Patriot Act, Freedom Act, Cloud Act… all the various legislation that has been adopted in the United States over the past few years is worrying businesses in Europe. But are they right to be concerned? At a time when the digital revolution is accelerating at an enormous pace, everything rests on the solutions implemented by organizations. The decision to trust an American or a European service provider with your most confidential and sensitive data can make all the difference.
When it comes to data protection, the United States and the European Union have very different visions. The recent revelations about the way Facebook allowed Cambridge Analytica to access the data of 87 million users just goes to show how wide the gap is. While the EU is strengthening the obligations on companies and the power of authorities to impose sanctions, American legislation does not seem to offer the same high level of data security.
Boosting data protection in Europe
Is there a risk that sensitive data belonging to companies – from SMEs to large corporations – could end up in the hands of American authorities? In Europe, the General Data Protection Regulation (GDPR) recently put all EU Member States on an equal footing, heralding a new era of protection for our data and our private lives.
The GDPR is the new framework governing how personal data is processed and distributed, and businesses in Europe are now heavily regulated in terms of the data they collect and how they process it. But the legislation doesn’t just apply to companies in Europe. In fact, any organization outside of Europe that processes the data of European citizens is subject to the GDPR.
American legislation causing concern
On the other side of the Atlantic, the trend in favor of data protection isn’t so strong. Following the adoption of the Patriot Act in 2001 and the Freedom Act in 2015, the American government passed the Cloud Act (Clarifying Lawful Overseas Use of Data Act) in March 2018, much to the irritation of Europe.
The Patriot Act granted sweeping powers to intelligence agencies. Section 215 particularly has attracted controversy, allowing an order to be obtained from the secret FISA court obliging telecoms operators to provide all the metadata of their American customers.
Then, in June 2015, the US Congress passed the Freedom Act, which put an end to the large-scale data collection by the National Security Agency (NSA) and its wiretapping program uncovered by Edward Snowden. But the law continued to allow intelligence agencies to obtain metadata stored by telecoms operators, by making requests on a case-by-case basis.
Seizing data stored abroad… lawfully
The latest twist in the drama came in March 2018, with the adoption of the Cloud Act. This legislation legalizes the seizure of any emails or other data stored on servers in the US and even internationally. Major American cloud companies and their subsidiaries have no choice but to comply, as do international companies operating on US soil. “With complete disregard for the legal sovereignty of other countries because of where the data is stored,” comments law firm August Debouzy.
Making the right choice on storing your data
Companies seeking a high-security solution to manage their data need to think very carefully about which service provider they choose. European partners using on-premises infrastructure are required to comply with EU regulations, including the recently-adopted GDPR. They cannot just treat the data however they see fit. Since the legislation entered into force, data controllers and subcontractors are permitted to send data outside of the EU, but subject to certain conditions. They need to ensure the level of data protection is sufficient and appropriate. Data transfers are also regulated by the legal tools defined in Chapter V of the GDPR.
By resorting to an American cloud service provider, businesses in Europe face running the risks created by legislation in the US. American laws such as the Cloud Act pose a risk to European businesses’ data and consumers’ private lives.
Preserving digital sovereignty in Europe
“As well as the regulatory, economic, and security issues with the French Military Programming Act and the GDPR, cybersecurity and cloud confidence are also a societal matter. We need to ask ourselves what level of protection we want to provide for our citizens, consumers, and businesses, and what kind of role we want to play,” explained Jean-Noël Galzain, CEO of HEXATRUST Cybersecurity & Digital Trust Alliance, to a tribunal on preserving digital sovereignty in Europe.
“France – and Europe in general –need to take control of their own digital revolution and not rely entirely on the United States or China anymore, the main beneficiaries of data flows,” he added. “The nature of these challenges calls for the ability to choose superior, trusted solutions, certified by the French National Cybersecurity Agency (ANSSI).”
Oodrive provides file sharing, online backup, and digital trust solutions for professionals, meeting the most stringent French and international security certifications. To combat sovereignty and security issues, and to comply with the legislation in force, Oodrive’s clients can opt to store their data in France, Europe, or Asia. With ISO 27001:2013, RGS***, Cloud Confidence, and France Cybersecurity certifications, confidentiality is guaranteed.