Since the Patriot Act of 2001, US companies have been required to disclose data at the request of the US authorities. With the CLOUD Act of 2018, the authorities can also seek access to foreign servers. From a compliance perspective, this is a major problem. Companies which rely on servers that are under the management of US corporations face a delicate privacy risk: potential access to confidential and strategic data by US authorities.
And in times of digital transformation, data is one of the most important assets a company has. In this article, you can read about what the CLOUD Act means for companies, the dilemma of the CLOUD Act versus the EU General Data Protection Regulation (GDPR), and reasons for you to opt for GDPR compliant cloud storage.
The US CLOUD Act is the abbreviation for the ‘Clarifying Lawful Use of Overseas Data Act’, otherwise known as the CLOUD Act. It gives US authorities the right to access data stored abroad. Up until March 2018, the only way for the American government to access overseas data was through an agreement between two countries, known as the Mutual Legal-Assistance Treaty. The agreement allowed them to consent to share information and work together to solve a legal investigation.
Yet, with the CLOUD Act, all US-based companies need to provide data upon request, no matter if their servers are on American or foreign soil. As the CLOUD Act applies to all big cloud providers based in the USA - Microsoft, Google or Adobe, this led to a legal dispute between US authorities and Microsoft. The company did not want to hand over customer data stored in a server located in Ireland.
For many companies that need to comply with GDPR, the US legislation raises extra compliance issues. The CLOUD Act creates an international conflict of applicable law, which in turn, can lead to legal disputes and severe consequences. Companies should be aware of the CLOUD Act and its effects.
In 2019, the UK and the US signed a bilateral agreement on access to electronic data. The agreement specifies the cases in which governments can request data from service providers, without permission by data owners. According to the EU Commission's dedicated bodies, this type of agreement is the only option to allow compliance in data protection, as stated in an EDPB (European Data Protection Board) & EDPS (European Data Protection Supervisor) Joint Response on Cloud Act. But this agreement is not applicable to other European countries. The double legislation breaks GDPR provisions on lawfulness and data protection since CLOUD Act requirements are not acceptable under GDPR art. 6 and art. 49. As a result, many companies continue facing the dilemma of the CLOUD Act versus EU GDPR.
Little by little, the US CLOUD Act versus EU's GDPR made its way to the top on the long list of issues on data security and the challenges of digital transformation.
In 2018, Die Welt headline was: "US company buys Dax corporations data vault".1 Many European companies relying on the Munich-based software house's solution for the exchange of sensitive information for the board of directors and management found themselves in a delicate situation. The acquisition granted potential access to data by US authorities.
The takeover caused surprise and nervousness in the market. Brainloop, the German provider merged with US software provider Diligent, and the company lost its sovereignty in data protection law.2 The sale created a sensitive situation in Europe, one which made companies question the need to opt for GDPR compliant cloud storage providers. According to an EY study on the board of directors' digitalisation skills, about half of the participants regularly deal with topics related to data security, leakage, protection and data sovereignty.
Following the merger, Brainloop customers were forced to examine the new structure and consider the challenges that came with having an American owner. In spite of Brainloop constantly promoting the message that their servers are located in Germany and Switzerland, this is not a guarantee of them offering their customers GDPR compliant cloud storage. Questions on which provider owns the data and who has access to it because of ownership are still valid even today.
Diligent admitted compliance with US CLOUD Act law that grants US authorities access to sensitive data without notifying data owners. So, in case of hardship, the CLOUD Act "Clarifying Lawful Overseas Use of Data Act" can be used to gain access to data on foreign servers, owned by both Diligent and its associated companies.
It is clear that US Cloud providers operate under a different legal framework. More often than none, this conflicts with EU GDPR and data security requirements. The dispute is critical especially when dealing with sensitive information, like personal data or Stock Exchanges contents. For this reason, companies should opt for GDPR compliant cloud storage and avoid the uncertainty of having to trust their data with organisations complying with both legislations.
For example, Switzerland is one of the best server locations worldwide:
This makes the country an ideal location for many companies. Under the Swiss law, data outsourced abroad is subjected to meticulous scrutiny. Outsourcing for banks and insurers are regulated in detail by FINMA, the Swiss Financial Market Supervisory Authority. That means, data may only be outsourced abroad if:
This is a good reason for more and more companies to relocate their servers to Switzerland and opt for GDPR compliant cloud storage.
For numerous companies that want to avoid fines of up to €20 million or 4% of annual global turnover because of conflicts with compliance requirements, Sherpany is a good example of a European provider of GDPR compliant cloud storage.4 The Swiss company offers exclusively cloud hosting in highly secure data centers in Switzerland. In addition, Sherpany offers its customers a dual strategy by combining the advantages of a private cloud with data storage at the company itself (hybrid cloud). Sherpany is ISO 27001 certified, has an ISAE 3000 certification (Type 2) and is compliant with FINMA for outsourcing. Customers of Sherpany are not affected by the CLOUD Act and ensure compliance with the GDPR.
Note: This article has been updated in July, 2020.
1. 'US-Firma kauft Datentresor der Dax-Konzerne', WELT, July 2018.
2. 'CLOUD Act: Weltweiter Zugriff auf Nutzerdaten bei Internet-Unternehmen', Steiger Legal, March, 2018.
3. 'Microsoft vs. USA: Supreme Court entscheidet nicht über internationalen Datenzugriff', Heise Online, April, 2018.
4. 'GDPR Fines / Penalties', Intersoft Consulting.