Cloud in the US legal protection weak!
Posted: Tue Jan 07, 2025 8:53 am
As soon as your cloud provider has 'activities' in the US, or is part of a US-based company, data can always be retrieved directly. Directly via the US branch of the cloud provider or indirectly via its suppliers, such as a backup service.
Privacy protection in the US is also fundamentally different from that in Europe and does not correspond to the level of agreements that European member states have made in the European Convention for the Protection of Human Rights (ECHR). Moreover, the lower legal protection in the US only applies to Americans themselves; the position of non-Americans is even weaker. This legal protection is present if American security services have to carry out requests under Dutch law, because the cloud provider has no activities in the US. With the remark “Dutch users of cloud services enjoy the same fundamental rights protection as North Koreans from an American legal perspective,” the researchers cynically summarize the weak legal protection.
Mitigating the risks, a cloud checklist!
The risks to privacy and information security will be significantly smaller if communication and data are stored with Dutch or European parties that have no ties to the US. With a large part of the (popular) portugal phone data cloud providers 'active' in the US, this is still a difficult task, but certainly not impossible. An important step that precedes the choice of a cloud provider is a risk inventory, which allows for a well-considered decision. Therefore, ask yourself a number of relevant questions in advance;
Does the cloud provider or parts of its services (e.g. backups) fall under US jurisdiction?
How is the deletion of data in the cloud organised? And what happens to the data processed in the cloud in the event of bankruptcy or takeover of the cloud provider or termination of the agreement?
Is it possible to include a specific contractual restriction in the event that the cloud provider is acquired?
Ask the cloud provider to help you make a proper risk analysis and categorize the different types of data that could be requested by the security services (transparency!).
Design decentralized and fragmented storage so that data cannot be easily retrieved in its entirety, and consider encryption for particularly confidential communications and data.
Any suggestions?
Answering the above questions also ensures that a 'lock-in' with your cloud provider is prevented and an exit always remains a realistic option. Perhaps more measures are possible and necessary, additions are always welcome and I would like to read them in the comments below.
Privacy protection in the US is also fundamentally different from that in Europe and does not correspond to the level of agreements that European member states have made in the European Convention for the Protection of Human Rights (ECHR). Moreover, the lower legal protection in the US only applies to Americans themselves; the position of non-Americans is even weaker. This legal protection is present if American security services have to carry out requests under Dutch law, because the cloud provider has no activities in the US. With the remark “Dutch users of cloud services enjoy the same fundamental rights protection as North Koreans from an American legal perspective,” the researchers cynically summarize the weak legal protection.
Mitigating the risks, a cloud checklist!
The risks to privacy and information security will be significantly smaller if communication and data are stored with Dutch or European parties that have no ties to the US. With a large part of the (popular) portugal phone data cloud providers 'active' in the US, this is still a difficult task, but certainly not impossible. An important step that precedes the choice of a cloud provider is a risk inventory, which allows for a well-considered decision. Therefore, ask yourself a number of relevant questions in advance;
Does the cloud provider or parts of its services (e.g. backups) fall under US jurisdiction?
How is the deletion of data in the cloud organised? And what happens to the data processed in the cloud in the event of bankruptcy or takeover of the cloud provider or termination of the agreement?
Is it possible to include a specific contractual restriction in the event that the cloud provider is acquired?
Ask the cloud provider to help you make a proper risk analysis and categorize the different types of data that could be requested by the security services (transparency!).
Design decentralized and fragmented storage so that data cannot be easily retrieved in its entirety, and consider encryption for particularly confidential communications and data.
Any suggestions?
Answering the above questions also ensures that a 'lock-in' with your cloud provider is prevented and an exit always remains a realistic option. Perhaps more measures are possible and necessary, additions are always welcome and I would like to read them in the comments below.