On March 23, 2018, a US law was launched that is supposed to regulate the authorities’ access to data stored on the Internet: the Cloud Act. The stated aim of the law was to provide law enforcement authorities with a powerful tool to effectively combat organized crime and terrorism. The Cloud Act allows US authorities and law enforcement officers located abroad to direct access requests to cloud operators.
The law obliges all cloud providers headquartered in the USA to comply with the requests of the respective authorities. This gives them an insight into all of the suspicious people’s data stored in the cloud. However, since the requested information also contains personal data, data protection experts repeatedly criticize the Cloud Act. Above all, the danger that innocent companies and citizens in the EU could get caught in the crosshairs of state actors for no reason left a bad taste in the legislation.
Also interesting: A secure cloud for all industries? Confidential Computing makes it possible
Compliance guarantee is not optional, but the basis for trust
Many companies, especially in the EU, made themselves in the Follow great concerns about legal security. In times of digitization, cloud and big data, hardly any company can resist the trend to outsource their data to the cloud. And there is a good reason for that: The constant and location-independent availability of business-relevant data is a necessary component of success in the international competition for customers.
Who here does not keep up, has a disadvantage and will sooner or later be pushed out of the market by the competition. True to the motto “if you arrive late, life punishes you”, the market leaders in all industries outdo each other with new innovations and new ways of using the advantages of their cloud-based services. This race for user favor has given digitization a considerable boost and enabled companies and private users to convert the full range of Internet services into speed and productivity.
Since most (and largest) cloud providers are in the USA, many companies are now concerned about their customer data. Since these are often supraregional and mostly on servers in the USA or are transmitted to US servers for processing, they all fall within the scope of the Cloud Act. Even if the data is stored or processed in the EU, the following applies: If the server in question belongs to a US company or a subsidiary, the data must be released by US authorities upon request. This fact sets the alarm bells ringing for many companies. Many now ask themselves: “Am I liable to prosecution if I save or have processed the personal data of my customers and business partners with a US service? Can the GDPR be reconciled with the Cloud Act at all? “
These concerns are quite justified, because with the end of the EU US Privacy Shields (Schrems II judgment of the ECJ) now lack any legal security when exchanging data between the EU and the USA. Now, however, a trusting customer relationship and legally compliant order data processing is the cornerstone for future business and the associated growth of your own company. The question of possible compliance problems is therefore justified and should be asked by every data protection officer. The answer, however, is not that simple and requires a more in-depth look at how US companies deal with this problem in their day-to-day business.
Not every request from the authorities automatically leads to a data release
The cloud market is highly competitive, after all, it is a key technology of the future. Since practically all market leaders are in the USA, the regulations relating to the Cloud Act primarily affect the heavyweights of the industry. So it is not surprising that the greatest resistance to impending national arbitrariness comes from the cloud top dogs – i.e. directly from the USA.
Who now fears that any data set on servers from Microsoft, Amazon, Apple or Google will automatically end up in the hands of the American authorities, they are mistaken. The tech giants are defending themselves with all means at their disposal in order to prevent the general disclosure of their customer data to criminal prosecutors. If a request is unjustified, the corresponding individual case usually ends up in a US court. There, the inquiring criminal prosecutors must first present solid evidence that the respective customer is really a member of organized crime or a terror suspect.
The data will only be released if the requesting authority follows the applicable legal procedures. Only if the cloud provider is legally forced to do so will the prosecutors receive the key to the encrypted information. In addition, there are currently lawsuits from all major providers aiming at better transparency and information options for their customers; Because according to the Cloud Act, US providers are not allowed to inform their customers about the release of their data.
Also the basic one The rejection of official inquiries has been very successful in the recent past and makes European companies and private users look to the future with optimism. For example, 42 of 91 inquiries in the first half of 2020 were rejected after they were challenged by Microsoft in a US court.
European cloud as a secure alternative: We have to strengthen our own structures in Europe
If we protect privacy To take our fellow European citizens really seriously, we have to strengthen our own structures and markets. But it is not enough for politicians to formulate melodious declarations of intent for the distant future. We need a competitive and innovative IT industry in Europe, from innovative startups to established players who can face the US competition on an equal footing.
There are already promising projects, such as Gaia-X, which is intended to serve as a counterweight to the US competition and has set itself the goal of making the European cloud a successful project.
The European founding members, including many well-known German corporations, are pursuing the following goals with Gaia-X: Openness, transparency and European connectivity as the basis for a European “digital ecosystem” that is competitive at the same time and is in line with European values.
When it comes to data protection, there is a strong emphasis on confidential computing (also known as trusted computing). Originally, confidential computing was understood to mean the approach of encrypting data not only during storage and transmission, but also protecting it from attacks during processing. Data is only processed within a secure area – also called an enclave – or “Trusted Execution Environments” (TEE). This can be implemented on the processor level – as Google, Microsoft, Intel, IBM and Co show – or, as in the case of confidential or sealed computing, on the server level. This means that data processing takes place on protected server architectures that consistently lock out intruders. In this way, unlawful access or manipulation of the data can be prevented. Confidential computing is thus one of the most powerful weapons in the fight against industrial espionage and cyber crime and also protects against the curiosity of foreign authorities.
Of ideas and technological concepts We certainly do not lack it in Europe. But in the end it is the user who decides whether such initiatives are successful or not. It is therefore of vital importance to convince European companies and fellow citizens of the advantages and the competitive quality of local IT products. But we still have to do a lot of persuading. We have never lacked expertise and ingenuity in Europe. Now it is important to productize and communicate the progress and milestones of your own IT industry in a clear and understandable way