Does your use of cloud services lead you to violate the GDPR? Can you store your data on AWS, Azure, … and still comply with the GDPR? The American Cloud Act sows doubt and creates a legal uncertainty which we discussed with Me. Jérôme Tassi, an attorney at the Paris Bar.
The starting point for this article (and the accompanying video) is a thought brought to me by an entrepreneur friend. He was worried that his company’s data would be stored with Microsoft, Google, or Amazon. Because of the Cloud Act, he feared that his data would end up in the hands of his competitors.
The Cloud Act: a very intrusive American legislation
The Cloud Act (“Clarifying Lawful Overseas Use of Data Act”) is a US federal law passed in March 2018. It allows the US government to access data held by US companies regardless of where that data is physically stored. Me. Jérôme Tassi explained that the Cloud Act was born out of a dispute between the US federal authorities and Microsoft: in one case, Microsoft invoked the data’s location (in Ireland) to refuse to hand it over to the American government.
This is how the Cloud Act came about, from the American government’s desire to assert control based on the nationality of the company holding the data rather than on the data’s geographical location. Except that in Europe, we are supposed to be protected by the GDPR, you might say. So what is the link between the Cloud Act and the GDPR?
Is the Cloud Act incompatible with the GDPR?
Article 48 of the GDPR specifies that an international agreement is required to transfer data outside the European Union. Since there is currently no such agreement between the United States and Europe, there is only one possibility: a judicial warrant. In other words, an American court must be convinced of the existence of a federal crime to request the transfer of data stored outside the United States by an American provider. This dramatically reduces the risks.
Nevertheless, the legal vagueness remains, and specific rules are necessary in the absence of case law.
What can you do to comply with the GDPR without fearing the Cloud Act?
Me. Tassi recommends being careful and, if possible, avoiding hosting data with Google, Amazon, or Microsoft. The French government has already taken the lead by publishing a doctrine called “Cloud at the center” that prescribes the Cloud as the place to house data for French administrations but prohibits using solutions that do not hold the “SecNumCloud” certification. Microsoft, Amazon, and Google, which together hold 69% of the Cloud storage market, do not hold this certification and are de facto excluded from the French administration.
So if you want to sleep soundly, turn to one of the solutions that hold the SecNumCloud certification. To date, there are only 3 trusted Service Providers: Oodrive, Outscale, and OVH.
Advice: consider checking what your suppliers are doing
Getting ahead of the Cloud Act and the GDPR also means checking the status of your suppliers. Remember that the notion of joint controllership (joint responsibility) was introduced by Article 26 of the GDPR.
We must distinguish two situations:
- If you collaborate with third-party companies and you define the purposes of the processing together, make sure you take the necessary precautions regarding data hosting.
- If you use sensitive SaaS services, ask where they store their data. There is a 9 out of 10 chance that it is on a US cloud, in which case it would be appropriate to have them read this article.
The Sovereign Cloud
There is currently a lot of talk about the “sovereign cloud” and the “trusted cloud,” and there has been a lot of news on the subject lately. Slowly but surely, interest in digital independence is gaining ground. The Covid crisis has shown all too clearly our dependence on China for electronic components; the situation is the same in the digital sector vis-à-vis the United States. Deutsche Telekom, for example, is the leading European cloud player with a 2% market share, a mere trifle compared to 32% for AWS (Amazon), 20% for Azure (Microsoft), and 9% for Google.
To counter the European backlash, the American players are getting organized. Microsoft has announced the launch of “Bleu” in partnership with Orange and Capgemini; Google has signed with Thales. So it is American technology that will be deployed on European infrastructure. One may wonder whether this is the right solution, because the dependence on Uncle Sam’s technology will always be there. What Europe needs is complete sovereignty, which would allow it to free itself, as China has done, from American pressure tactics and manipulations.