A recent legal opinion from the University of Cologne, commissioned by the German Federal Ministry of the Interior, examines the legal situation in the US with regard to access by US authorities to data, even when that data is stored in Europe. The core finding of the report is that several US laws, most notably the CLOUD Act, the Foreign Intelligence Surveillance Act (FISA) and the Stored Communications Act (SCA), allow access to data physically located outside the US as long as a US provider has control over the data. This means that European data held in the data centers of US providers such as Microsoft, Amazon or Google is not automatically protected against access by US authorities. According to the report, US authorities may issue disclosure or surveillance orders under certain conditions, in some cases without judicial review. In addition, the legal protection available to European companies against such data disclosure orders is currently severely limited.
In practice: what does this mean for companies?
The report confirms what industry associations such as the Bundesverband IT-Mittelstand (BITMi) have been emphasizing: providers with strong US ties create real data protection and compliance risks for European customers.
Specifically, the CLOUD Act provides that US authorities can access data stored by US companies even when that data is located outside the US.
The report states that European subsidiaries of US companies can also be affected: hosting the data only in Europe is not enough. Moreover, US jurisdiction may potentially extend to European companies with links to the US market.
This leads to possible GDPR conflicts, because European data protection standards and US access powers are partly incompatible. BITMi considers European providers whose headquarters, management and owners are all located in the EU to be the most legally secure and reliable option for handling confidential data.
Overall, the keyword here is data sovereignty, which is currently in focus and is also what BITMi is demanding from policymakers. In our blog series on data sovereignty, you will learn why it now counts as one of the central pillars of modern IT security, which current cases affect Europe, and which proven strategies companies can implement.
Recommendation on the protection of sensitive data
Based on the legal opinion on access by US authorities, companies should first conduct a risk analysis to assess the impact of extraterritorial US laws on their data. Under certain conditions, a data protection impact assessment (DPIA, German: DSFA) is mandatory for companies.
A good step towards GDPR compliance is also concluding data processing agreements (AVVs) and checking whether standard contractual clauses are in place. These measures, as well as strong encryption of the data, are helpful, but they do not by themselves rule out the possibility of access under the laws described above.
Where possible, European providers or hybrid architectures should be used to reduce dependence on US law. Particularly sensitive information should remain in European data centers to ensure GDPR compliance, digital sovereignty and strategic independence, while less critical data can be hosted internationally.
We are happy to advise you on the subject of security and data sovereignty, so that you retain control over your data!
Do you want your company to be as secure as possible? To analyze potential threats, our team can carry out a risk assessment for your company and put together a tailor-made security plan as part of our professional IT consulting services.
Just talk to us!
Kind regards,
Your TWINSOFT