To what extent is the Cloud Act, which allows the US judicial system to seize any data, including data outside the national territory, compatible with Article 48 of the GDPR, which prohibits the transfer or disclosure of data outside the EU?
"Pragmatically, long before the Cloud Act, there were already cases where this access to data was carried out legally in the US but was illegal from the point of view of an EU member state, for example for reasons of national security. Nothing changes on this point.
The Cloud Act mainly forces open access to data on a cross-border basis in the context of judicial investigations where this need is "plausible" and "defensible". This would be fully compatible with Article 48, which does not prohibit the exchange of data if there is a (cross-border) legal framework. I see it as an immediate benefit in the fight against cyber-bullying. Some platforms, for example micro-blogging, will now have to work with law enforcement in an EU country to combat this scourge. There are also cases where its application can be harmful.
In the past (i.e. the pre-Snowden era), the legal services of large US Cloud Service Providers (CSPs) fought some battles to defend their data protection obligations (i.e. the status quo); however, they do yield to US law when all remedies are exhausted. The Cloud Act changes this paradigm by removing this (defence) responsibility from CSPs and facilitates access to data for US institutions, and for countries that have joined the agreement.
The danger therefore lies in the negotiation of the agreements that will take place between the EU and the US, and above all it is necessary to foil the traps/abuses that could hide in the thousands of pages of the document.
I will end by saying that it is already possible to protect oneself from such abuses through security technologies or services. This must be further integrated into modern application design and enterprise cloud project specifications."
"Article 48 of the GDPR does not in itself prohibit data transfers outside the European Union, but strictly regulates them. A decision by a court or administrative authority of a third country requiring such transfers is not sufficient and must be based on an international agreement.
As a result, the United States will have to negotiate bilateral agreements with the countries of the European Union.
Under the Cloud Act, bilateral agreement negotiations are conditional. Thus, any request should take place in the context of a criminal investigation, target a specific person and be based on credible evidence. Theoretically, therefore, data collected in an investigation could not be used to restrict freedom of expression.
In addition, the Cloud Act gives US CSPs a timeframe of 14 days to respond in the event of a legal dispute with the country concerned. Within this period, a court must be seised in order to analyse the conflict.
In light of these various elements, it does not seem to me that there is a real "incompatibility" between the Cloud Act and Article 48 of the GDPR.
Nevertheless, the application of the Cloud Act is likely to lead to misuses with regard to the GDPR, in the sense that it could create risks for European clients of American cloud service providers."
In this context, what room for manoeuvre is there for European customers who host their data in the datacenter of a US Cloud provider but who want to remain compliant with the GDPR?
"- Setting up a master data management (MDM) for a Big Data or Deep Learning project.
- Modularization of an application through Multi-Cloud: for example an application distributed between SaaS (CRM, API Gateway) and a Hybrid Cloud (ERP, Data Repository on-premise)
- Open Banking, IoT, AI, others.
- With clearly identified business challenges, it is possible to combine services and security measures to be implemented (e.g. tokenization, behavioral analysis probe, etc.) depending on the type and location of the data.
Finally, "sovereign" clouds (European) are credible options for hosting data, even if a change in legislation could undermine this protection, hence my preference for a more modular approach by application."
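As an added illustration of the tokenization measure mentioned above (this is example code written for this page, not InterCloud's own tooling), the block below keeps a token vault on the European side and sends only tokens to the US-hosted application. The field names, the record and the HMAC key are constructed for the example; which fields count as personal data, and where the vault actually runs, are deployment decisions that the example only assumes.

```python
"""Vault-based tokenization: PII stays in an EU-resident vault, the cloud side sees tokens.

Constructed example. Assumptions (not from the original page):
- SENSITIVE_FIELDS lists the record fields treated as personal data.
- EuTokenVault is deployed on-premise or in an EU sovereign cloud; only the
  output of tokenize_record() is shipped to the US cloud provider.
"""
import hashlib
import hmac
import secrets

# Assumption: these fields are the ones a DPO would classify as personal data.
SENSITIVE_FIELDS = frozenset({"name", "email", "iban"})


class EuTokenVault:
    """Maps random tokens to original values; meant to live on the EU side only."""

    def __init__(self, hmac_key: bytes):
        self._key = hmac_key
        self._token_to_value: dict[str, str] = {}
        # Keyed HMAC of the value -> token, so the same value gets the same token
        # without the lookup index itself revealing the plaintext.
        self._index_to_token: dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        idx = hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        if idx in self._index_to_token:
            return self._index_to_token[idx]
        # Random token: unlike a hash, it carries no information about the value.
        token = "tok_" + secrets.token_hex(16)
        self._token_to_value[token] = value
        self._index_to_token[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        # KeyError on an unknown token is deliberate: nothing outside the vault
        # can mint a valid token.
        return self._token_to_value[token]


def tokenize_record(vault: EuTokenVault, record: dict, sensitive=SENSITIVE_FIELDS) -> dict:
    """Copy of record with sensitive fields replaced by vault tokens (safe to send abroad)."""
    return {k: (vault.tokenize(v) if k in sensitive else v) for k, v in record.items()}


def detokenize_record(vault: EuTokenVault, record: dict, sensitive=SENSITIVE_FIELDS) -> dict:
    """Inverse of tokenize_record, only possible where the vault is reachable (EU side)."""
    return {k: (vault.detokenize(v) if k in sensitive else v) for k, v in record.items()}


def contains_plaintext(outbound: dict, original: dict, sensitive=SENSITIVE_FIELDS) -> bool:
    """Egress check: does any sensitive original value appear in the outbound record?"""
    blob = " ".join(str(v) for v in outbound.values())
    return any(str(original[k]) in blob for k in sensitive if k in original)


if __name__ == "__main__":
    # Constructed sample customer record.
    customer = {
        "customer_id": 42,
        "name": "Alice Martin",
        "email": "alice@example.eu",
        "iban": "FR7630006000011234567890189",
        "plan": "pro",
    }
    vault = EuTokenVault(hmac_key=secrets.token_bytes(32))  # key stays in the EU
    to_us_cloud = tokenize_record(vault, customer)
    print("shipped to US cloud:", to_us_cloud)
    print("leaks plaintext PII:", contains_plaintext(to_us_cloud, customer))
    print("restored on EU side:", detokenize_record(vault, to_us_cloud))
```

The design point is that the US-hosted component can still join, count and route on the tokens (the same value always maps to the same token within one vault), but a disclosure order served on the US provider yields only tokens, and the mapping back to a person exists solely in the vault the European customer controls.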
"Indeed, data storage and localization are key issues for European customers. In order to have sufficient guarantees in terms of security and confidentiality of data, and with regard to the GDPR, (European) sovereign clouds can be an interesting alternative for these customers (at least for the company's critical applications)."
Johan Soula, Cyber Security Lead at InterCloud
Hanaé Desbordes, Legal Expert at InterCloud