Corona was the driver for fast and cost-effective digitization. Zoom, MS Teams and other cloud offerings have become an integral part of work culture since the outbreak of the pandemic. This is the only way millions of workers can network at home and easily exchange data. But there’s a catch: none of the popular systems are fully GDPR compliant. They are mostly located in the US or owned by European subsidiaries of US companies – and are therefore subject to US laws, in particular the CLOUD Act. With the CLOUD Act, US authorities can demand the release of any data, even if it is stored in the EU and publication violates the legal system in the country where it is stored.
In plain English: if the FBI or another US agency makes a request, US companies and their subsidiaries must also hand over data from EU customers and EU servers. Providers defend themselves where possible, but none of the IT giants provides a guarantee that the data will remain in Europe and will not be transferred. After all, service providers would otherwise be in violation of US law, and Microsoft, Amazon, and Google could afford GDPR violations even less. What’s more, we’re not just talking about personal data here – which is what the GDPR is about. US laws also extend to company data. Trade secrets are therefore also at risk, because they can be exploited – the Snowden revelations show that this was already the case.
Pragmatism and time pressure prevailed over privacy concerns
The customers, in turn – German and European companies – simply acted pragmatically two and a half years ago when they quickly moved their infrastructure and communication to Teams and other clouds. They ignored privacy concerns. Especially at the beginning of the coronavirus pandemic, things had to be done quickly, often overnight. Legally, this time pressure would not have helped either, but now no one can plead an emergency or ignorance. Even supposedly secure legal structures for data transfers to the US, such as the EU-US Privacy Shield, were declared invalid by a court decision two years ago – so where the use of US service providers rests on that basis, it is no longer GDPR compliant. Data protection authorities have now moved out of ‘pandemic mode’ and are increasingly looking for breaches of the GDPR. So companies are faced with a choice: carry on as before and risk high fines, or look for GDPR-compliant solutions?
Waterproof solutions with EU service providers only
What the solutions could look like is obvious: companies should use the current market situation and opportunities to convert their collaboration tools and cloud solutions to GDPR compliance – and this is only possible with providers that are located in the EU and operate their technology there, i.e. service providers not subject to the CLOUD Act. This puts you on the safe side legally. But if you also want to literally keep your data in your own hands, you can choose private servers instead. In this way, companies can host their data within their own four walls and are no longer dependent on external providers.
Either way, you should definitely say goodbye to US service providers – even if they defend themselves tooth and nail against possible abuse of their security principles, which can only be credited to them. Because it doesn’t help: from a legal point of view, a business relationship with them would be tainted. This is why many banks and public authorities in particular have always kept their hands off US communications service providers. The rest of the German economy must do the same.