Data protection in the cloud: US laws versus GDPR

Updated on: 15.6.2025

When choosing a cloud provider, many decision makers are uncertain as to whether US services comply with European data protection regulations.

When choosing a cloud service provider, the regulatory net is becoming ever tighter for many corporate customers. Strong protection requirements for storing personal data in the cloud, but also cybersecurity laws and regulations such as the KRITIS umbrella law or the NIS2 regulations expected later this year, are placing ever higher demands on cloud service providers as well as on decision makers in organizations.

The central question for many companies is whether their data is stored and protected in the cloud just as securely with US providers as with domestic services. In order to be able to answer this question, it is important to take a look at the respective laws.

Starting point: General Data Protection Regulation (GDPR)

For all companies and organizations within the EU that process personal data, the General Data Protection Regulation (GDPR), which has been binding since 2018, is relevant. According to the GDPR, a transfer of personal data to authorities in third countries outside the EU and the EEA is only possible if there is a legally binding international agreement between the EU and the requesting third country, such as a legal assistance agreement.

If cloud service providers within the scope of the GDPR transfer personal data to third countries without the corresponding legal requirements being met, fines of up to 20 million euros or four percent of the offending company's global annual turnover may be imposed in accordance with Article 83 (5) GDPR, whichever value is higher in the individual case.

In the USA, on the other hand, there are several laws and presidential instructions in force that cannot be brought into line with the GDPR:

The Patriot Act

The so-called Patriot Act was passed in response to the terrorist attacks in New York on September 11, 2001 and regulates the transfer of personal data by communication service providers to US authorities. Under it, cloud service providers in the USA must release such data to domestic authorities upon request if the data is stored within the USA. The Patriot Act has gained some notoriety in recent years in the context of so-called National Security Letters issued by US authorities.

These are official orders that prohibit communication service providers from informing data subjects that their data has been transferred. As a result, data subjects do not even know that US authorities are conducting an investigation against them and have obtained their personal data.

The CLOUD Act

The CLOUD Act (acronym for “Clarifying Lawful Overseas Use of Data Act”) enacted by the first Trump administration in 2018 expands the Patriot Act and allows US authorities to access personal data stored abroad if the corresponding servers are operated by a US company or its subsidiary abroad.

With this law, Microsoft, Google, Amazon and other US providers are therefore forced to release data to American government institutions upon request, even if the data is not stored directly on servers in the USA. It is irrelevant whether it is data from private individuals or companies.

European cloud providers that are taken over by US competitors, and are therefore under their control, will also be subject to the CLOUD Act in the future and will be required to release data on official instruction. However, American courts can block the release if the data concerns citizens without US nationality.

The CLOUD Act also allows US authorities to demand the surrender of all data stored on US cloud services from foreign companies without individual court approval. As a result, foreign companies lose data sovereignty and also sovereignty over their intellectual property as well as business and trade secrets when they are stored in the cloud of a US provider.

Data protection undermined by FISA

Another problem in the context of personal data protection is the FISA Act (acronym for “Foreign Intelligence Surveillance Act”). Section 702 FISA — and here in particular the 50 U.S. Code § 1881a — allows US authorities to access all communication data processed by US companies.

According to these regulations, the Attorney General and the Director of the US Security Services may grant permission to obtain information about persons of foreign citizenship, even if they are outside the USA. Obtaining the information simply has to be in the interest of the USA. The FISA Act applies extraterritorially, meaning that its effect is not limited to the territory of the USA.

Executive Order 12333

Executive Order 12333 proves to be an additional problem in the context of data protection among US cloud service providers and their subsidiaries. This provision, issued back in 1981 by then-US President Ronald Reagan, allows US intelligence services to carry out surveillance outside the USA.

Here, too, the focus is on communication data, but the order does not target companies or individuals; it targets nodes of the global communication infrastructure, such as submarine cables, via which data is transferred to the USA.

Doubtful intergovernmental regulations

With the entry into force of the General Data Protection Regulation (GDPR) in 2018, there were significant contradictions in ensuring legally compliant data protection for cloud providers from the USA and their local subsidiaries. In Articles 44 to 49, the GDPR explicitly prohibits the transfer of personal data to countries outside the EU (so-called “third countries”) unless an adequate level of data protection has been established in the third country.

