Press release

5 tips to reduce liability risks when using cloud services after the Privacy Shield verdict

The grace period after the demise of Privacy Shield is over. Data protection authorities in EU countries are now targeting companies for processing personal data with US cloud services.

Since the European Court of Justice overturned the “Privacy Shield” agreement, it is official: The use of US cloud services is not compatible with European data protection law. This is a problem that persists even if the data centers in question are located on European soil, because of the US Cloud Act.

Grace period after Privacy Shield is over

For companies and public administrations, the grace period after the ECJ’s ruling in July 2020 seems to have expired. The German Data Protection Conference has formed a task force that is currently developing several questionnaires for organizations to determine whether they violate EU law by using US cloud services, which carries a threat of severe fines.

Some US cloud operators now claim that their offerings are data protection-compliant due to contract adjustments. Organizations cannot and should not simply trust these marketing-driven claims. Instead, they should rethink their cloud strategies. Here are some recommendations for companies and public administrations:

  • obtain clear information about all data flows and all locations where data is processed and stored, including providers’ subcontractors
  • find out if your cloud service providers guarantee a level of data protection equivalent to EU regulation – and if there is an adequacy decision from the EU for their home country and all data center locations involved
  • check if those guarantees can really be met in practice
  • if this is not possible, as will be the case for US-based cloud services due to the Cloud Act, examine what additional steps can be taken to protect data, such as encryption, anonymization and pseudonymization of personal data
  • if a US cloud service cannot be used in compliance with European data protection requirements, or the effort would be disproportionate, check whether there is a suitable alternative in Europe or another country with an adequacy decision
  • examine if sensitive data could be stored in a private cloud instead for more security and efficiency

“The time to hesitate is through. Organizations need to think about alternatives to public clouds run by US providers for storing and processing user data,” says Tobias Gerlinger, CEO of ownCloud. “They can for example supplement or completely replace Microsoft OneDrive with secure private cloud data. That brings free choice of data center, helps reduce vendor lock-in and also lowers costs in the longer term.”

 

ownCloud

May 11, 2021
