Recently, Brad Smith, president and chief legal officer at Microsoft, announced a policy of using technical measures to allow data to be stored and processed only in the EU and to protect it "from unauthorised access by government authorities". In this blog post we discuss why this is interesting and why you should care where your data is stored.
A question of location
With the increased focus on cloud services, be it for software, infrastructure or complete service packages, security and especially the location of data storage have increasingly come to the fore. Process optimization and business intelligence applications in particular hold great potential for companies, whether to improve internal processes, develop better service offerings and customer experiences, or to make existing data more usable as a basis for decision-making. Especially when it comes to innovative ideas, the issue of data security appears sooner rather than later and is often the factor that kills them. This applies in particular to the questions of where customer data is stored and further processed, and how data loss can be prevented in the event of an incident.
As an innovative company, in many conversations about such solutions we hear questions from customers such as, "And where is the data center?" or "How is the data secured?" Once the answer is "Frankfurt" or "that runs on Azure", the matter is almost always settled. If you go into more detail, the response is a shrug of the shoulders and a "can't be helped" or similar. While in other areas the topic of control over one's own data is often actively addressed, here a rather noncommittal answer is enough to allay concerns.
What remains open
Nevertheless, there are some questions that one must at least be aware of in order to decide for or against a solution, or at least to know which issues may arise. It is often not the classic security topics such as encryption that matter here, but what happens to the data once it is in the data centers: where is it replicated to in order to guarantee high availability, and who can access it in case of doubt, to name just two.
A short detour to the GDPR
It should be common knowledge that this topic has been more than explosive since the lawsuits filed by data protection activist Max Schrems. As a brief reminder, the European Court of Justice (ECJ) overturned the "Safe Harbor" agreement in October 2015, and in 2020, at the instigation of Schrems, the successor arrangement "Privacy Shield" was also struck down. The legal basis is Chapter IV of the GDPR, which regulates the transfer of personal data to third countries. According to it, data may not be transferred to countries that do not offer a level of data protection comparable to the EU's, because personal data is not sufficiently protected there. These include Russia and Turkey as well as the US. After the repeal of Safe Harbor, attempts were made to guarantee an appropriate level by means of standard contractual clauses, but since Schrems II the situation is clear: there is no sufficient level of protection for the transfer of personal data. The reasoning is that in case of doubt the government's right of access prevails; in the case of the US this is FISA 702. And yes, Article 49 of the GDPR mentions exceptions, but these refer to individual cases, with emphasis on individual cases. Since cloud services are ongoing services, they do not apply here.
Two more points on that:
- The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) obliges American Internet companies and IT service providers to guarantee US authorities access to stored data, even if the storage does not take place in the USA. This is also the case if a US company has a subsidiary in Europe and there is a possibility that this subsidiary can access this data. Thus, a location in Europe alone is not a protection against access.
- Article 48 of the GDPR states that access by, for example, US authorities to data stored in the EU area is only permitted within the framework of mutual legal assistance agreements. Direct data transfer by circumventing the competent national authorities is not permitted.
Thus, the CLOUD Act is in direct contradiction to the GDPR.
Meanwhile back in the jungle
In practice, as described earlier, the current situation is simply ignored in many cases. Nevertheless, surveys show that new and innovative projects in particular, which rely on permanent availability, scalability and flexibility, are not being implemented because of these restrictions, or are at least being postponed.
So what can be done about it? On the one hand, you can trust that companies like Microsoft, with announcements like the one at the beginning of this article, will solve the problem for Azure or Microsoft 365 by means of technical measures. Here, however, it must be objected that Microsoft, as a US company, of course remains subject to US jurisdiction. Max Schrems remarks: "Microsoft USA apparently continues to have access to the data, they must continue to release the data under US law. The location of the storage is unfortunately of no use as long as access from the US is possible. A legally stable solution would need a completely non-instructional entity in the EU where the data stays."
Our proposal: an end-to-end European solution
So what are IT managers supposed to do now? Shrug their shoulders and hope that everything will turn out for the best? Trust that global corporations like Google, Amazon or Microsoft can't do anything with their data anyway, so that the whole thing is not relevant for them? Rely on technical solutions such as special end-to-end encryption ("zero knowledge")? After all, cloud services are supposed to be simpler, less complex and cheaper.
Or perhaps choose a solution where these issues are already solved: the storage location is 100% in Europe and redundant, and it is neither subject to the Patriot Act nor built on compromises in data protection.
ABAX deliberately relies on the cloud services of Exoscale by A1 Digital, a platform that offers all the services that make up a modern cloud platform: highly available servers, redundant data storage and GPU servers for demanding IT tasks, virtual instances created in 30 seconds, pay-per-use pricing that is flexible and scalable according to requirements, and features such as load balancing, snapshots and IPv4 and IPv6 addresses.
The servers are located in six European data centers that meet the stringent requirements of the EU General Data Protection Regulation (GDPR) and are certified according to ISO 27001, ISO 27017 and ISO 27018. Thanks to a simple and intuitive web administration interface, coupled with a transparent pricing model, Exoscale makes complex infrastructure concepts easy to implement.
And the moral of the story
Therefore, companies cannot be indifferent to where their data is stored, who has access to it and what the outcome would be in case of a legal dispute. We will be happy to show you how you can use the solution securely and profitably for your company. And if you still have doubts about whether it is all really that secure: the European nuclear research organization CERN in Geneva also uses the cloud as data storage and as a platform for petabyte-scale data analyses in its Cosmics Leaving Outdoor Droplets (CLOUD) project, and one of its partners is Exoscale. Learn more here.
ABAX builds on years of expertise in IT infrastructure and cloud services. We support your company with a suitable solution. Following the approach "From planning to implementation to ongoing optimization", we are gladly at your disposal for your concerns regarding modern IT systems.
The ABAX IT experts ensure smooth, problem-free processes in order to support your company as quickly, efficiently and transparently as possible. We look forward to working with you!