On July 16th, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield with the introduction of the so-called ‘Schrems II Judgment’. The EU-US Privacy Shield was a certificate that enabled US cloud services providers to lawfully gather personal data from EU citizens. More than a year after the verdict, new regulations for transatlantic data transfers have yet to materialize. At the same time, the European Data Protection Supervisor (EDPS) announced an investigation into the use of Amazon Web Services and Microsoft by EUIs, adding further uncertainty to an already unclear situation. This raises the question of whether there are any viable alternatives for those embarking on or already making headway in their cloud journey.
According to Adriaan Hoogduijn, COO of Hyarchis, the answer is a firm yes. Hyarchis operates in the highly regulated banking environment and recently experienced a challenging setback when a major customer put a halt to its cloud journey. The direct cause of the setback was the Schrems II Judgment, which froze the project’s tight deadline. After several rounds of back-and-forth on possible options, a solution was found in using an EU-based cloud services provider. However, it wasn’t easy to implement for either party.
Schrems II: a bolt from the blue
Adriaan Hoogduijn: “The project in question concerned a large-scale customer’s due diligence remediation trajectory, which was a mere press of a button away from execution. After more than six months of carefully preparing our infrastructure, setting up security, and obtaining all the required approvals from the cloud advisory board, the executive board of the customer suddenly pulled the plug on all cloud-based projects. The project team now saw itself confronted with a seemingly impossible mission: meet the project’s deadlines while all required technology to meet these deadlines was put off limits”.
With time becoming increasingly scarce, the joint project team of Hyarchis and the Dutch bank had to come up with a solution, fast. As an added obstacle, the manual processing of hundreds of thousands of customer files, a core aspect of the project, not only seemed to be much slower than expected, but also a lot less accurate. After considering migrating the Hyarchis tools in use to an on-premises environment for as long as was necessary to complete the project, the team decided to investigate the possibility of an EU-based cloud services provider, thereby circumventing Schrems II limitations altogether.
EU-based Cloud Services Provider
Contracting an EU-based cloud services provider is not as straightforward as it may appear, says Hoogduijn: “European cloud services providers offer a significantly more limited infrastructure than their American counterparts and collaboration requires in-depth research into the ultimate beneficial ownership. Both factors can absorb a frustrating amount of time as the documentation of EU-based cloud providers tends to be a lot less exhaustive than that of hyperscalers such as Amazon, Microsoft, IBM, and Google”.
Even if the ultimate beneficial ownership does not lead back to the United States and the gaps in documentation have been filled, Adriaan reiterates that the task of setting up a European cloud is far from complete: “A European cloud typically offers a more barren infrastructure and is a step back from the ‘Platform as a Service’ (PaaS) philosophy of the American hyperscalers. Whereas the hyperscalers focus on a wide variety of security, database, logging, and monitoring services which allow users to focus on core solutions, European cloud services providers typically deliver their infrastructure as a blank canvas. This means that users need to have (access to) a solid engineering team to bring all security, deployment, and database related functions to the same level as those provided by American cloud services providers. This arguably goes against the main driver of procuring a platform as a service in the first place”.
Multi-cloud strategy as a must
The investment in the European cloud infrastructure, as well as getting everything in place, took the Hyarchis team several months. The choice was a necessary measure to ensure that project deadlines were met, but does Hyarchis see any long-term value from a European cloud? Adriaan Hoogduijn: “Certainly, and this is not just because we have made a large investment into getting our European cloud up and running. The Privacy Shield has been a complicated topic from its inception and was not well received by the Trump administration – an administration that deliberately delayed implementing the requisite safeguards. So far, the Biden administration has not prioritized the topic to a point where there are any tangible outcomes. The general feeling is that Biden might be more amenable to reaching an agreement, but this remains to be seen”.
In the meantime, Hyarchis has joined the ranks of a growing number of technology firms that, instead of awaiting a replacement for the EU-US Privacy Shield, actively seek to establish alternatives for their customers. Adriaan Hoogduijn: “The cloud journey of our customers is a strategic decision at the end of which they aim to obtain a competitive advantage in a highly regulated environment. We see it as our duty to support them in navigating the rocky roads of regulatory compliance and help them avoid stalling their ambitions for an unknown period of time. A multi-cloud strategy helps us, as it does many other technology firms, to achieve this goal”.