{"id":5700,"date":"2019-03-26T10:00:13","date_gmt":"2019-03-26T10:00:13","guid":{"rendered":"https:\/\/nextcloud.com\/?p=5700"},"modified":"2025-12-05T14:35:27","modified_gmt":"2025-12-05T13:35:27","slug":"eu-and-us-government-agencies-converge-on-conclusion-us-cloud-platforms-not-compliant","status":"publish","type":"post","link":"https:\/\/nextcloud.com\/es\/blog\/eu-and-us-government-agencies-converge-on-conclusion-us-cloud-platforms-not-compliant\/","title":{"rendered":"EU and US government agencies converge on conclusion: US cloud platforms not GDPR compliant"},"content":{"rendered":"

We have covered the risks of public clouds frequently<\/a> and governments seem to take notice. While the German Federal Government has already decided to rely on a Nextcloud-provided, private cloud solution<\/a>, other governments are still searching. Many rely on US cloud services and, like the Dutch recently found out,<\/a> have to conclude that these leak data. Now the Swedish government has essentially concluded US clouds are not GDPR compliant<\/strong> while US privacy regulators admit they haven’t been able to do any oversight in the last two years.<\/p>\n

It is time to take back control over enterprise data in Europe!
\n\"\"<\/p>\n

\n

the use of services delivered by US controlled
entities is in breach of GDPR<\/p><\/blockquote>\n

The Swedish Government Procurement Office<\/p>\n<\/div>\n

Incidents and reports<\/h2>\n

The Dutch incident, involved data, including what people wrote in documents and the subject of emails, being collected on US servers for diagnostic purposes. A report from the ministry of Justice noted that the use of Microsoft’s solution \u00abbrought high risk for the privacy of the users\u00bb.<\/p>\n

In Sweden, the government procurement office published a report<\/a> which confirmed that the use of services delivered by US controlled entities is in breach of GDPR Articles 44 to 50 in many ways. This was later confirmed again:<\/p>\n

The Swedish Social Insurance Agency, one of the largest authorities with 14000 employees, concludes that there is a conflict between the Cloud Act and GDPR.<\/p>\n

American cloud solutions therefore cannot be used neither for confidential information, nor personal data.<\/p>\n

Furthermore, they see cloud storage of public sector data as giving up sovereignty.<\/p><\/blockquote>\n

Link to original article<\/a> and link to a English PDF translation<\/a><\/p>\n

\n

for 20 months the board had no quorum,
it has insufficient funding and it doesn\u2019t
receive the information its entitled to<\/p><\/blockquote>\n

The state of US Privacy oversight<\/p>\n<\/div>\n

Now, the US government’s Privacy and Civil Liberties Oversight Board (PCLOB) has published a set of statements made by the members of the board.<\/a> From the statements, it appears that PCLOB hasn\u2019t been able to operate to its full capacity and exercise its oversight duties as for 20 months the board had no quorum, it has insufficient funding and it doesn\u2019t receive the information its entitled to from the Intelligence Community which would allow it to perform its duties.<\/p>\n

The statements confirm also that several intelligence operations affecting EU citizens have been ongoing:
\n\u201cThe permitted purpose of surveillance under E.O. 12333 is quite broad, encompassing all activities and intentions of non-U.S. persons. This broad authority has resulted in broad surveillance programs, including \u2018Co-Traveler\u2019, through which the U.S. captured billions of location updates daily from mobile phones around the world, and \u2018Muscular\u2019, through which the NSA intercepted all data transmitted between certain Google and Yahoo! data centers outside the U.S.\u201d<\/p>\n

In another section the collection from third party \u201cdata brokers\u201d, that could be anything from credit rating agencies to web sites analytics, used for \u201cbig data\u201d analysis has drawn their attention:
\n\u201cWe are particularly concerned with the possible disclosure by data brokers to governmental entities of metadata which, if sought by the government directly from a communications service provider, could not be disclosed to governmental entities without legal process.\u201d<\/p>\n

The board noted they only knew what was happening due to the Snowden revelations and they have since been kept in the dark: \u201cNow, nearly six years removed from the Snowden revelations, we are receiving very little new information.\u201d Moreover: Although the government often defends its foreign intelligence surveillance authorities as important tools in its effort to detect and prevent terrorism, the reality is that the authorities sweep far more broadly.\u201d So what else is collected and what is it used for? \u201cThe extent of the government\u2019s use of its surveillance authorities to target journalists, dissidents, and others not engaged in wrongdoing is not known.\u201d<\/p>\n

Europe has noticed<\/h2>\n

It is probably not a big surprise that the current situation hasn’t gone entirely unnoticed. The European Data Protection Board (EDPB) stated in January of this year: \u201cAs a conclusion, the EDPB is not be in a position to conclude that the Ombudsperson is vested with sufficient powers to access information and to remedy non-compliance, and it can thus not state that the Ombudsperson can be considered an \u2018effective remedy before a tribunal\u2019 in the meaning of Art. 47 of the Charter of Fundamental Rights.\u201d<\/p>\n

And Giovanni Buttarelli, European Data Protection Supervisor (EDPS), stated in a recent interview:
\n\u201cAt the moment there is too much power in the hands of a few mega tech companies and governments. We need to decentralise the internet, give more power to people over their digital lives. Engineers have a valid voice but they need to be part of a conversation with lawyers, ethicists, experts from the humanities. IPEN, our initiative, seeks to do this.\u201d<\/p>\n

It isn’t unlikely action will come – for example, a challenge to the Privacy Shield regulation. If that goes through, companies currently betting on it will have to scramble to find other vendors and get their data back in Europe.<\/p>\n

What does it all mean<\/h2>\n

Recapping the statements by the US and EU government, we can conclude:<\/p>\n