US law in European data centres? The CLOUD Act makes it possible

Imagine storing sensitive data in a data centre in the middle of Europe. GDPR-compliant, ISO-certified, physically secured. What if this very data - customer information, payslips or project details - could suddenly end up on the desk of a US authority?

What many people don't realise is that several US laws reach far beyond the country's borders. Even data that is stored exclusively in Europe can be affected - without your knowledge and without your consent.
In addition to the much-discussed CLOUD Act, the Patriot Act and the Foreign Intelligence Surveillance Act (FISA) require companies to hand over data at the request of US authorities - regardless of where this data is physically located.

This obligation applies not only to parent companies based in the USA, but also to their European subsidiaries. Anyone with even one foot in the USA cannot escape this and can be forced to hand over data.

"American law applies in clouds with American roots - and this is followed without restriction", according to a recent post on CloudComputing-Insider.

This makes it clear that anyone who relies on providers such as AWS, Microsoft or Google Cloud is giving up control over their own data and thus part of their digital sovereignty.

Data access by law: what the CLOUD Act actually means

The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was passed in 2018 to enable US investigative authorities to access data - even if it is stored on servers outside the USA. Companies such as Microsoft, Google and Amazon are therefore obliged to provide personal and business-critical data on request - even if this violates European data protection law such as the GDPR.

In addition, neither the data subjects nor European authorities need to be informed. Legal recourse is also excluded in many cases.

It is precisely where confidentiality, data protection and regulatory requirements are non-negotiable that this legal situation becomes a weak point.

A recent report at Heise Online illustrates just how real this risk is: In a hearing before the French Senate, Anton Carniaux, Chief Legal Counsel of Microsoft France, stated that Microsoft cannot guarantee that data from European authorities will not be transferred to the US government. Even if such cases have not yet occurred, Microsoft must co-operate with formally correct requests for information from US authorities. What is particularly critical is that the affected entities may only be notified if the US authorities authorise this.

Questions that organisations should ask themselves

Whether in companies, public administration or critical infrastructure - wherever sensitive or personal data is processed, decision-makers should ask themselves the following questions:

  • Is my infrastructure fully compliant with the European legal framework?
  • What does possible access by US authorities mean for my confidentiality obligations?
  • Can I, as the controller, ensure compliance with the GDPR at all times?
  • Is my organisation prepared to no longer have control over its own data in case of doubt?
  • What alternatives are open to me - also with a view to long-term digital sovereignty?

OpenCloud: Collaborative file management under your own control

For European companies, authorities and organisations that require maximum control over their data, this legal situation poses a real risk - not only for data protection, but also for confidentiality, competitiveness and decision-making sovereignty.

OpenCloud offers a sovereign alternative: a cloud infrastructure for collaborative, secure file management that is exclusively subject to German and European law - developed, operated and hosted in Germany. What's more, OpenCloud is also available as an on-premises solution. This means that our platform can be operated in your own infrastructure or in a data centre of your choice - completely under your control, without dependence on third countries.

This not only protects your data from unauthorised access; you also retain full control over your IT, both technologically and legally.

Conclusion: Confidential data in someone else's hands? Not a good idea.

The impact of US laws on European data processing is an important factor when choosing an IT infrastructure. Anyone who relies on providers that are subject to US law should be aware of the possible consequences and carry out appropriate risk assessments.

The Heinlein Group is pursuing a consistent strategy with OpenCloud, OpenTalk and mailbox.org: digital infrastructures that are exclusively subject to German and European law - developed, operated and hosted in Germany.

Transparent. Secure. Independent.