Use of Azure AWS And GCP illegal under EU Law (Schrems2) when personal data is processed

Unlike Tik Tok in the US, Azure, AWS or GCP are not banned in the EU. However, they can only be used to deploy applications that do not require to store personal data of EU citizens.

France's National Commission on Informatics and Liberty (CNIL) ruled yesterday the 8th October 2020 that it was illegal to store personal data on any cloud operated by a US company or even by a European company with business in the US.


Due to a recent ruling by the Court of Justice of the European Union (CJEU), an equivalent in EU of US Supreme Court, France's CNIL had no choice but request that any personal data stored on a cloud registered in the US or operated by a company with business activities in the US should be transferred to another cloud which guarantees fundamental liberties.

The reason behind this decision is simple: EU citizens have no appeal if US authorities remotely access their personal data, even stored in Europe, through legal enforcement laws such as CLOUD Act, FISA and Executive Order 12333.

CNIL suggests that in order to preserve fundamental liberties, cloud should be operated in Europe by juridical entities that are completely independent of any business activity in the US. CNIL suggests technology licensing approaches for Azure, AWS or GCP to operate legally in EU whenever personal data of EU citizens needs to be stored.

It is likely that similar decision would happen with Chinese cloud providers because of China Internet Security Law.