The Legal, Financial and Administrative Services Agency of Sweden (Kammarkollegiet) has conducted an in-depth legal study of how current US legislation interacts with Swedish and European law.
The question it sought to answer was whether a Swedish authority can legally use cloud-based software services such as Microsoft Office 365 and Google G Suite. The question arose from a request to run a public procurement of such services.
The relevant legislation includes national Swedish law on information of interest to national security, constitutional law on transparency and confidentiality, and the EU General Data Protection Regulation (GDPR).
The findings on GDPR have the widest impact, since GDPR applies to every entity processing personal data of people in the EU, whether that entity is public or private and whether it is located in the EU or not.
“In the light of the requirements set by the General Data Protection Regulation, FISA Section 702, EO 12333 and the CLOUD Act are each highly problematic from the perspective of the General Data Protection Regulation. Legislation and rules with correspondingly problematic meaning are also found in several other countries, amongst them India, China and Russia. A Swedish authority which allows companies that are subject to such regulations to process personal data is thereby giving the foreign regulations priority over the General Data Protection Regulation, the terms of the personal data processor agreement between the authority and the supplier as well as the rules for international legal aid.”
The conclusions are no surprise to privacy professionals who have studied current US legislation in light of the CLOUD Act. It would be difficult to reach any other conclusion, given the very broad powers US authorities get under the CLOUD Act.
It is important to remember that GDPR does not regulate data as such, but personal data, which is only a subset of the data an organisation holds.
This means that the agency's conclusions apply only to data that contains personal data. That by itself is a problem for cloud-based e-mail, since e-mail always contains personal data (sender and recipient addresses, at a minimum). The same is probably true for word processing applications such as MS Word.
There is, however, no legal obstacle to using US-based cloud storage for data that does not contain personal data.
Companies and authorities seeking to comply should therefore look at hybrid cloud solutions.
What is hybrid cloud?
Hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud and third-party, public cloud services with orchestration between the two platforms. By allowing workloads to move between private and public clouds as computing needs and costs change, hybrid cloud gives businesses greater flexibility and more data deployment options.
Improved orchestration is the solution
Orchestration between the on-premises and cloud-based parts of a hybrid cloud has historically aimed to balance cost-effectiveness with performance.
The conflict between GDPR and the CLOUD Act described above calls for more intelligent orchestration, where the content of the data is also taken into consideration when deciding what is placed on-premises and what is placed in the cloud.
To comply with GDPR, personal data must not be stored in cloud environments provided by vendors deemed unfit. A vendor can be deemed unfit because it is a US company subject to the CLOUD Act, but any other reason leading to that conclusion applies equally.
Of course, to secure compliance for data that is already stored, a personal data inventory must be conducted. Such an inventory is a prerequisite for any other investment in data management and information security to yield a return, rather than increased business risk.
High accuracy, few false positives
For this improved orchestration not to become an obstacle that eliminates the benefits of the original cloud strategy, the number of false positives must be kept low without letting genuine personal data slip through to the cloud.
Since GDPR defines personal data contextually (any information relating to an identifiable person, not just a fixed list of field types), a low false-positive rate combined with high detection accuracy is best achieved with machine-trained classifiers performing the personal data discovery inside the orchestration.
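The placement decision described in the orchestration section, and the false-positive problem described above, can be made concrete with a small content-aware router. The following is an added example, not code from the original article or from any product it mentions: a document is routed on-premises if it contains personal data and to the public cloud otherwise. The detector looks for Swedish personnummer and e-mail addresses; a loose pattern match is then tightened with a plausible-date check and the Luhn checksum that personnummer carry, so that order references and ticket numbers with the same shape are not flagged. The sample documents and the checksum-valid personnummer are constructed for the example. Names and other contextual identifiers are deliberately out of scope here; they are the part that pattern matching cannot handle and where the machine-trained approach argued for above comes in.

```python
"""Content-aware hybrid cloud placement (added example, not the
article's or any vendor's code). Documents containing personal data
stay on-premises; everything else may go to the public cloud."""

import re
from dataclasses import dataclass, field

# Loose candidate pattern for a Swedish personnummer: YYMMDD-NNNC,
# separator '-' or '+' optional, not embedded in a longer digit run.
PNR_CANDIDATE = re.compile(r"(?<!\d)(\d{6})[-+]?(\d{4})(?!\d)")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over the 10 digits YYMMDDNNNC of a personnummer.
    Digits at positions 1,3,5,7,9 are doubled (digit sum taken if > 9);
    the total, including the check digit C, must be divisible by 10."""
    total = 0
    for i, ch in enumerate(digits):
        n = int(ch)
        if i % 2 == 0:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


def is_personnummer(yymmdd: str, nnnc: str) -> bool:
    """Tighten a loose match: month 1-12, day 1-31 (or 61-91, which is
    how coordination numbers encode the day) and a valid checksum."""
    mm, dd = int(yymmdd[2:4]), int(yymmdd[4:6])
    if not 1 <= mm <= 12:
        return False
    if not (1 <= dd <= 31 or 61 <= dd <= 91):
        return False
    return luhn_ok(yymmdd + nnnc)


@dataclass
class Placement:
    target: str                          # "on_prem" or "public_cloud"
    findings: list = field(default_factory=list)  # (kind, matched text)


def find_personal_data(text: str) -> list:
    """Return the validated personal-data hits in a document."""
    findings = []
    for m in PNR_CANDIDATE.finditer(text):
        if is_personnummer(m.group(1), m.group(2)):
            findings.append(("personnummer", m.group(0)))
    for m in EMAIL.finditer(text):
        findings.append(("email", m.group(0)))
    return findings


def place(text: str) -> Placement:
    """Orchestration rule: any validated hit keeps the document on-prem."""
    findings = find_personal_data(text)
    return Placement("on_prem" if findings else "public_cloud", findings)


def route_all(docs: dict) -> dict:
    """Map document name -> placement target for a batch of documents."""
    return {name: place(text).target for name, text in docs.items()}


# Constructed sample documents (hypothetical). 811228-9874 is a
# checksum-valid test value, not a real person's number.
SAMPLE_DOCS = {
    "payroll_march.csv": "Anna Svensson;811228-9874;anna.svensson@example.se;41000",
    "invoice_1042.txt": "Invoice 1042, order ref 123456-7890, total 12 500 SEK",
    "report_q1.txt": "Ticket 811228-9875 closed, see ref 991399-1234 for details",
    "pricelist.txt": "Widget A 120 SEK, Widget B 340 SEK",
}

if __name__ == "__main__":
    for name, text in SAMPLE_DOCS.items():
        p = place(text)
        print(f"{name:20} -> {p.target:12} {p.findings}")
```

Only the payroll file is kept on-premises. The invoice's order reference fails the date check (month 34), the ticket number in the report fails the checksum, and the second reference has month 13, so none of them trigger a false positive even though all three match the loose pattern. The residual risk is a 10-digit number that happens to look like a valid date and pass Luhn (roughly one in ten of otherwise plausible candidates), which is the kind of case a classifier using surrounding context is meant to resolve.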