms’ Cloud strategy, governance and risk management

The Schrems II ruling has significant implications for CSPs and their clients, as personal data storage in Cloud infrastructure in, and remote access from, a third country are considered data transfers.[4] 

FS firms’ Cloud governance and risk management processes will need to be updated to ensure that appropriate controls are in place. At a minimum firms will have to map all transfers of personal data to third countries arising from their use of CSPs. If relying on SCCs for international data transfers, they will need to assess the law in each third country and judge whether it may prevent the CSP from fulfilling its contractual obligations. Firms should identify and adopt any necessary supplementary measures to bring the level of protection of the data transferred up to the EU standard of essential equivalence. Such measures could be technical (e.g. encryption), organisational (e.g. enhanced transparency and accountability measures), and/or contractual (e.g. obligations to implement the technical measures).

Firms should pay particular attention to surveillance measures and any extraterritorial effect of the third country’s legal system. For example, personal data stored in EU-based data centres of US CSPs may still fall into scope of the jurisdiction of surveillance tools such as Section 702 of the US Foreign Intelligence Surveillance Act (FISA 702).[5] If FISA 702 applies, the CJEU clarified that protection of data subjects would be reduced to an extent not compatible with EU law. Additional safeguarding measures – e.g. encryption – may also be ineffective in such cases, if they are either prohibited or rendered ineffective by law (e.g. public authorities can demand that encryption keys be handed over). If this is the case, FS firms may need to reconsider their Cloud strategies more substantially, including CSP selection criteria, and further explore hybrid Cloud computing models, such as those where personal data remains stored on firms’ on-premises servers.

It is important to note that the EDPB also clarified that firms need to assess third country risks from a purely objective standpoint. A risk-based approach (e.g. making an assessment based on whether a law or regulation was likely to be applied in practice) would not acceptable in this context.

What happens next?

The response of EU and UK DPAs to the Schrems II ruling is still developing. Additional guidance is expected (and needed) from national DPAs.

The CJEU made clear that DPAs are expected to suspend or prohibit personal data transfers to third countries if they take the view that SCCs cannot be complied with and an appropriate level of protection for data subjects cannot be achieved through additional safeguards. But DPAs’ responses so far have been inconsistent. Some DPAs’ responses have been very strict, while other DPAs have not yet expressed a definitive opinion. In the UK for example, the Information Commissioner’s Office (ICO) is still considering its position and whether additional guidance or clarification are required.

FS firms must be prepared to respond to any further communications from DPAs, and to update their contracts with the updated SCCs, once they are adopted by the EU Commission in early 2021. In the UK, the ICO will need to confirm what it expects firms to do, as SCCs will not be automatically applicable to the UK following the end of the Brexit transition period.

Conclusion

Far from being a back-office function, data protection is now front and centre of FS firms’ Cloud and digitisation strategies. Firms will need to monitor developments closely and take swift action to ensure their data transfers are compliant, secure and efficient.

Looking further ahead, in addition to data protection FS firms will also need to remain alert to competition initiatives, such as the EU Commission’s proposed Digital Markets Act or the recently announced new UK Digital Markets Unit, that aim to address the market dominance and possible anti-competitive behaviours of large technology companies. While still in very early stages, such initiatives will continue to put CSPs in the crosshairs of policy makers, with potential indirect repercussions for Cloud adoption programmes in FS too.

***

Footnotes:

[1] GDPR has been fully transposed into UK law, and is now known as UK GDPR. Following the end of the Brexit transition period on 31 December 2020, the UK is now treated as a third country and is seeking adequacy with the EU Commission under GDPR. In the interim, under the EU-UK Trade & Co-operation Agreement it is deemed lawful to transfer data from the EU to the UK until 1 May 2021. The interim period can be extended until 1 July 2021, if no adequacy decision is reached and there is no objection from the EU or UK. This article assumes the UK will be granted full adequacy by the EU Commission by June 2021 at the latest. The UK GDPR currently permits free transfers of personal data from the UK to the EU/EEA and to any countries which, as at 31 December 2020, were covered by an EU Commission ‘adequacy decision’. 

[2] The Schrems II ruling was issued before the end of the Brexit transition period and continues to have relevance for the UK. 

[3] This includes its data protection framework, international commitments, respect for the rule of law, access to justice, and international human rights norms.

[4] https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf

[5] FISA 702 permits US National Security Agencies to obtain personal data of non-Americans located outside the US stored with electronic communications services providers.