The US Cloud Act: Threatening European Data Protection


In today’s digital world, cloud services and software solutions have become indispensable tools for businesses, institutions, and authorities. Especially in the context of digital transformation, there is a growing desire to create and strengthen digital processes, often involving the purchase of appropriate software.

However, a careful and critical examination is necessary to assess which systems are integrated into the IT landscape and where hidden dangers may lie.

Particularly concerning compliance with European data protection regulations, a close look behind the scenes of software and its providers is recommended. This is crucial because many of these providers are located abroad and are subject to foreign regulations.

A prominent example is the US Cloud Act, whose introduction has raised significant questions about data privacy and security. Companies and institutions in Germany and Europe must urgently address these concerns when choosing new software solutions.

What is the Cloud Act?

Behind the simple term “Cloud Act” lies the possibility for US authorities to access personal data stored in data centers in Europe and other parts of the world without prior approval. The US Cloud Act, formally known as the “Clarifying Lawful Overseas Use of Data Act,” is a law passed in the United States in 2018.

It provides a framework for clarifying the lawful handling of data stored abroad. This law allows US authorities to access data stored by US companies in the cloud, regardless of whether this data is stored on servers in the USA or outside the USA.

Origins of the US Cloud Act

The US Cloud Act originated from a decision primarily aimed at counterterrorism efforts after the September 11, 2001 attacks. The “Patriot Act” allowed the FBI and US authorities to access data from US companies abroad. This decision was already met with criticism in Europe. Several years later, this led to the economically expanded US Cloud Act.

The US Cloud Act came into being around the same time as the General Data Protection Regulation (GDPR). It was passed on March 23, 2018, in response to a lengthy legal dispute between Microsoft and the US government. The core issue was whether Microsoft was obligated to provide customer data stored on servers in Ireland to US authorities without a court order.

The answer was yes; as a US company, Microsoft was required to do so, regardless of where the servers were located. The US Cloud Act was enacted to provide clarity on this matter and grant US authorities unrestricted access to such data. This puts the Cloud Act in clear contradiction with the European data protection regulation.

The Danger of the US Cloud Act

The US Cloud Act raises significant concerns regarding European data protection and privacy. As it grants US authorities unrestricted access to data stored outside the US, European companies and organisations using American cloud services or software solutions could potentially be monitored by US authorities without their knowledge. There is no obligation on the part of the US to inform affected parties.

Implications for European Companies and Organisations

European companies and authorities face the challenge of complying with EU data protection regulations, especially the GDPR, and ensuring full data protection and data sovereignty while using American software and cloud services. Compliance with data protection standards becomes challenging once they come into contact with US cloud computing in any form.

There is a fundamental rule: stored data processed in Europe is subject to the regulations of the European Union and, therefore, the GDPR. There is no agreement between the EU and the US specifically addressing the Cloud Act. Therefore, the mere transfer of data stored in the EU automatically constitutes a violation of the GDPR. This can only be avoided by using European software that complies with the European GDPR.

In addition to complying with the GDPR, responsibility toward one’s own customers should be paramount. Companies continuing to use cloud services from US providers can no longer ensure GDPR compliance. This not only has legal consequences but also significantly diminishes customer trust.


Not Like This! The German Administration as a Current Example

A current example of the challenges posed by the US Cloud Act for European data protection regulations is the framework agreement between the German federal administration and companies like Microsoft and Oracle. These agreements allow these companies to provide cloud services and software solutions for the German government. This has raised concerns about data protection and sovereignty, as data belonging to German citizens and authorities could potentially be accessed by US authorities.

Differences between the US Cloud Act and GDPR

The GDPR and the US Cloud Act fundamentally differ in their approach to data protection. While the GDPR emphasizes the protection of personal data and requires consent from the individuals concerned for further use, the US Cloud Act grants US authorities unrestricted access to data regardless of the consent of the individuals concerned. This difference in approaches can lead to conflicts, uncertainties, and ultimately crimes concerning the protection of data in European organisations.

Cross-Border Law Enforcement as Part of the US Cloud Act

The US Cloud Act introduced the concept of cross-border law enforcement. This means that US authorities can access data outside the US at any time to conduct criminal investigations. This presents a new dimension of law enforcement that potentially jeopardizes data protection in Europe, as it extends far beyond this intended purpose.

US authorities emphasize the urgency of cross-border crime prevention and ensuring comprehensive security through US law. Although companies theoretically have the option to refuse the transfer of sensitive data, this is often challenging in practice.

The European Union’s GDPR allows international transfer of sensitive data only under certain conditions, including the existence of mutual legal assistance agreements in criminal matters or other agreements between third countries and the EU under Article 48 of the GDPR. Moreover, justifying reasons for the transfer of personal data to third countries must exist according to Article 5 of the GDPR.

The Solution: Be Cautious with US Software and Cloud Services!

Companies, especially public institutions where IT system security and the protection of sensitive data and business information are necessary, should be extremely critical when choosing the right cloud provider.

First and foremost, it should be thoroughly examined where the potential cloud provider’s headquarters and data centers are located. From a data protection perspective, European companies are on the safe side if they only use applications provided by a European cloud provider with data centers in Europe. This is also the case with Conceptboard.

Therefore, especially when high demands on data protection and data security exist, it is advisable to completely refrain from using American cloud providers. Companies play it safe when they exclusively use cloud services located in the EU. Additionally, using encrypted cloud services is highly sensible. A request for data disclosure covers only the transmission of the data; it does not include an obligation to decrypt it beforehand.

If, nevertheless, a request for data disclosure is made by US authorities, it is advisable to file complaints with the relevant US government authorities and argue that the data does not concern US citizens and, therefore, falls under the data protection laws of the respective EU country.

No Power to the US Cloud Act! Conceptboard is from Germany

As a German company and the provider of a collaboration tool primarily used in the public administration sector, we stand for security and data protection. Security and the protection of personal data are of the utmost priority for us and our customers. We meet this standard every day and ensure 100% data sovereignty. Therefore, Conceptboard is not only developed entirely in Germany but has also deliberately chosen Germany as its server location.

To meet our own standards and ensure the best data protection for our users permanently, Conceptboard hosts entirely in Germany. This ensures that all data is protected from unauthorized access by third parties, not only today but also in the future. For those who do not find this secure enough, we offer the option of a dedicated server or hosting in their own data center.

As the first visual whiteboard solution, we are ISO 27001 certified and, unlike American providers, compliant with the GDPR. We are committed to maintaining the confidentiality and integrity as well as the accessibility of information. We have demonstrated this with the ISO 27001 certification, officially confirming the effectiveness of our information security management system.


Overall, the impact of the US Cloud Act on European companies and data protection in Europe is a complex and controversial issue. The use of American software and cloud services requires a careful assessment of risks and the implementation of suitable security measures to protect privacy and data security. However, when making this decision, data protection should always take precedence over price or other advantages—without compromises!

For those who want to play it safe, choosing a cloud service located in the EU is the way to go. With Conceptboard, data protection, data sovereignty, and privacy are a given.
