GDPR vs. Cloud Act

Since 2018, the US CLOUD Act has obliged US cloud providers to hand over stored data to US authorities in response to a valid US order, regardless of where the data is physically located. This puts the Act in direct conflict with the GDPR, and data in US clouds is therefore, in principle, accessible to US authorities.

US Cloud Act: What is it - and is it GDPR compliant?

Even though most companies in Europe are insufficiently informed about the Cloud Act, it has major implications for our digital data. The law (Clarifying Lawful Overseas Use of Data Act, CLOUD Act) has been in force since March 2018 and affects everyone who processes or stores data in a cloud offered by a US company, whether as a private individual or as a business.

The law passed by the USA obliges US cloud providers such as Google Cloud, Microsoft Azure, Amazon Web Services or Dropbox to hand over data stored in their clouds to US authorities on the basis of a valid US warrant, subpoena or court order, regardless of where in the world the data is physically stored. This puts it in direct conflict with the GDPR: under Art. 48 GDPR, a court order from a third country is not by itself a lawful basis for transferring personal data unless an international agreement, such as a mutual legal assistance treaty, applies. In short: data in US clouds can, in principle, be obtained by American authorities.

Using US servers? Loss of data sovereignty threatens

US providers of cloud services are put in the unfortunate position of being unable to comply with both laws at the same time: the GDPR and the Cloud Act contradict each other. A US company with server locations in the EU is obligated to hand over the data on those servers in response to a US order, although the GDPR does not permit a transfer on that basis. The decisive factor is therefore not where the servers stand, but whether the provider is subject to US jurisdiction. It is consequently to be feared that data processed or stored in such a cloud can be retrieved or searched.

However, the protection of personal data is only one half of the problem. The other is the question of data sovereignty. The Cloud Act entitles American authorities to demand the release of any of a company's data stored with American cloud services, not only personal data. As a result, companies effectively lose sovereignty over their information and thus over their intellectual property, in particular their business and trade secrets.

Cloud Act: Protecting data from US access

Interventions in one's own data sovereignty and violations of the GDPR can, however, be avoided. What is needed is a cloud provider from the European area that is not subject to US jurisdiction, and open-source software that supports data protection and data sovereignty. Because its source code is open, the software can be independently audited for backdoors through which data could flow to unauthorized third parties; openness does not by itself guarantee that none exist, but it makes such an audit possible, which closed source does not. Another advantage: since open-source software consistently relies on open standards and can be individually adapted and further developed, vendor lock-in is largely avoided.

Ensuring data sovereignty in compliance with GDPR

Open-source providers have long been working on integrating their applications so that they can offer solutions from a single source as a real alternative with comparable user-friendliness. Already today, companies use cloud services of hyperscaler class without putting sensitive information at risk or risking violations of the GDPR.

However, high standards of data protection and data sovereignty can only be maintained in Europe if European companies achieve a certain degree of self-sufficiency in the digital market. This requires giving greater priority to creating favorable framework conditions that promote the development of domestic IT solutions able to compete with services from overseas. It is certainly possible to manage without the US giants; after all, there are plenty of good alternatives.

Jerome Evans

Jerome Evans has worked in the IT industry for more than 15 years and founded the company firstcolo GmbH. He is responsible for the construction and operation of data centers and, increasingly, for cloud-based server infrastructures.
