“Get Out of U.S. Clouds” recently headlined the renowned German computer magazine c’t. Editor Jo Bager conceded, “At this time, we cannot recommend storing your data or even the data of your customers in the United States.” So it’s really not surprising that IT experts are now advising European companies to store data in clouds within Germany or the EU. However, the situation concerning cloud computing in the U.S. has become significantly worse.
It began just one week after the new president took office: on January 25, 2017, Donald Trump signed an Executive Order to ‘enhance public safety’. The order, which is primarily directed against undocumented people living in the U.S., requires U.S. authorities to exclude the personal data of non-U.S. citizens from the protection of the Privacy Act. In the future, this could also mean that the data of EU citizens will no longer be protected in the United States.
Thus, the Trump directive could make it legally impossible for European companies to use U.S. clouds!
From Safe Harbor to Privacy Shield
Transatlantic data transfers are problematic from a legal perspective anyway, since personal data (i.e. data that can be used to identify a person) may only be transmitted from the EU to countries with an ‘appropriate level of protection’. Whether such a level of protection exists in the U.S. has been questionable for some time now. However, on the basis of the Safe Harbor Agreement, it was possible for European companies to transfer data to U.S. companies or have this data processed in U.S. clouds, as long as the American companies pledged to comply with EU data protection standards.
In a crushing verdict in October 2015, the European Court of Justice (ECJ) declared Safe Harbor invalid, finding that the data of EU citizens was inadequately protected in the United States. The virtually unrestricted access of U.S. authorities to this data was one of the primary issues.
The EU Commission and Obama Administration quickly conjured up a subsequent agreement – the EU-U.S. Privacy Shield. The core component is once again a database where U.S. companies can be registered if they guarantee that they comply with European data protection laws.
However, the corresponding EU Commission adequacy decision on Privacy Shield from July 2016 was largely based on assurances given by the Obama administration, including that U.S. data protection provisions would also apply to the data of EU citizens, provided that these provisions didn’t contradict any other applicable laws. ‘This might be over soon,’ fears Peter Schaar, the former Federal Commissioner for Data Protection and Freedom of Information, since Trump’s order could annul these assurances.
Trump’s fundamentally ambivalent attitude toward data protection indicates that this is actually very probable. The new U.S. government has already established that U.S. Internet providers may monitor, collect and sell their customers’ data without their consent. As Wired magazine reports, in addition to usage data, this even includes the right to collect and sell the social security numbers of their customers.
Data in European Clouds
Should the data of EU citizens (in U.S. clouds) under the Trump government no longer be deemed sufficiently protected, the EU Commission will in all likelihood have to revoke Privacy Shield. Either way, it is doubtful that the agreement will survive the legal examination already underway in the ECJ.
In both cases, it will be extremely complicated for companies to transfer personal data to the U.S. Should the other available data protection instruments, such as Binding Corporate Rules (BCR) or EU standard contract clauses, also become invalid under Donald Trump, the transmission, storage and processing of that data would be completely prohibited. This would also apply to companies that are located within the EU but process their data in U.S. data centers (e.g. via Amazon Web Services)!
Therefore, numerous experts advise that applications such as backups in the cloud should only be used with providers located in Europe and at data centers in the EU. But even in such cases, caution is necessary. Currently, the trustee arrangement between Microsoft and the Deutsche Telekom subsidiary T-Systems is highly praised: customers conclude their contracts for storage space and applications in the cloud (Office 365 Germany) only with T-Systems. All data remains exclusively in German data centers. Microsoft itself does not have access to the data – and neither do the U.S. authorities, for now.
However, Deutsche Telekom has a subsidiary in the U.S. According to Jörg Wirtgen at c’t, this is ‘far enough away from T-Systems’ such that U.S. courts cannot gain access to the data of EU citizens. On the other hand, the data protection specialist of activeMind AG, Michael Plankemann, sees this more critically: ‘No one can say with certainty how this will look in a serious situation. Ultimately, the U.S. judge will decide.’
Conclusion: ‘Better Safe Than Sorry!’ – Also in the Cloud
The renewed debate on the lack of data protection in the U.S. clearly shows that companies must make important strategic decisions when choosing their cloud provider. Data protection and data security in the cloud are absolutely crucial criteria for making these decisions. Ultimately, keeping the trust of your own customers is what matters most, not just complying with the current legal requirements.