The Great Cloud-Quake: US Told to Stop Spying, or Forfeit Right of Access to Personal Data – Computer Business Review



Twice the USA has signed data-sharing arrangements with the EU, called Safe Harbor and Privacy Shield, in which each side promised to respect the privacy of personal data shared by the other. Unfortunately, while Europeans see privacy as a human right, America sees national security as the greater priority, writes Bill Mew, Founder and CEO, The Crisis Team. Consequently, while the EU has abided by its privacy obligations under those arrangements and introduced GDPR to enhance protection, the US has taken a series of actions to increase mass surveillance at the expense of privacy, thus undermining its obligations.

Examples of these actions would be:

Politicians were keen not to rock the boat, and so during the annual reviews of Privacy Shield the Europeans expressed their concerns but avoided taking action against the USA. This shadow dance came to an end recently when Privacy Shield was struck down by the Court of Justice of the EU in the Schrems II ruling, and restrictions were imposed on the use of Standard Contractual Clauses (SCCs), the principal remaining legal mechanism for transferring personal data across the Atlantic.

We are still waiting for an interpretation and ruling by the local DPAs in France and Germany, as well as the ICO in the UK. However, the logic is fairly clear:

We have already seen guidance on Cloud Services for Criminal Justice Organisations (Police, Courts, CPS, Prisons/MoJ, etc.), and these people know their law.

It states that MS Teams cannot be used LAWFULLY for discussion or sharing of any personal data, and that this also applies to any other cloud service (hosted in or on Azure, AWS or GCP) for any OTHER type of discussion or sharing (i.e. processing) of any personal data. This guidance, if extended across the rest of the public and private sector (as it should be), will impact all use of everything from Gmail and Office 365 to Salesforce, LinkedIn and Facebook.

How do we get around this?

You have different data types:

Possible solutions:

You can continue to use the big US cloud providers for (A) and (B), while using a local, in-country cloud provider for (C). This entails a data-management overhead: you must classify data correctly and ensure ongoing compliance across any such multi-cloud environment.

Alternatively, you could migrate (A), (B) and (C) to a local player that offers a sufficient variety of services at scale. Unfortunately, few regional players have adequate scale or an international presence to support you across multiple nations and regions, and if they have operations in the USA then they'd potentially fall under FISA 702 themselves.

A few players, such as OVHcloud, saw this situation coming and structured themselves so that their EU and US operations are separate from one another. As Forrester recently noted, this enables OVHcloud to offer unified services at scale within a CLOUD Act-free European environment. The ruling also provides a shot in the arm for the recent GAIA-X European cloud initiative.

All eyes are now on the ICO, though: to see what its guidance is and what kind of fudge it seeks to sell us. But the ruling is fairly clear and provides it with little room for manoeuvre.

Are you a CDO, counsel or data protection specialist? Do you agree or disagree with Bill's view? Let us know by emailing our editor.
