Could Cloud Firms Be Fined Next by the EU?

News that Meta Platforms (Nasdaq: META) has been fined $1.3 billion by European officials for violating the European Union’s General Data Protection Regulation (GDPR) raises questions about the exposure faced by public cloud service providers.

To recap: The Meta fine follows a 2020 ruling by the European Court of Justice that invalidates the use of the former EU-US Privacy Shield protocol jointly set up between the U.S. Department of Commerce and the EU governing the transfer of personal information from EU countries to the U.S. Not only did the 2020 ruling void that methodology, it made clear that another longstanding tack for data transfer would be more closely scrutinized. Specifically, Standard Contractual Clauses (SCCs), which guarantee EU users’ redress if their data is mishandled or lost by the entity transferring the data, must now be augmented with measures that ensure data is protected on par with European Commission rules that limit government access to it.

The U.S., the EU court determined, does not limit government surveillance of personal data on par with EU rules.

The latest EU regulations took shape after complaints by attorney and privacy activist Max Schrems of Austria were taken up by the EU court. Schrems maintained that despite the GDPR mandates, Facebook continued to use SCCs to collect his personal information and send it to U.S. servers, where it was potentially liable to government intelligence gathering.

A String of Sanctions

Meta’s fine and order (which calls for a cessation in data collection in the EU and the erasing of data already collected) is just the latest in a string of fines leveled against Meta by the EU. By the end of 2022, the Facebook parent had been charged about $900 million by EU authorities. Some of that was owing to Facebook data being exposed in data leaks; other fines pertained to children’s data collected by algorithms on Instagram.

Other U.S. companies have also been fined under the GDPR. Amazon (Nasdaq: AMZN) was fined over $800 million by EU authorities in 2021 for personal data collections related to its advertising system. And in 2019, Alphabet (Nasdaq: GOOGL) was fined over $56 million for the same thing.

In all cases, the companies argued the fines and orders were unfair and called for reformed agreements between the U.S. and the EU. In a blog on Meta’s site, Nick Clegg, Meta’s President, Global Affairs, and Jennifer Newstead, Chief Legal Officer, stated:

“The ability for data to be transferred across borders is fundamental to how the global open internet works. From finance and telecommunications to critical public services like healthcare or education, the free flow of data supports many of the services that we have come to rely on. Thousands of businesses and other organisations rely on the ability to transfer data between the EU and the US in order to operate and provide services that people use every day.

“Without the ability to transfer data across borders, the internet risks being carved up into national and regional silos, restricting the global economy and leaving citizens in different countries unable to access many of the shared services we have come to rely on. That’s why providing a sound legal basis for the transfer of data between the EU and the US has been a political priority on both sides of the Atlantic for many years.”

Back in October 2022, U.S. President Joe Biden signed an executive order outlining measures to be taken to protect personal information at the government level. The measures are supposed to be part of a wider EU-U.S. Data Privacy Framework that has yet to be finalized. (According to the Wall Street Journal, negotiations are in limbo.)

Actions Taken So Far

Cloud firms clearly have a stake in ensuring data flows between the U.S. and Europe proceed unhindered. They also have been proactively navigating the GDPR requirements for a couple of years now. AWS claims to support the GDPR specifically, for both its customers and any businesses those customers deal with. AWS also says it has over 500 services and features that support data privacy anywhere in the world. Azure makes similar claims. Google Cloud’s website specifically outlines exactly how it complies with GDPR.

But the hyperscalers don't have sufficient guarantees, at least in the EU's eyes, that government demands for their servers' data won't lead to personal data exposures. Though the cloud firms can oppose any government interference, they will be unprotected until the U.S. and Europe establish a framework for transatlantic data transfers. Meanwhile, these cloud providers are operating in a defensive mode, hoping to cover all bases to guard against potentially punishing fines and orders.

There's more: In early May 2023, the European Union Agency for Cybersecurity (aka ENISA) issued a document calling for cloud providers to get special "labeling" to handle sensitive data. To get certified, a cloud provider would have to manage data through an EU-owned joint venture in which it had only a minority stake. The data would have to be stored and handled within the EU and access to the data would only be provided to EU citizens.

Clearly, the stakes are getting higher for cross-border information sharing, and cloud service providers will not be exempt from the tightening measures.