EU-US Privacy Shield, CLOUD Act, GDPR and the Cloud

What companies and authorities need to know now

There has been great uncertainty about data protection since the European Court of Justice (ECJ) declared the EU-US Privacy Shield agreement invalid. This means that there is no clear legal basis for processing personal data of EU citizens by US services. The following article is intended to provide more clarity, explain our position as LionGate AG and set out the necessary actions that follow.

The ruling of the European Court of Justice to overturn the EU-US Privacy Shield agreement has a strong impact on data transfer between the EU and the US. European companies and public authorities are very uncertain about what to do now with regard to the CLOUD Act, the GDPR (General Data Protection Regulation) and the cloud: we notice this with our customers and especially with public authorities with whom we are in contact regarding our online learning platform vicole for schools. In our view, this is often because the terms are used arbitrarily and incorrectly and are mixed up with one another.

CLOUD Act vs. EU-US Privacy Shield: Who Accesses Which Data?

The EU-US Privacy Shield was the (predictably) failed attempt at a regulation between the US and the EU on the transfer of data from the EU to the US and processing by service providers located there.

The CLOUD Act (Clarifying Lawful Overseas Use of Data Act), on the other hand, is the basis for U.S. investigative authorities to access stored data in the context of law enforcement and regardless of where the data is stored.

Every company with headquarters or branches in the USA is subject to the CLOUD Act. This therefore applies to IT companies such as Amazon Web Services (AWS), Microsoft and Google, as well as to any “global player” from Europe. The CLOUD Act states that data stored outside the USA must also be made available to the US authorities if a US court has issued a corresponding warrant justifying this. Even then, however, the company still has legal remedies against this.

Using cloud services in Europe in a GDPR-compliant manner

In Europe, compared to the USA – and of course even more so compared to China – society has a fundamentally different understanding of how to deal with personal data. The GDPR provides a legal framework. Even though there is an area of tension here, it is still possible to operate cloud solutions in a data protection-compliant manner in Europe. As LionGate, we have been implementing projects according to strict data protection criteria for our major customers for years.

In our view, the following must be taken into account:

    • Data storage in German data centers: To ensure data protection, many cloud providers now operate data centers in Europe or Germany. Customers can explicitly specify where they want to operate and store their services and data. As LionGate, we operate our cloud solutions in the AWS data center in Frankfurt, for example.

    • Data is not a business model: For our customers, we develop and operate cloud solutions tailored precisely to their requirements. Our customers do not pay us for this with their data. We work with the cloud provider AWS, with which the shopping platform Amazon is often associated. However, the two are separate legal entities. AWS provides highly available, highly secure cloud infrastructure. Security and data protection are always top priorities. Regular audits and certifications confirm this. Not all providers of SaaS solutions can do this, which is why companies and government agencies should critically examine this on a case-by-case basis.
    • Data processing agreement and technical and organizational measures: In order to be able to use a cloud service, the specific details of the cooperation and data protection must be set out in a Data Processing Agreement (DPA). The DPA also describes the necessary technical and organizational measures (TOM) to ensure data protection and security. Our customers' data protection officers regularly attest to the clarity of our DPA and the consistent implementation of the TOM. Only recently, neutral data protection officers confirmed this for our vicole initiative.

The cloud as an enabler of digitization

Not least during the Corona pandemic, it became clear that the time is ripe to press ahead with digitization in Germany and Europe. We have also had this experience in recent months, particularly in connection with our vicole platform for schools. Since spring, we have implemented it at around 50 schools in Germany, thus supporting the digitization of these schools. And we are also continuing to talk to decision-makers in politics and education in order to jointly advance the topic even further.

The cloud plays a central role in the topic of “digital school”. And this also applies to other areas: The cloud is the essential enabler of digitization. Just as electromobility cannot do without electricity, digitization cannot do without the cloud.

The main points to be mentioned here are:

  • Innovation: New technological innovations such as artificial intelligence (AI) and the Internet of Things (IoT) can no longer do without the cloud. This is because AI services generate large volumes of data and require high computing power. Setting up high-performance, scalable systems is very expensive, and a company's own servers are not sufficient to provide the required computing power quickly and in good time. Many companies therefore already rely on cloud-based systems and call up the computing power they need, whenever they need it, without consuming resources unnecessarily, for example for servers that they do not constantly utilize. This trend will continue to grow.
  • Elasticity: Only cloud infrastructures offer the necessary elasticity to respond flexibly to customer requirements. Thus, depending on demand, additionally required resources can be made available at short notice for peak demand. If they are no longer needed, they can be released again quickly and easily. One example: schools that quickly needed large computer capacities for online learning platforms during the Corona pandemic. Some districts in Bavaria procured up to 20 servers. But these were only fully utilized at certain times - a waste of resources. And with the return to face-to-face teaching, these capacities are now no longer needed at all. Those who relied on cloud solutions here - and not on their own servers - also conserved the budget resources of the schools or districts.
  • Agility and flexibility: Digitalization requires new flexible and agile models of collaboration. Companies must continuously focus on changing customer needs and be able to respond quickly. The cloud optimally supports this approach and also technical practices, such as Continuous Deployment or DevOps.
  • Collaboration: Digitalization also ensures that individual players within value chains work more closely together. And that value chains are redefined.
  • Costs: Finally, as already explained above using the example of schools, costs can be saved significantly through the sensible use of cloud solutions.

The cloud provider market

US providers such as AWS, Microsoft, IBM and Google dominate the cloud provider market. AWS is by far the market leader, which independent market research companies such as Gartner confirm (see figure “Magic Quadrant for Cloud Infrastructure as a Service, Worldwide”).

We are an AWS partner and primarily use AWS for our cloud solutions. AWS has convinced us in terms of functionality, stability, costs and performance compared with the competition. And we also prefer AWS to its competitors in terms of data protection.

Unfortunately, there are currently no significant European alternatives to AWS in this market. There are indeed a large number of hosting offers. However, these do not meet the minimum requirements for cloud computing, for example, scalability, as stated above.

As a Bitkom member, we follow and support the European initiatives around Gaia-X and the topic of data sovereignty. However, Gaia-X can only provide a conceptual and organizational framework. We do not yet see any concrete private-sector initiatives in this area.

Conclusion

Even after the end of the EU-US Privacy Shield agreement, cloud services can still be used in a data protection-compliant manner in accordance with the GDPR. However, companies and public authorities should remain critical: ask the providers of solutions that are not operated in Europe how they utilize your data. In our view, this is an important decision criterion, especially in the area of schools and education. After all, we are talking about the sensitive data of students. Data protection commissioners of the individual German states have clearly articulated this several times in recent months.

 

We look forward to continuing to actively shape and advance digitization with innovative cloud solutions together with our customers and with decision-makers from education and politics.

Do you have questions about cloud and data protection? Feel free to contact us.


Let's talk.

Your contact at LionGate: Michael Schießl, Founder and Board Member