Until now, data protection officers in European companies believed they were on the safe side with a cloud provider whose data centres are in the EU. But the CLOUD Act is not limited to companies headquartered in the US; it also reaches those that merely have a branch office or business activity there.
The CLOUD Act governs the handling of data that is physically located outside the USA but for which a US company is responsible. It obliges US companies to disclose such data to US authorities on the strength of a US warrant or court order alone, without involving the courts or authorities of the country where the data is stored, and the same obligation reaches other companies if they are part of a US group or exchange data with US companies.
This means that storing data in European data centres does not automatically ensure that GDPR requirements are met. The following situations can be distinguished:
Subsidiary of a US company
For a company operating in Germany or elsewhere in the EU that sits within a US group structure, the CLOUD Act applies even without any data transfer to the USA. The parent company is subject to US law, and therefore all of its subsidiaries are as well. An objection is not possible.
German or EU company with a subsidiary in the USA
A company headquartered in the EU that has a subsidiary in the USA and exchanges data with it could initially reject a data disclosure request from a US authority by reference to national law such as the GDPR. However, reprisals against the US subsidiary can be expected in order to increase the pressure.
German or EU company with US service providers
Under the CLOUD Act, companies are required to disclose not only their own data but any data in their possession, custody or control. A German or EU company that has its data processed by a hosting or cloud service provider with a connection to the USA is therefore also affected by the CLOUD Act.
Data protection officers must therefore check thoroughly which cloud provider they use. If they choose a US cloud provider, they accept the risk of access by US authorities without ever learning of it: they would not know whether, where, for how long, or by whom the data is being accessed.
"As a result of the CLOUD Act, companies today have to carefully consider which (software) provider they choose. The server location plays a decisive role here. With a German cloud solution like DRACOON you can exclude external access to your data", confirms Christian Volkmer, data protection expert and managing director of Projekt 29 GmbH & Co. KG.
>>> To be on the safe side, data protection officers should therefore rely on German or European providers like DRACOON that neither have a branch in the USA nor are a US subsidiary.