Cloud Act vs. GDPR
What you have to know for your Cloud and Data Projects
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a U.S. law in place since 2018 regarding the U.S. government’s access to stored data on the Internet [1]. The CLOUD Act from the USA requires the surrender of data regardless of whether it is located in the United States or elsewhere. This conflicts with the law of the EU and its member states. Without a mutual legal assistance agreement, personal data may not be handed over to US authorities simply because of the GDPR. Affected companies must therefore decide which law they are violating.
Status Quo
There is still no way out of the dilemma. A few weeks ago, a joint statement by the EU Justice Commissioner Didier Reynders and U.S. Commerce Secretary Gina Raimondo merely said that they wanted to intensify negotiations on an improved EU-US Privacy Shield framework in order to comply with the ECJ ruling [2].
Severe penalties for non-application
Personal data is the core concept of data protection. Data protection law only applies when data relates to individuals. The GDPR for example increases fines up to 20 million EUR or, in the case of large companies and groups, up to 4% of the global group turnover of the previous year [1]. When working in the field of Big Data, Data Science or related fields it is essential to know about these laws and how anonymization and pseudonymization give the possibility of still using the data for your use cases.
Solutions
Anonymizing data offers one solution. When data is anonymized, it is no longer personal data. The situation is different with pseudonymized data. With the appropriate additional knowledge, it is possible to determine the reference person.
Possibilities would be to use mechanisms for example in your database like scrambling — An approach would be to mix letters [3]. Scrambling techniques are encryption and hashing or to mask your data . Some of the information is hidden using random characters or **** for example. Scrambling and masking and how ever you implement them, could be seen as anonymization or pseudonymization. Here, it depends on who can cancel the pseudonymization — here, good data access roles and rules model so as the principle of zero knowledge and zero trust is the key.
The zero trust model is a security concept based on the principle of not trusting any device, user or service inside or outside one’s own network. It requires extensive measures to authenticate all users and services and to audit network traffic. In a zero knowledge protocol, two parties (the prover and the verifier) communicate with each other. The prover convinces the verifier with a certain probability that he knows a secret without disclosing any information about the secret itself. In simple words: The cloud provider does not know the client’s encryption keys. This means that data from European companies cannot be passed on to US authorities.
Summary
At the moment, the issue around Cloud Act vs. GDPR seems unresolved. One can only hope for a solution between the two parties soon, so that corporations no longer operate in grey areas. Data protection is becoming an increasingly important issue. Companies want to avoid the risk of horrendous fines, however we all personally should handle personal data with confidence, because everyone wants their personal information to be handled responsibly. For this, I have shown you the general basics to be compliant in the US-Cloud even as an European company. With regard to the painfully high fines for violations of the GDPR, companies are encouraged to identify risks in advance and to develop the product in accordance with the regulations.
Sources and Further Readings
[1] US Congress H.R.4943 — CLOUD Act. (2021)
[2] Handelsblatt, Streit über Cloud-Nutzung in den USA — Wirtschaft sendet Hilferuf an die Bundesregierung (2021)
[3] Johner Institut, Anonymisierung und Pseudonymisierung (2020)