Cloud Act versus GDPR - what to do?


In 2018, two new laws were implemented, one in the EU and another in the US, which are expected to have a far-reaching impact on the online data processing of individuals. However, these two new laws are as opposite as they can be. One is known as the Cloud Act and the other as the General Data Protection Regulation (GDPR).

This blog post attempts to present the differences between the two laws in an understandable way and to highlight their conflict. The aim is to show end users and companies what they need to be aware of when storing sensitive files in the cloud, so that they do not inadvertently pass on their own files to third parties (in this case the state) and, for companies, do not violate the GDPR.

Cloud Act

To begin with, it is important to consider both laws and their respective requirements: What does the Cloud Act entail, and what are the requirements under the GDPR? The Cloud Act mandates that American companies provide US authorities with full access to data worldwide, including personal information, in order to facilitate US law enforcement's demand for access to communication data of suspects stored abroad.

This means that data from companies such as Microsoft, Google, or Amazon can be legally and immediately requested without the need for judicial approval. In such cases, a cloud provider is not obligated to notify the data subject(s) of the release of their data, and the data can be accessed, processed, and used without consent or notification.

This primarily affects providers of electronic communication services and remote computing services, especially cloud providers that are subject to US law. Furthermore, the Cloud Act takes precedence over the laws of other countries and unions.

Here you can find the law of the Cloud Act.


On the other hand, the GDPR aims to restrict and regulate the processing of personal data on the internet, thereby strengthening individual privacy in the EU. This applies to all companies that offer their services in the EU. What we see is that these two very contrasting laws overlap in the EU. So, which way should companies that offer or use cloud solutions go?

Companies that store sensitive files on American or non-European cloud servers, in particular, must anticipate the processing of files stored in the cloud. Because EU companies are obligated to treat files in compliance with the GDPR but store these files under the Cloud Act, they are in violation of the GDPR, which can result in fines.

An organization does not have to be founded in the US to be subject to the Cloud Act. It is enough to have a significant presence in the US to be considered an American company. Thus, the disclosure of data due to the Cloud Act also applies even if it is not stored overseas. The Act can, therefore, affect data stored on servers in Germany or within the EU.

This means that if companies process personal data in the cloud, they must ensure that the data protection level required in the European Union is adhered to. Accordingly, it is considered best practice in European companies to choose a strictly European cloud provider with data centers in the EU. However, this does not automatically ensure that the required GDPR standard is met.

As the Cloud Act is limited to companies worldwide that maintain a presence or engage in business activities in the US, subsidiaries acquired by US companies in the EU can also be affected by the Cloud Act.

Read more about GDPR.

To amend title 18, United States Code, to improve law enforcement access to data stored across borders, and for other purposes.

Cloud Act, Congress of the USA

Corporate data must therefore be reliably secured and encrypted both during transmission and at the storage locations in the cloud. In addition, appropriate key management is advisable to ensure the highest possible level of security. All keys should be hosted within the company.

Those who want to play it safe can also store them "on-premises" in a hardware security module. In this way, companies not only regain control over their data but also meet the security requirements of the GDPR: if encrypted data is stolen, it is worthless to unauthorised persons.

Data protection and security

To prevent such problems, please visit our security and privacy site.
