US CLOUD Act vs GDPR three years later - A struggle for compliance and data security

CLOUD Act vs GDPR
(PresseBox) (München)
On March 23, 2018, the CLOUD Act ("Clarifying Lawful Overseas Use of Data Act"), a controversial US law, was enacted[1]. Its goal is to provide law enforcement authorities with a powerful tool to effectively combat organized crime and terrorism. The CLOUD Act allows US authorities and international law enforcement agencies to make access requests to cloud operators and is also intended to make it easier to enforce these requests.

Since the requested information usually contains personal data, data protection advocates repeatedly criticize the CLOUD Act. Above all, the danger that innocent EU citizens could get caught in the crosshairs of state actors still leaves a bad taste in the legislation.

Compliance and legal certainty are the basis for trust and growth

In times of advancing digitalization, hardly any company can resist switching to the cloud. However, since most—and the largest—cloud providers are located in the US, many EU-based companies worry about their customers' data. The reason for this is that data also falls within the scope of the CLOUD Act even if it is located or processed in the EU, as long as the server in question belongs to a US provider or one of its subsidiaries. This circumstance causes many companies to wonder: “Am I exposed to penal sanctions if I store or process the personal data of my customers and business partners with a US service? Is the GDPR compatible with the CLOUD Act at all?” These concerns do not come out of the blue. After all, with the end of the EU-US Privacy Shield, there is now no legal certainty when exchanging data between the EU and the US. The question of possible compliance problems is therefore justified and should be asked by every data protection officer. The answer, however, is not that simple and requires consideration of how US providers deal with this problem.

Not every request from the authorities leads to data release

Anyone who fears that every data record on Microsoft, Amazon, Apple, or Google servers will automatically end up in the hands of the US authorities is wrong. The tech giants are fighting back with all available means to prevent the general disclosure of customer data to criminal prosecutors. Data is only released if the requesting authority follows the applicable legal procedures and can prove the legality of the request. Only then can the cloud provider be forced to hand it over.

Fortunately, the general rejection of official requests has been quite successful in the recent past and allows European companies and private users to look to the future with optimism. For example, 42 of 91 requests were denied in the first half of 2020 after Microsoft challenged them in a U.S. court[2].

European cloud and confidential computing as a secure alternative

But to really take the data protection of our fellow European citizens seriously, we need to strengthen our own structures and markets. This requires a competitive and innovative IT industry in Europe that includes both innovative start-ups and established players able to meet the U.S. competition on an equal footing.

Promising projects such as GAIA-X[3], which is intended to counterbalance US competition, give rise to hope. There are also providers such as the TÜV SÜD subsidiary uniscon, which implements effective data protection in the cloud with the help of confidential computing or sealed computing. Confidential computing describes the approach of not only encrypting data during storage and transmission, but also protecting it from attacks during processing.

This is done within a secure area, the so-called "Trusted Execution Environment" (TEE), and can be carried out at the processor level—as implemented by Google, Microsoft, Intel and IBM, among others[4]—or, as in the case of sealed computing, at the server level. Here, data processing takes place in protected server enclaves that have reduced interfaces and consistently lock out intruders. This prevents unauthorized access to or manipulation of the data. Confidential computing is thus one of the most powerful tools in the fight against industrial espionage and cybercrime—and also protects against access by foreign authorities.

There is certainly no shortage of ideas and concepts in Europe. In the end, however, it is the user who determines the success or failure of such initiatives. It is therefore of existential importance to convince European companies and fellow citizens of the advantages and competitive quality of local IT products. A lot of convincing still needs to be done. We have never lacked expertise and ingenuity in Europe, but now it is important to produce and communicate the progress and milestones of our own IT industry in a clear and understandable way.

[1] https://www.congress.gov/bill/115th-congress/senate-bill/2383/text

[2] https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report

[3] https://www.bmwi.de/Redaktion/EN/Dossier/gaia-x.html

[4] https://confidentialcomputing.io/