What do you store in the cloud? Business-related information from your computer, phone or other devices, such as e-mails, contact details and documents, possibly including trade secrets? Most corporations use the cloud to some extent, though the scope and purpose vary. The cloud is both efficient and practical: all you need is an internet connection and you are practically at work. But is it safe?
When the General Data Protection Regulation ("GDPR") became applicable on 25 May 2018, the protection of the personal integrity of anyone within the borders of the European Union ("EU") was strengthened. At the same time, the GDPR placed a whole new set of responsibilities on corporations, that is, on those who process personal data. Anyone who processes personal data has to meet certain criteria, and the sanctions for failing to meet them are severe. Around the same time, in March 2018, while everyone's mind was on finding data protection officers, performing risk assessments and establishing policies, the CLOUD Act was enacted in the US. The CLOUD Act, short for the Clarifying Lawful Overseas Use of Data Act, requires cloud service providers subject to US jurisdiction to hand over data stored on their servers to US authorities when ordered to do so, regardless of where in the world the data is kept. As a result, US authorities may access and read large amounts of data relating to, and belonging to, citizens and corporations outside the US. The CLOUD Act is a response to the difficulties that US authorities such as the FBI experienced in obtaining information stored on servers abroad, most visibly in the dispute over e-mails held in Microsoft's Irish data centre. Furthermore, the corporations and individuals concerned are not entitled to be notified when data about them is retrieved; a provider that notifies its customer in breach of a non-disclosure order can itself face prosecution. Since the CLOUD Act applies to all US-based cloud providers, major IT companies such as Google, Microsoft and Amazon have to abide by it. The scope of the CLOUD Act therefore sits uneasily with the GDPR.
The Swedish collaboration eSam (sw. eSamverkansprogrammet), consisting of 23 Swedish public authorities such as the Tax Agency (sw. Skatteverket), the Police (sw. Polismyndigheten) and the National Agency for Education (sw. Skolverket), works to facilitate the digitalisation of the public sector. eSam has evaluated the use of cloud services within the public sector and issued a statement saying that it cannot be ruled out that a cloud service provider subject to a foreign jurisdiction could be made to assist in exposing private and secret information. Information stored with foreign cloud service providers should, in eSam's view, be regarded as disclosed. eSam does not, however, recommend refraining from US cloud service providers altogether; rather, information placed with them should not be classified, and if it is, the encryption has to be sufficient. In practice "sufficient" means that the provider must never hold the keys, which rules out most server-side processing of that data, and this has proven difficult to achieve, leaving the statement ambiguous in some respects. The medical university Karolinska Institutet has gone a step further and explicitly tells its users what may not be stored in the cloud, in its case a US-based cloud service provider. Karolinska Institutet states that no secret information, and no information that could be related to patients, may be stored in the cloud, since its agreement with the provider contains no protection against other jurisdictions, and the provider, as a US-registered company, is not at liberty to disregard US legislation.
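What "sufficient encryption" means in practice, as an added example that is not part of eSam's statement or of the original article: the data is encrypted on the client with a key-encryption key that the customer keeps in its own jurisdiction, so the object the provider can be compelled to produce consists of ciphertext and a wrapped data key. Go, standard library only; `CloudObject`, `Seal`, `Open`, the object name and the patient record are all constructed for this example, and in a real deployment the KEK would live in a customer-controlled HSM or KMS rather than in a local variable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// nonceLen is the standard 96-bit GCM nonce size that cipher.NewGCM uses.
const nonceLen = 12

// CloudObject is the only thing that ever reaches the provider's servers.
// Every field is safe to hand to a third party: the payload is ciphertext and the
// per-object data key (DEK) is itself encrypted under a key-encryption key (KEK)
// that never leaves the customer's own infrastructure.
type CloudObject struct {
	Name       string // object name; bound into both ciphertexts as AAD
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Sealed     []byte // nonce || AES-256-GCM(DEK, payload)
}

// newKey draws a fresh 256-bit AES key from the OS CSPRNG.
func newKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce || ciphertext, authenticating aad alongside the data.
func gcmSeal(key, aad, plaintext []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to key, nonce, ciphertext or aad fails.
func gcmOpen(key, aad, blob []byte) ([]byte, error) {
	if len(blob) < nonceLen {
		return nil, errors.New("blob too short")
	}
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, blob[:nonceLen], blob[nonceLen:], aad)
}

// Seal runs on the client before upload: a fresh DEK encrypts the payload and the
// KEK wraps the DEK. The object name is AAD on both layers, so neither a wrapped key
// nor a ciphertext can be silently moved to a different object.
func Seal(kek []byte, name string, payload []byte) (*CloudObject, error) {
	dek, err := newKey()
	if err != nil {
		return nil, err
	}
	sealed, err := gcmSeal(dek, []byte(name), payload)
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, []byte(name), dek)
	if err != nil {
		return nil, err
	}
	return &CloudObject{Name: name, WrappedDEK: wrapped, Sealed: sealed}, nil
}

// Open runs on the client after download. Without the KEK neither layer opens,
// which is exactly the position a provider is in when compelled to produce the object.
func Open(kek []byte, obj *CloudObject) ([]byte, error) {
	dek, err := gcmOpen(kek, []byte(obj.Name), obj.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, []byte(obj.Name), obj.Sealed)
}

func main() {
	kek, _ := newKey() // stand-in for a key held in a customer-controlled HSM/KMS
	record := []byte(`{"patient":"19710101-1234","note":"constructed sample"}`) // constructed
	obj, err := Seal(kek, "patients/2018/record-1.json", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider holds: %s wrappedDEK=%x sealed=%x\n", obj.Name, obj.WrappedDEK, obj.Sealed)
	foreign, _ := newKey() // whoever receives the object but not the customer's KEK
	if _, err := Open(foreign, obj); err != nil {
		fmt.Println("without the customer's KEK:", err)
	}
	pt, _ := Open(kek, obj)
	fmt.Println("with the customer's KEK:", string(pt))
}
```

This covers data at rest in object storage. It does not help where the provider has to see plaintext to do its job (mail, document collaboration, search), which is why eSam's condition is hard to meet for most SaaS use.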
As stated in the introduction, most corporations use cloud services to some extent, and many process and store a substantial amount of business-related information, personal data and trade secrets in the cloud. For a corporation acting as data controller, for example a school, health care provider, insurance company, bank or telecom provider, the effects of the CLOUD Act could be devastating, not least with regard to GDPR compliance. A corporation is exposed not only when acting as controller or processor of personal data, but also with regard to its own business information and secrets.
That US authorities may lawfully access information stored in a cloud, without prior notification, is to say the least both problematic and serious. Once a US authority has initiated legal process, the cloud service provider has to hand over the data but is not at liberty to notify the corporation (a so-called "gag order"). Handing information to US authorities could, for any corporation, constitute a breach of the GDPR, an unlawful transfer of personal data to a third country (a country outside the EU or the European Economic Area) and a breach of trade secret undertakings, to name a few.
Some providers, such as Tumblr, Reddit and Adobe, have used what is known as a "warrant canary": a way of subtly or silently letting users know that the provider has been served with an order for information, without breaking the gag order. In practice the provider publishes a standing notice on its website stating that, as of a given date, it has not received any such order. As long as the notice is there and kept up to date all is well; when it is taken down, or stops being renewed, users can read that as a kind of passive notification. Applying the warrant canary idea in light of the GDPR could mean an informative text in, for example, the privacy policy stating that personal data may be handed to US authorities should the CLOUD Act become applicable. The practical question is whether that would be considered sufficient under data protection legislation. If personal data is to be transferred to a third country, the corporation must ensure an adequate level of protection. Keeping such measures on standby, in case a cloud service provider hands information to US authorities without the corporation's knowledge, seems far-fetched given that processing of personal data has to be transparent in order to be lawful. Transparency under the GDPR means that it has to be easy to understand whether, by whom and for what purpose personal data is collected, requirements that fundamentally clash with a provider handing information to US authorities without notifying either the data controller or the data subjects. For trade secrets and other business information that might be subject to an order under the CLOUD Act, it is even harder to see what preventive measures a corporation could take. Some information is simply not meant to be shared, and no preventive measure can undo trade secrets that have already been handed to US authorities.
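The canary mechanism described above only works if the customer actually checks it, and checks it in the right order: the signature first (an altered or unsigned notice says nothing either way), then whether the key sentence is still there, then whether it has been renewed on time. The following is an added example of such a customer-side check, not code from any of the providers mentioned; `ExampleCloud Inc.`, the wording of the assertion sentence, the 30-day renewal interval and the dates are all constructed, and the Ed25519 key pair stands in for a signing key the provider would publish out of band.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"regexp"
	"strings"
	"time"
)

// CanaryStatus is the customer-side reading of a provider's warrant canary.
type CanaryStatus int

const (
	Healthy CanaryStatus = iota // signed, recent, still carries the "no orders" assertion
	Stale                       // signed, but not re-issued within the promised interval
	Missing                     // signed, but the assertion sentence is gone: the canary has died
	Invalid                     // signature or format does not check out: trust nothing in it
)

func (s CanaryStatus) String() string { return [...]string{"Healthy", "Stale", "Missing", "Invalid"}[s] }

// assertion is the exact sentence whose disappearance is the signal (constructed wording).
const assertion = "has not received any order compelling it to hand over customer data"

var asOfRe = regexp.MustCompile(`(?m)^As of (\d{4}-\d{2}-\d{2}),`)

// canaryText renders the provider's statement. withAssertion=false models the
// provider quietly dropping the sentence after an order arrives.
func canaryText(asOf string, withAssertion bool) string {
	b := &strings.Builder{}
	fmt.Fprintf(b, "Transparency statement\n\nAs of %s, ExampleCloud Inc.", asOf)
	if withAssertion {
		fmt.Fprintf(b, " %s", assertion)
	} else {
		b.WriteString(" publishes this statement")
	}
	b.WriteString(".\nThis statement is re-issued every 30 days.\n")
	return b.String()
}

// newCanaryKeys stands in for the provider's published signing key.
func newCanaryKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the provider's side: a detached Ed25519 signature over the exact text.
func Sign(priv ed25519.PrivateKey, text string) []byte { return ed25519.Sign(priv, []byte(text)) }

// Check is the customer's side, run on a schedule. Signature first, then the
// assertion, then freshness; a future-dated notice is treated as invalid.
func Check(pub ed25519.PublicKey, text string, sig []byte, now time.Time, maxAge time.Duration) (CanaryStatus, error) {
	if !ed25519.Verify(pub, []byte(text), sig) {
		return Invalid, errors.New("signature does not verify")
	}
	m := asOfRe.FindStringSubmatch(text)
	if m == nil {
		return Invalid, errors.New("no 'As of YYYY-MM-DD,' line")
	}
	asOf, err := time.Parse("2006-01-02", m[1])
	if err != nil {
		return Invalid, err
	}
	if asOf.After(now) {
		return Invalid, errors.New("notice is dated in the future")
	}
	if !strings.Contains(text, assertion) {
		return Missing, nil
	}
	if now.Sub(asOf) > maxAge {
		return Stale, nil
	}
	return Healthy, nil
}

func main() {
	pub, priv := newCanaryKeys()
	now := time.Date(2019, 2, 1, 0, 0, 0, 0, time.UTC) // constructed "today"
	maxAge := 30 * 24 * time.Hour
	fresh, old, dropped := canaryText("2019-01-15", true), canaryText("2018-11-01", true), canaryText("2019-01-15", false)
	cases := []struct {
		label, text string
		sig         []byte
	}{
		{"fresh", fresh, Sign(priv, fresh)},
		{"old", old, Sign(priv, old)},
		{"dropped", dropped, Sign(priv, dropped)},
		{"tampered", strings.Replace(old, "2018-11-01", "2019-01-15", 1), Sign(priv, old)},
	}
	for _, c := range cases {
		st, err := Check(pub, c.text, c.sig, now, maxAge)
		fmt.Printf("%-8s -> %v %v\n", c.label, st, err)
	}
}
```

Anything other than Healthy should page someone, but it is a signal, not proof: a provider may simply have forgotten to renew, and a canary tells the customer nothing about which data was handed over, so it cannot by itself satisfy the GDPR's transparency requirements discussed above.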
The use of cloud services is nevertheless a positive development, and the trend points firmly towards more substantial use of cloud solutions for storing and processing data. Lately a kind of "hybrid cloud" has emerged as a way of securing information kept in the cloud. A hybrid cloud combines private and public clouds, with information managed across them, which gives the information a certain freedom of movement and the user more flexibility. Its value against the problem discussed here depends entirely on placement: data that must not be disclosable stays on private infrastructure in the corporation's own jurisdiction, and only the rest goes to the public provider. Whatever method you choose, every corporation should start with a thorough inventory of the information it has and needs, and classify it. Only then can you decide where and how to store it.
Further developments are necessary to ensure the integrity and privacy of information stored using cloud services, and there are no doubt more reactions to the CLOUD Act to come. In the meantime, we can all ask ourselves: "what do we still want to keep in the cloud?"
The authors are Thomas Nygren and Alexandra Sackemark.