Despite promises of new data agreement: Copenhagen does not dare to move on a huge cloud project
Copenhagen Municipality was supposed to save 15 million kroner over the next few years by putting its entire digital infrastructure in Microsoft’s cloud solution.
But the Schrems II ruling has led the municipality to put the big project on hold.
Right now, one cannot move to the American technology giant's cloud, and the municipality is therefore waiting for the European Commission to find a solution to the problem that plagues thousands of organizations throughout the EU.
The Schrems cases
In October 2015, the European Court of Justice rejected the “Safe Harbor” agreement between the EU and the US with the Schrems I ruling. Shortly afterwards, the two parties entered into an agreement, Privacy Shield, which some European companies used as a transfer basis to the United States for the next five years.
In the summer of 2020, the European Court of Justice ruled in the Schrems II case, which ended with the Privacy Shield transfer basis being rejected. Prior to the decision, European companies had relied on the Privacy Shield to, among other things, use American cloud services.
Now, companies must instead use standard contracts with supplementary measures, and it is a very difficult task to find measures that are good enough to make personal data transfers to the USA legal.
This has created confusion among many: Should one end the use of American cloud services? Or should one wait for the European Commission to reach a new agreement?
However, the EU seems to have found a solution. In March, Commission President Ursula von der Leyen and President Joe Biden agreed on a new data agreement that “will lead to predictable and credible data transfers that balance security, the right to privacy and data protection”, writes von der Leyen in a Twitter message.
But that is not enough for the Danish capital, the financial administration states in an e-mail:
– Copenhagen Municipality is waiting for the political proposal from the EU and the USA to be concretized and for new rules to be adopted in the area, cf. the Danish Data Protection Agency’s proposal in March.
Confidence in the data agreement is faltering
Shortly after the EU and the USA had entered into the new agreement, the Danish Data Protection Agency said that organizations that want to switch to an American cloud solution must wait for a written agreement:
– The Data Inspectorate naturally welcomes the work of the EU Commission […]. The scheme may eventually become very important, but for the time being it is just an agreement on the general lines. It is thus still not so specific that it allows organizations to transfer personal information to the United States. This is because there is still no new basis for transfer or any new adequacy assessment, the Authority writes in a press release.
Although the new agreement in its current form cannot be used to realize Copenhagen City’s cloud ambitions, it promises that the US will implement measures to limit the massive surveillance the country’s intelligence services are allowed to carry out on EU citizens.
Right now, U.S. law enforcement is providing access to European citizens’ personal data. It is a violation of the EU’s human rights principles.
Problematic American legislation
FISA 702 is a US law that allows the country’s intelligence services to look over the shoulder of so-called “electronic communication providers” to see what personal data they hold. Cloud providers in the United States fall into that category.
Executive Order 12333 «enables the NSA to access information that is in ‘transit’ to the United States from the submarine cables lying on the seabed in the Atlantic Ocean and to collect and store this information before it arrives in the United States and is subject to FISA’s provisions», it is stated in recital 63 of the Schrems II judgment.
The Cloud Act gives US authorities the right to request US companies to disclose data wherever in the world they are stored.
This conflict formed the basis for the European Court of Justice’s Schrems II decision from the summer of 2020, but now the USA is trying new initiatives which are to make the country a safe third country.
A presidential order is to ensure that the intelligence services can only collect information that is “necessary and proportionate”. An EU Court of Appeals will also be established.
But the proposed solutions have met with criticism from, among others, privacy activist Max Schrems, who is behind the previous EU cases.
Municipalities believe in an EU solution
Although Max Schrems and experts such as the Danish professor Henrik Udsen are skeptical of the new agreement, Copenhagen Municipality is optimistic. It still expects to be able to resume the cloud project within a year:
«Based on the political proposals from the EU and the USA, the municipality expects a solution before the end of 2022, but we do not know the specific timetable for establishing a new regulatory framework. The expectation can therefore change as new information comes in», the financial administration states in an e-mail.
The National Association of Local Authorities (KL) also has great confidence in the new agreement, said Pernille Jørgensen, chief consultant for digitization and technology at KL, in early April:
– We’ve shouted cheers in here. It’s no secret, because it’s a huge relief. Once it is written, you have a transfer basis that makes the USA a safe third country to transfer data to. And then problems are solved.
Version2 has tried to get an interview with Stig Lundbech, director of Group IT, or with another relevant employee from Copenhagen Municipality. The municipality has rejected both.
This article was first published on Version2.