What Does the Schrems II Ruling Mean for Your EU, US, or UK-Based Business?

 The effect of the Schrems ll ruling and subsequent invalidation of the EU-US Privacy Shield varies depending on the location of your business and your hosting provider’s locations – including where their servers are installed. Read on to find out what the ruling means for your business, how Brexit affects this decision, and what we are doing at Leaseweb to ensure total data protection. 

For more background information, please refer to What is the Schrems ll Ruling?

1. You Use a US-Based Cloud Service Provider

As an EU-based business, if you are using a US-based cloud services provider, your personal data is being exported from the EU to the US.

  • The US Privacy Shield no longer provides adequate protection levels for data export from the EU to the US. You will need to apply Standard Contractual Clauses (SCCs) with additional safeguards for an adequate protection level for the data export and processing outside of the EU.  
  • US cloud services providers must deliver enhanced SCCs (which are still a valid transfer mechanism for the personal data transfer from the EU to the US) with additional safeguards and adequate protection levels. 

European Data Protection Board Recommendations Adopted by Leaseweb USA Inc.

Leaseweb USA Inc., as a cloud hosting provider in the US with data center services and servers located in the US, is capable of delivering the supplementary safeguards as recommended by the European Data Protection Board (EDPB). For that purpose, Leaseweb USA Inc. offers enhanced SCCs, including additional safeguards that follow the EDPB recommendations, to all EU-based customers.  

Leaseweb USA Inc. also offers an extensive informational whitepaper to EU customers regarding its adequate levels of data protection. Leaseweb USA Inc., as a US-based subsidiary of the European-headquarters Leaseweb Global B.V. in Amsterdam, is acting as an independent sales company and applies GDPR rules as a global compliance policy to ensure and align with the highest privacy standards. 

Moreover, taking into account the strategic position of the EU-based headquarters, there will be no additional centralized data sharing in the US since there is no US-based mother company or shared services center in the US. Additionally, no data is exported from the EU Leaseweb sales companies to the US at any time, as there is an entity split between Leaseweb USA Inc. and the EU-based Leaseweb companies.

2. You Use an EU Cloud Service Provider for Your EU Hosting

If you don’t want to be confronted with the privacy risks and consequences outside of the EU, the best option is to select an EU cloud service provider based in the EU. If you select a true EU-based cloud service provider with no US headquarters or other US centralized or shared services, your privacy will be adequately protected as the true EU-based cloud service providers are fully compliant with GDPR. If you are an EU-based customer and do business with an EU-based cloud service provider with servers in the EU, you can be assured in your role as a controller that no personal data is exported to the US – hence no Privacy Shield and SCC issues.

  • If you are an EU-based customer of Leaseweb’s EU-based sales companies (Leaseweb Netherlands B.V., Leaseweb Deutschland GmbH, and Leaseweb UK Ltd.), the invalidation of the Privacy Shield does not affect your business as it is based in the EU with services also in the EU.
  • The Leaseweb sales companies offer its EU-based customers state of the art data processing agreements and privacy statements. Our one-stop-shop principle has been applied, and Leaseweb’s Data Protection Officer (DPO) is positioned in our headquarters in Amsterdam at Leaseweb Global B.V. 
  • In case of no Adequacy Decision, Leaseweb UK Ltd. will offer its EU-based customers enhanced SCCs. The EDPB issued a Statement on December 15, 2020, regarding the end of the Brexit transition. Further information can be found here.
  • Leaseweb UK Ltd. has a designated representative in the EU, the one-stop-shop DPO in The Netherlands as required by article 27 GDPR.
  • No personal data will be transferred out of the EU. 
  • If you are a US-based customer and do business with an EU-based cloud service provider, EU-based cloud services providers are required to apply the GDPR at all times. This meets all adequate levels of privacy protection.

3. You Use a US Cloud Service Provider for Your EU Hosting

The largest cloud services providers for hosting services in the EU are originally established in the US. For example, many have their headquarters and shared services in the US. This is a US-based cloud services provider for your hosting services in the EU. If you select this type of US cloud service provider for your EU hosting, the following privacy risks and consequences need to be recognized:

  • If you are using a US cloud services provider with EU-based subsidiaries, it is highly likely that personal data is being exported from the EU subsidiaries to the US mother company. These US cloud services providers include hyperscalers such as Amazon Web Services (AWS), Microsoft, and Google. If this the case and you are dealing with a true US cloud service provider with its subsidiaries in the EU for your EU hosting services, you cannot rely on full GDPR privacy protection.

Thinking of Switching Hosting Providers?

At Leaseweb, we are strongly represented in the EU with our Leaseweb sales companies Leaseweb Netherlands B.V, Leaseweb Deutschland GmbH and Leaseweb UK Ltd, and our European headquarters. All companies actively apply GDPR. Also, in the EU, Leaseweb is a member of the CISPE association under the CISPE privacy Code of Conduct. 

If you are unable to switch to a hosting provider that is fully located in the EU, and if you need hosting services in the US, we advise you to switch to an independent US-based cloud service provider with an EU headquarters. Leaseweb USA Inc. fulfills this requirement, as it a US-based subsidiary of the acting as an independent sales company with no US-based mother company.

  • In any case, ask your current cloud service provider what they offer in terms of SCCs. Any US-based cloud service provider should provide you with enhanced SCCs, including additional safeguards and measures to ensure data security.

For more information, see our cloud hosting offerings here. Based in the US? See our privacy statements for every sales company here and look at our previous blogs on GDPR 

In case you have questions or remarks, please let us know at privacy@leaseweb.com to contact us (Jacqueline van de Werken (General Counsel Leaseweb Global B.V.) and Guisanne Yarzagaray (Legal Counsel, Leaseweb Global B.V.)). Thanks for reading!