The US Cloud Act has a major impact on European companies and cloud providers, even those with no establishment in the US. To stay out of its reach, affected cloud companies should process data exclusively through a non-US entity.
That is the conclusion of the Amsterdam law firm Greenberg Traurig in a study commissioned by the National Cyber Security Centre (NCSC), part of the Ministry of Justice and Security. The firm sets out in detail which steps European companies should take to stay clear of the US cloud law and what options exist to reduce the risks. Contrary to popular belief, European companies and data storage in Europe are not immune to US law. Data that is processed and stored entirely in Europe can still be subject to it: US law enforcement can demand that data even if it has never left Europe.
The Cloud Act shows what legislation with extraterritorial effect means in practice. Legislation in the digital domain increasingly has such an effect, which makes securing information in the EU, and complying with EU and national rules on information security and data protection, more difficult.
Greenberg Traurig's main advice is not to process data through an entity that has a corporate relationship with a company based in the US, such as a US subsidiary. Where such a relationship does exist, the US company must have no ownership, custody or control over the data stored in the EU.
Under no circumstances should a US parent company be involved, since a parent would be deemed to have possession of or control over its subsidiary's data. Furthermore, it is advisable not to employ US citizens in roles with access to the relevant data.
There are, incidentally, ways to become "immune" to US cloud legislation, and Greenberg Traurig lists them. Proper encryption, such as Microsoft's Double Key Encryption (DKE), also prevents access to most data, provided the customer-held key stays outside the provider's reach. A risk-based approach could lead to the conclusion that the risks are low, the Amsterdam lawyers cautiously argue.
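To make the encryption point concrete, the following is an added Go sketch of the two-key principle behind double key encryption. It is not Microsoft's implementation and not code from the NCSC study: the per-document data key is wrapped first with a key held only by the EU customer and then with the provider's key, so a disclosure order served on the provider alone yields ciphertext it cannot open. The keys, the in-memory key store and the sample document are all constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func newKey() []byte {
	k := make([]byte, 32) // 256-bit AES key, constructed at random for the demo
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts with AES-256-GCM and prepends the random nonce to the output.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; a wrong key fails GCM authentication and returns an error.
func openGCM(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// StoredObject is everything the cloud provider holds at rest for one document.
type StoredObject struct {
	Ciphertext []byte // document encrypted under a per-document data key (DEK)
	WrappedDEK []byte // DEK wrapped with the customer key, then with the provider key
}

// Protect runs on the customer side: the DEK only ever leaves doubly wrapped.
func Protect(customerKey, providerKey, document []byte) (*StoredObject, error) {
	dek := newKey()
	ct, err := sealGCM(dek, document)
	if err != nil {
		return nil, err
	}
	inner, err := sealGCM(customerKey, dek) // layer only the EU entity can remove
	if err != nil {
		return nil, err
	}
	outer, err := sealGCM(providerKey, inner) // layer the provider removes for authorised users
	if err != nil {
		return nil, err
	}
	return &StoredObject{Ciphertext: ct, WrappedDEK: outer}, nil
}

// Recover needs both keys: the provider's for the outer layer, the customer's for the inner.
func Recover(customerKey, providerKey []byte, obj *StoredObject) ([]byte, error) {
	inner, err := openGCM(providerKey, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	dek, err := openGCM(customerKey, inner)
	if err != nil {
		return nil, err
	}
	return openGCM(dek, obj.Ciphertext)
}

// ProviderOnlyAttempt models a disclosure order served on the provider alone: it can peel
// its own layer, but what remains is the DEK under a key it does not hold.
func ProviderOnlyAttempt(providerKey []byte, obj *StoredObject) ([]byte, error) {
	inner, err := openGCM(providerKey, obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	dek, err := openGCM(providerKey, inner) // the only key the provider has; authentication fails
	if err != nil {
		return nil, fmt.Errorf("cannot unwrap DEK without the customer key: %w", err)
	}
	return openGCM(dek, obj.Ciphertext)
}
```

The protection holds only as long as the customer key is generated and kept by the EU entity (on its own key server or HSM); if the provider, a US parent, or a subcontractor can reach that key, the scheme collapses to ordinary provider-side encryption, which a disclosure order can compel the provider to undo.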
An example of such an approach is the Data Protection Impact Assessment (DPIA) carried out for Microsoft Teams. Microsoft's new EU Data Boundary also appears to keep data from flowing from the EU to the US, which can likewise offer protection against the law. The French initiative Bleu, from Capgemini and Orange (with Microsoft), also seems to be heading in the right direction, and Google is reportedly working on similar initiatives.
The lawyers further note that the Cloud Act can also reach data through the subcontractors and suppliers of hardware and software to cloud providers. If Microsoft uses Cisco routers, for example, and Cisco has access to EU customers' data via those routers, that access must be addressed as well.
Chinese Data Security Law
A blog by Arnoud van Petersen, CIO of the NCSC, shows that the US Cloud Act is not the only "threat". The Chinese Data Security Law (DSL) also applies elsewhere in the world. It regulates the processing of data in China, but also data or information outside China when it is "relevant to the national security or other social interests of China." This type of legislation is directly relevant because more and more hardware, software and digital services come from China. Without the NCSC naming Huawei, it is clear that this also refers to that company, which exports more and more servers and AI software.