During the week, the debate about the potential problem with cloud services owned by US companies has taken off in Sweden.
At the beginning of the week, the GöteborgsPosten concluded that the Cloud Act allows US authorities to access both classified information and personal data – without using the normal routines for intergovernmental requests.
Instead , according to the Cloud Act , US authorities can request data from US companies, regardless of where the servers are located in the world . The company also receives a disclaimer to notify the data owner that the disclosure has taken place.
Despite these problems, the City of Gothenburg lawyers found that Office 365 could still be used because ” the likelihood that data would be unauthorized disclosed is extremely small “.
“The lawyers of the City of Gothenburg solves the problem by ignoring it exists.”
The editorial staff at the Gothenburg Post picked up the topic, and noted that this reasoning may lead to a future scandal similar to the one that hit the Swedish Transport Agency . It is also concludes that “The lawyers of the City of Gothenburg solves the problem by ignoring it exists.”
However, the discussion about the Cloud Act does not end there.
Thursday, DN publishes a debate article from Swedish Social Insurance Agency Director General Nils Öberg. It notes that similar legislation as the Cloud Act exists in many other countries, including Russia, India and China, and states that “ There is no doubt that these rules are in direct conflict with both international law and GDPR and are also incompatible with the Swedish Public Access to Information and Secrecy Act. ”
“… a direct threat to national sovereignty”
They also claim that the use of digital cloud services that are governed by foreign legislation, such as the Cloud Act, is a direct threat to national sovereignty . Because of this , they urge that“ Sweden needs to formulate a clear government-wide strategy and a long-term action plan on whether Sweden’s digital sovereignty can be maintained. “
At the same time we are reached by the news that the Swedish Social Insurance Agency obviously intends to live as it teaches. Therefore , the rollout of its new cloud-based HR system, SAP Successfactors, is being halted. The reason is the uncertainty about how data is handled in the cloud.
During the day we are also reached by the news that Region Skåne’s billion SEK project for a new health information system, supplied by American company Cerner, is delayed. Again, the reason is uncertainty about the legislation of other countries, where Cerner wants all patient data to be sent to twelve different units in Cerner in nine different countries – India, the United States, the United Kingdom, France, Spain, Australia, the Netherlands, Ireland and Germany.
Region Skåne states that the number of subcontractors must be “strictly limited” and that any access to classified information “takes place within Sweden”, but that “the assessment is still that the risk may be considered too high”.
“…there is no way of reducing risk.”
However, when it comes to solve the problem with foreign legislation, such as the Cloud Act, the conclusion is that there is no way of reducing risk – unless another solution is chosen.
Cloud Act is a US law that was passed after a dispute between the US government and Microsoft.
The impact of a legal issue between GDPR and the Cloud Act is vastly larger than the public sector in Sweden, as the public sector is not specifically regulated in the GDPR.
If it is determined that personal data in US cloud services is a violation of GDPR, then this conclusion applies to all organizations that are subject to GDPR.
“The impact is therefore on a global level.”
This includes all European organizations, but also all companies that addresses the European market. The impact is therefore on a global level.
“The global cloud market is estimated at US $ 219 billion annually.”
The global cloud market is estimated at US $ 219 billion annually.