The Verge reports how Microsoft and the US Department of Justice have withdrawn the Supreme Court case about accessing data held in other countries. The reason is that the new CLOUD Act, signed by President Trump, guarantees US access to data under the jurisdiction of US companies. In other words, if Microsoft can access the data, a US court can order them to hand it over. That the data might be in a German, Dutch or Indonesian data center does not matter. For obvious reasons, this is a decision the Electronic Frontier Foundation strongly disagrees with. What does this mean for European and international companies handling data of European customers? We think that the full access guaranteed to US authorities and law enforcement means no US-owned or US-operated cloud service can legally be used for any privacy-sensitive data of Europeans.
Giving up the fight
With Microsoft and other US cloud companies basically giving up the fight for the privacy and security of their users, US legislation guarantees that law enforcement and government agencies in general have full access to cloud data hosted by US companies. It does not matter whether that data is located in the US, Europe, China or anywhere else. This means European companies that think they are safe and can ignore US law, for example by using European-hosted services from US companies, are up for some potentially huge fines under the GDPR (or DSGVO in Germany).
What does this mean? Microsoft is pretty honest about it:
- We will not disclose data hosted in Microsoft business services to a government agency unless required by law.
- If we are compelled by law to disclose customer data, we will promptly notify the customer and provide a copy of the request, unless we are legally prohibited from doing so.
We know pretty much any request for data of companies or users comes with a so-called ‘gag order’, forbidding any communication to the targeted organization or individual, so when the data is handed over, you won’t know. That’s one big advantage of a local data center: if you’re compelled to hand over data to a government agency, at least you’ll know and can take appropriate measures. And, of course, it can only be the government of the country you’re operating in, not the government of any country your hosting company operates in.
Serious business risk
It should be rather obvious that when the US government can compel Microsoft, Google, Dropbox or others to hand over data of users and businesses (in secret), you can count on other governments being able to do the same. From Australia to Zimbabwe, if Microsoft wants to have a presence, they have to, and have promised to, abide by local law. And if that law requires them to hand over data and not talk about it, they will.
Perhaps you trust government 100% with the data of your customers. Maybe you don’t. In either case, if data of your customers leaks due to the incompetence or malice of any of those governments that can compel your hosting provider to hand over data, or if your customers simply find out that you (or your hosting provider) handed over data to the government of Zimbabwe, China, Japan or Montenegro, lawful or not, they can sue you under the GDPR in Europe.