It’s now three years since the US CLOUD Act was signed into law, but many firms still aren’t fully aware of how it affects the security of their data. In simple terms, the CLOUD Act requires US IT service providers to provide data stored or processed outside the United States to US authorities upon request. European firms are also subject to the CLOUD Act if they’re a subsidiary of a US cloud or IT service provider, even if headquartered outside of the United States.
Crucially, the CLOUD Act requires US IT service providers to disclose any data in their possession, including customer data.
In other words, if you’re currently hosted by a big-three cloud provider and the US government wants to look at your intellectual property or sensitive customer information, that provider will be obliged to hand it over. “That’s concerning,” says Felix Grundmann, head of cloud product management for IONOS, a leading cloud provider headquartered in Germany.
“For European companies working with US cloud providers, it’s unclear if and when data is being retrieved from the servers, what kind of data is being retrieved, to what extent and so on,” he explains. “That’s because the cloud provider isn’t required to notify the European customer that their data was scraped from the platform and handed to a US government agency.”
Hosting with a European cloud provider is the easiest way of ensuring your data, and that of your customers, won’t be compromised. It also addresses another complication: the CLOUD Act contradicts the General Data Protection Regulation (GDPR), which protects the data and privacy of EU citizens.
A European business using a US-based cloud provider could wind up caught between both regulations, potentially incurring a hefty fine under the GDPR if data relating to its customers is shared with US agencies.
“The conflict between the CLOUD Act and GDPR leaves room for interpretation and that creates a big problem for the end-customer,” says Grundmann. “If a company is hosting its data with a US-based company and its end-customer data is transferred to US agencies, that’s in direct conflict with European law.
“There’s a lot of discussion going on between the European Union and the US government on how to resolve this issue. But at the moment, it’s hard to say in which direction things will go as both sides claim their needs are more important and should therefore take precedence.”
His feeling is that there will eventually be concessions on both sides, but until then the uncertainty about which laws companies may be at risk of violating will remain. Thankfully, however, there’s an easy way to avoid getting caught up in this transatlantic conflict by using a cloud provider with EU headquarters and datacentres.
Cloud hosting providers subject to EU law must act in accordance with the GDPR. If they are also free of any association with US companies, there is no danger of their being obliged to disclose data under the CLOUD Act. That means their customers have maximum protection from the CLOUD Act and minimum risk of violating the GDPR.
Data encryption would also seem to solve some of the issues associated with the CLOUD Act but, as Grundmann points out, you cannot be certain US authorities wouldn’t be able to decode the information somehow. So if you’re currently with a hyperscaler headquartered in the United States, can you really say your data is 100 per cent secure?
He believes it’s a question European companies can no longer afford to ignore. “Those who aren’t with a European cloud provider that has made a point of raising these issues may not be aware of the risks and you don’t see US cloud providers saying, ‘Here’s why your data may not be safe’. But we’ve been upfront about it because we believe it is important,” Grundmann concludes.
For more information on how the CLOUD Act affects your data visit www.ionos.co.uk/cloudact
Promoted by IONOS