US cloud platforms are not compliant with the GDPR
While the German federal government has already decided to rely on a private cloud solution provided by Nextcloud, other governments are still looking for solutions. Many use US cloud computing services and, as the Dutch recently discovered, must conclude that this data is leaking.
Now, the Swedish government has essentially concluded that US clouds (such as Google Drive, Microsoft OneDrive, Dropbox, Box.net, among others) are not compliant with the GDPR, while the US body responsible for privacy oversight admits that it has not been able to perform that oversight in the last two years.
Incidents and reports
The Dutch incident involved data, including the contents of what people wrote in documents and the subject lines of emails, which were collected on US servers for diagnostic (telemetry) purposes. A report commissioned by the Dutch Ministry of Justice concluded that the use of Microsoft's solution "presents a high risk to the privacy of users".
In Sweden, the public procurement agency issued a report confirming that the use of services provided by entities under US control contravenes Articles 44 to 50 of the GDPR (the chapter governing transfers of personal data to third countries) in many ways.
Europe has noticed
It is probably not surprising that the current situation has not gone completely unnoticed. The European Data Protection Board (EDPB) stated in January this year: "In conclusion, the EDPB is not in a position to conclude that the Ombudsman has sufficient powers to access information and remedy cases of non-compliance, and therefore cannot affirm that the Ombudsman can be considered an 'effective remedy before a court' within the meaning of Article 47 of the Charter of Fundamental Rights."
And Giovanni Buttarelli, European Data Protection Supervisor (EDPS), said in a recent interview: "At the moment, there is too much power in the hands of a few mega technology companies and governments. We need to decentralize the Internet, give people more power in their digital lives. Engineers have a valid voice, but they must participate in a conversation with lawyers, ethicists, humanities experts. IPEN, our initiative, is seeking to do so."
It is not unlikely that measures will be taken, for example a legal challenge to the Privacy Shield framework on which most transatlantic transfers currently rely. If this happens, companies that depend on it will have to scramble to find alternative suppliers and repatriate their data to Europe.
What does all this mean?
Summarizing the statements of the US and European authorities, we can conclude:
- US oversight of privacy and surveillance is either sorely lacking or totally absent.
- What they can tell us is that:
  - Data collection on European citizens is ongoing.
  - This data is collected far beyond what would be necessary for counter-terrorism purposes, and it is not known what it is used for.
  - The collections include data obtained from "data brokers", Google, Facebook, credit card companies, etc.
- The European institutions are slowly discovering this:
  - Germany is moving to a self-hosted federal cloud.
  - Sweden concluded that the use of US cloud services is not in line with the GDPR.
  - Pan-European bodies such as the European Data Protection Board and the European Data Protection Supervisor have also warned against it.
It seems reasonable to say that, now that the problem is widely recognized, companies transferring sensitive data across the Atlantic face increasing legal risk and must seek GDPR-compliant cloud solutions that keep the data under their own control.