The dark side of the cloud: Why the US Cloud Act threatens the data sovereignty of European cloud users.
What does data sovereignty mean?
Data sovereignty refers to the right and ability of individuals, companies, or organizations to always have complete control of their data and to decide independently how and where that data is used, stored, and processed. Data sovereignty also means that the owner of the data has unlimited control over access to the data, without third parties being able to influence or circumvent these decisions.
Data sovereignty is important in many different areas, especially regarding data protection, data security, and compliance requirements. Legal regulations such as the European General Data Protection Regulation (GDPR) aim to strengthen control over personal data for European individuals and protect their privacy.
The debate about protecting sensitive personal information extends to all areas of private and professional life and has become a top issue recently.
In IT infrastructure and especially in cloud computing, data sovereignty plays an important role. Companies and organizations need to ensure that their data is protected and managed according to their security policies and applicable laws, regardless of whether it is stored on their servers or in the cloud.
In addition, data sovereignty builds trust with customers, partners, and investors. Companies should therefore urgently invest in building their data sovereignty to be able to always act independently.
Key factors of data sovereignty in the cloud environment
Data protection: In the cloud environment, data is stored and processed on external servers operated by cloud service providers. It must be ensured that personal data is adequately protected in accordance with legal requirements.
Compliance and legal requirements: Different countries and regions have different data protection laws and regulations. Each company and organization must ensure that all laws and regulations that apply in its country and region are fully implemented.
Trade Secrets and Intellectual Property: Almost all companies have sensitive data and intellectual property that represents an important competitive advantage. Therefore, it is essential that this data cannot be accessed, stolen, or misused by unauthorized parties. By continuously reviewing their data sovereignty, companies can control access to their data and ensure that it does not fall into unauthorized hands.
Contract and service control: For data sovereignty, it is essential that companies retain full control over the contracts and services they have agreed to with cloud service providers. Companies should be able to move their data, change providers, or adjust the scope of services at any time if necessary.
Overall, data sovereignty is important in the cloud environment to ensure control, security, and compliance over data. Companies should ensure that they have full control and visibility over their data, regardless of where it is stored or processed in the cloud.
Lack of data sovereignty at US cloud providers
In an increasingly digitized world, it is crucial for companies and organizations to protect their data. An important aspect of this is control and power of disposal over their own data, i.e. data sovereignty.
Not all cloud providers can guarantee this data sovereignty to their customers. In particular, large providers such as Amazon AWS, Microsoft Azure, Google Cloud, Meta and Salesforce, as US companies, are subject to the US Cloud Act.
Since the Cloud Act allows US authorities to access data of non-US citizens, even if it is stored outside the US, US companies cannot guarantee their customers unrestricted data sovereignty.
For this reason, even European data centers of US companies that are geographically located in the European Union do not provide effective protection against access by US authorities.
Simultaneous compliance with the requirements of the European General Data Protection Regulation within the sphere of influence of the US Cloud Act is not possible.
Google Transparency Report
The US company Alphabet regularly publishes the number of annual requests for information for civil, administrative, criminal, and national security purposes in its Transparency Report. This listing is a good representation of how often the provisions of the Cloud Act are actually applied.
What does the U.S. Cloud Act mean for European cloud users?
Any company, organization, or individual using cloud services from U.S. companies should be aware that U.S. authorities can compel the release of all types of stored data without a court order.
The Cloud Act (Clarifying Lawful Overseas Use of Data Act) is a US law that was passed on March 23rd, 2018. It regulates access to electronic data in the cloud and affects US companies that offer cloud-based services. As US companies, all known hyperscalers and countless SaaS providers are affected by the provisions of the Cloud Act.
The Cloud Act covers two key aspects. First, it allows U.S. authorities to access data stored by US companies in the cloud, regardless of the physical location of the data. Only the data of U.S. citizens is explicitly exempt.
Secondly, the Act allows foreign authorities to access data stored by US companies in the cloud if it is needed for criminal investigations or serious crimes, and bilateral agreements exist between the US and other countries. The Cloud Act thus has far-reaching implications for data privacy, data sovereignty, and cross-border law enforcement.
Privacy concerns have caused the Cloud Act to be the subject of intense discussions. The primary criticism is that the Act allows access to data of individuals, companies, or organizations without sufficient court orders. Supporters of the Cloud Act argue that the law is essential to fight crime and facilitate access to evidence.
The Chinese Cybersecurity Law
Recently, Chinese cloud providers such as Alibaba Cloud and Tencent Cloud have also entered the international market. In China, however, there is a law similar to the US Cloud Act: the Cybersecurity Law. The law regulates data handling and cybersecurity in China and gives authorities broad powers to access data stored by companies and users in China. Similar to the Cloud Act, the Cybersecurity Law also allows Chinese authorities to access data stored on servers outside of China.
Many other countries also have their own laws and regulations controlling government access to cloud data. When using cloud services and SaaS solutions, companies, organizations, and individuals should therefore always consider, with regard to data protection, the laws and regulations in their own country and in the country of the cloud provider.
What can be done for data sovereignty?
European individuals, businesses, and organizations should ensure that sovereignty over their data in the cloud is 100% guaranteed for the reasons outlined above. This includes, for example, choosing cloud or SaaS providers that are not located in countries where data sovereignty is at risk due to the laws in place there.
The use of encryption technologies can help prevent data from being read, provided that the private key used for this purpose is managed in another secure location and that the data has only been encrypted with a single private key. However, it must be remembered that when encrypted data is used, such as in cloud computing, the data must be unencrypted in the cloud server’s memory. At that point, at the latest, it could be viewed by third parties.
Compliance and regulatory requirements in the cloud
In today’s digital world, the implementation of compliance and regulatory requirements in the cloud is crucial. In particular, compliance with the European General Data Protection Regulation (GDPR) is a relevant factor here. Companies that fail to comply with these requirements can expect to face severe fines or other sanctions.
In summary, data sovereignty is a crucial factor in cloud-based workflows. It enables organizations to comply with applicable regulations and reap the benefits of cloud computing without losing control of their data.
To ensure successful implementation of data sovereignty in a cloud environment, organizations should constantly assess new risks related to security and privacy and educate themselves about their cloud providers’ platforms and capabilities. Training staff on the proper handling of data and selecting a reputable cloud partner with relevant experience is essential to maximizing the potential of data sovereignty. Ultimately, organizations need to develop an adaptive governance strategy to ensure compliance with data protection regulations and safeguard their data sovereignty.