On July 10, 2023, the replacement for the Privacy Shield, the EU-US Data Privacy Framework, was adopted. Many businesses are now asking whether it is the green light to process information in US cloud services.
Our assessment is that it is still inappropriate.
Per Tuvall, a data protection expert, has summarized the main effects of the EU-US Data Privacy Framework in a preliminary analysis providing a snapshot of the agreement:
EU-US Data Privacy Framework
Preliminary summary by Per Tuvall (2023-07-11) - What does the new adequacy decision mean?
Using cloud services such as Microsoft Teams, Zoom, Amazon AWS and the like is likely to become legal as soon as companies join the DPF framework, which is likely to happen soon. More info from the US Department of Commerce and the Privacy Shield website. However, there are questions about transfers to US authorities from data processors such as Microsoft, Zoom, Amazon etc.
The use of social media remains problematic as the only possible legal basis for advertising based on profiling is consent. See press release from the European Court of Justice.
Confidential data still cannot be transferred to US-based cloud services such as Teams, Zoom, AWS, etc. because the data would be disclosed. Conducting a general threat assessment on large amounts of data that may contain classified information is difficult, even after the new law on breach of confidentiality comes into force.
A new venture into US-based cloud services is a risky strategy. According to NOYB and Max Schrems, the adequacy decision is a result of political pressure and the US changes to surveillance laws are cosmetic. A Schrems III judgment with an uncertain outcome is to be expected.
In summary, there is still a high level of uncertainty associated with managing data in foreign clouds. We believe that Swedish data should be managed in Swedish clouds, under Swedish legislation and with Swedish integrity.