We have covered the risks of public clouds frequently, and governments seem to be taking notice. While the German Federal Government has already decided to rely on a Nextcloud-based private cloud solution, other governments are still searching. Many rely on US cloud services and, as the Dutch recently found out, have to conclude that these leak data. Now the Swedish government has essentially concluded that US clouds are not GDPR compliant, while the US privacy oversight board admits it has not been able to exercise meaningful oversight for the last two years.
It is time to take back control over enterprise data in Europe!
Incidents and reports
The Dutch incident involved data, including what people wrote in documents and the subjects of emails, being collected on US servers for diagnostic purposes. A report commissioned by the Ministry of Justice noted that the use of Microsoft’s solution “brought high risk for the privacy of the users”.
In Sweden, the government procurement office published a report which confirmed that the use of services delivered by US-controlled entities is in breach of GDPR Articles 44 to 50 (the rules on transfers of personal data to third countries) in many ways. This was later confirmed again:
The Swedish Social Insurance Agency, one of the largest authorities with 14000 employees, concludes that there is a conflict between the Cloud Act and GDPR.
American cloud solutions therefore cannot be used either for confidential information or for personal data.
Furthermore, they see cloud storage of public sector data as giving up sovereignty.
The state of US Privacy oversight
Now, the US government’s Privacy and Civil Liberties Oversight Board (PCLOB) has published a set of statements made by the members of the board. From the statements, it appears that PCLOB has not been able to operate at full capacity or exercise its oversight duties: for 20 months the board had no quorum, it has insufficient funding, and it does not receive the information it is entitled to from the Intelligence Community that would allow it to perform its duties.
The statements also confirm that several intelligence operations affecting EU citizens have been ongoing:
“The permitted purpose of surveillance under E.O. 12333 is quite broad, encompassing all activities and intentions of non-U.S. persons. This broad authority has resulted in broad surveillance programs, including ‘Co-Traveler’, through which the U.S. captured billions of location updates daily from mobile phones around the world, and ‘Muscular’, through which the NSA intercepted all data transmitted between certain Google and Yahoo! data centers outside the U.S.”
In another section, the board draws attention to the collection of data from third-party “data brokers” (which could be anything from credit rating agencies to website analytics providers) for “big data” analysis:
“We are particularly concerned with the possible disclosure by data brokers to governmental entities of metadata which, if sought by the government directly from a communications service provider, could not be disclosed to governmental entities without legal process.”
The board noted that they only knew what was happening due to the Snowden revelations and that they have since been kept in the dark: “Now, nearly six years removed from the Snowden revelations, we are receiving very little new information.” Moreover: “Although the government often defends its foreign intelligence surveillance authorities as important tools in its effort to detect and prevent terrorism, the reality is that the authorities sweep far more broadly.” So what else is collected, and what is it used for? “The extent of the government’s use of its surveillance authorities to target journalists, dissidents, and others not engaged in wrongdoing is not known.”
Europe has noticed
It is probably not a big surprise that the current situation hasn’t gone entirely unnoticed. The European Data Protection Board (EDPB) stated in January of this year: “As a conclusion, the EDPB is not in a position to conclude that the Ombudsperson is vested with sufficient powers to access information and to remedy non-compliance, and it can thus not state that the Ombudsperson can be considered an ‘effective remedy before a tribunal’ in the meaning of Art. 47 of the Charter of Fundamental Rights.”
And Giovanni Buttarelli, European Data Protection Supervisor (EDPS), stated in a recent interview:
“At the moment there is too much power in the hands of a few mega tech companies and governments. We need to decentralise the internet, give more power to people over their digital lives. Engineers have a valid voice but they need to be part of a conversation with lawyers, ethicists, experts from the humanities. IPEN, our initiative, seeks to do this.”
It is not unlikely that action will follow, for example a challenge to the Privacy Shield framework. If such a challenge succeeds, companies currently betting on Privacy Shield will have to scramble to find other vendors and get their data back into Europe.
What does it all mean
Recapping the statements by US and EU government bodies, we can conclude:
US oversight of privacy and surveillance is severely lacking, or entirely absent.
What they can tell us is that:
There is ongoing data collection on European citizens
That data is collected far beyond what would be needed for anti-terrorism purposes, and it is unclear what it is used for
The collection and disclosures include data obtained from ‘data brokers’, think Google, Facebook, credit card companies and so on
European institutions are slowly figuring this out.
Germany is moving to a self-hosted, federal cloud
Sweden has concluded that the use of US cloud services is not GDPR compliant
Pan-European institutions like the European Data Protection Board and the European Data Protection Supervisor are also warning about it
It seems safe to say that, given the problem is now widely acknowledged, organizations still putting sensitive data abroad face a growing legal risk and should be searching for solutions that keep data under their control.
How to avoid the risks
Self-hosting data continues to be the most straightforward way to comply with privacy regulations, since no data leaves the jurisdiction. Of course, self-hosted solutions have to be competitive with the cloud services offered by US vendors.
By providing an extensible, flexible content collaboration platform, Nextcloud offers a solution for organizations looking to modernize while not losing control over their data.
Nextcloud makes data available to users wherever it is stored. There is no need for new storage solutions or for moving all data over. Easy integration and quick deployment bring organizations into a compliant, secure state quickly.
Secure with a low barrier to entry
Its familiar, easy to use interface on web, mobile and desktop allows users to work efficiently and be confident everybody has access to the same, latest version of data. Its enterprise capabilities ensure IT maintains full control over sharing, retention and availability of data within and across the boundaries of the organization.
Decentralized and hybrid
Last but not least, Nextcloud is a good fit for a hybrid cloud strategy, enabling universal access to data irrespective of where it is stored: on an internal network, in the cloud or even at a partner. Through Global Scale, it is possible to host multiple separate Nextcloud servers to ensure data locality rules are met, while inter-server sharing and encryption of untrusted storage ensure data is both safe and seamlessly accessible at all times.
Why self-hosting?
Simply keeping your data behind your company firewall rather than in a foreign cloud simplifies both compliance and security.
With Nextcloud, you don’t lose the benefits of modern cloud collaboration and team productivity!
Why file sync and share?
Your FTP server or Windows network drive simply doesn’t suffice: employees work around it rather than with it, using Dropbox and other unsafe solutions.
Nextcloud puts your IT back in control over your data.
Why Nextcloud?
Nextcloud provides a unique combination of security and control over data without compromising usability.
Being open source means no vendor lock-in and an unprecedented degree of integration into enterprise infrastructure.
Fast deployment: secure your data now
Nextcloud is famously easy to deploy and easy to use, a key reason behind its market leadership.
Learn more about how Nextcloud solves the problem of unsecured and uncontrolled sharing of data in modern organizations.