Cloud v Schrems 2: Keep calm and carry on may just not cut it
Implementing any “supplementary measures” suggested by the EDPB may be impossible for organisations that are at the mercy of cloud providers. By Edwin Baker, Alexander Dittel and Marta Dunphy-Moriel of Kemp Little.
When Safe Harbor was invalidated in 2015 in judgment C-362/14 (Schrems 1) of the Court of Justice of the European Union (CJEU), the cloud industry had to quickly adopt fallback positions for data transfers, such as the standard contractual clauses (SCCs) or, those with more time and money to spend, the very reliable Binding Corporate Rules (BCRs) for processors. By the time Safe Harbor’s successor, the Privacy Shield, was finally adopted in 2016, the cloud market had changed. Data centre locations had stopped being a trade secret and became a widely advertised competitive advantage, as US cloud providers started offering EU-based regional servers. This was partially due to the emerging competition in Europe.