As early as 2020, the European Court of Justice (ECJ) criticized the extent of US surveillance programs and the lack of legal remedies for EU citizens against data processing by the American authorities in its highly regarded Schrems II ruling on the so-called Privacy Shield (Case C-311/18 of 16.07.2020). Citing the lack of legal protection options for EU citizens, the ECJ had already declared the Safe Harbor Agreement invalid in 2015.

Following these two failed attempts, the EU Commission concluded the so-called EU-US Data Privacy Framework with the USA in 2023 as an informal agreement for electronic data exchange. This framework is intended to establish the adequacy of the level of data protection in the USA when the relevant cloud service providers self-certify with the US Department of Commerce. For EU citizens, the agreement also offers marginally improved legal protection.

However, the EU-US Data Privacy Framework is also subject to substantiated criticism. In 2023, for example, the EU Parliament passed a resolution with 306 votes in favour to 27 against, which doubts the compliance of the new framework agreement with existing EU law. In particular, EU citizens are not sufficiently protected against mass surveillance by the US intelligence services.

The non-governmental organization “NOYB — European Center for Digital Rights” is also seeking a hearing on the EU-US Data Privacy Framework before the European Court of Justice. Its CEO Max Schrems has already brought down the two previous agreements.

Policy developments

Political developments are also calling into question the lawfulness of transferring personal data from the EU to the USA or to European locations of US services. For example, the Trump administration has announced a review of all executive orders issued by the Biden administration. In addition, the three Democratic Party members of the Privacy and Civil Liberties Oversight Board (PCLOB) were dismissed.

As an independent authority, the PCLOB is intended to monitor compliance with data protection regulations by US intelligence agencies and government institutions and is therefore an important part of the EU-US Data Privacy Framework. The task of the PCLOB is to prevent an overly generous interpretation of the CLOUD Act. The authority, which currently has only two members, is not only significantly limited in its ability to act as a result of the dismissals, but is also not politically independent, since it rests on executive orders that the incumbent US President can easily change.

The same applies to the two-stage appeal mechanism for EU citizens, which is provided for in the EU-US Data Privacy Framework. This is also not legally fixed. Only the existence of the PCLOB is legally guaranteed.

Due to the lack of independence of the PCLOB, the German Federal Data Protection Commissioner and the Swedish Data Protection Authority have already doubted the longer-term validity of the Transatlantic Data Privacy Framework under the given circumstances. Even before the Trump administration took office at the end of 2024, the European Data Protection Board (EDPB) adopted a report calling for improvements to the framework agreement.

Evasive manoeuvres by US cloud providers

Numerous US providers of cloud services have now responded to the fundamental incompatibility between the GDPR and US laws. They are trying to defend the lucrative EU market with various auxiliary constructs. Solutions such as the “EU Data Boundary” promoted by Microsoft or various encryption mechanisms cannot hide the fact that such constructs neither repeal the CLOUD Act nor impress US intelligence agencies.

How US authorities will react to such circumvention practices remains to be seen. A corresponding extension of the CLOUD Act, which prohibits the establishment of such isolated environments in the future, is also conceivable. All companies and organizations based in the EU and the EEA that store and process personal data on US services are thus subject to a legal and legislative sword of Damocles, which entails a significant business risk.

Secure and GDPR-compliant in the long term

For companies and government institutions in the EU that want to process their data in the cloud in a legally secure and optimally protected manner in the long term, the only eligible option is therefore a cloud service provider in the EU that is subject to the appropriate regulations and cannot create any grey areas when it comes to data protection and data security.

Violations of the GDPR, which can be punished with heavy fines of up to nine figures, not only damage a company's public reputation, but also destroy trust.

Decision-makers who want to commission a cloud service should therefore always pay attention to the origin of potential service providers and their server locations. In addition, cloud providers should be able to present the relevant certifications to demonstrate a correspondingly high level of security.

Secure Cloud is not only completely technically and organizationally independent of US services, but thanks to a current ISO 27001 certification and a BSI C5 certificate, it also has a level of security that only a few medium-sized German cloud providers can demonstrate. With us, your data is therefore always in good hands — without running the risk of operating in a legal grey area.
