14 October 2019

DSGVO vs. Cloud Act: Data protection when using cloud computing solutions

The topic of data protection and cloud computing is once again a topic of conversation. This time, the reason is the Hessian data protection commissioner's decree from the beginning of July 2019 banning the use of Microsoft Office 365 in Hessian schools. In his statement he explains: "The use of Microsoft Office 365 in schools is illegal under data protection law, insofar as schools store personal data in the European cloud". In the meantime, there has been some backpedalling: there is now talk of tolerating its use "provisionally under certain conditions and subject to further testing."

Nevertheless, this current example shows that there are still very different views on both sides of the Atlantic when it comes to assessing the issue of data protection.

DSGVO vs. Cloud Act: Different assessment of access to user data

In particular, it is a question of which rights of access to the personal data processed with cloud services are granted. For the countries of the European Union, these access rights are uniformly regulated in the EU General Data Protection Regulation (GDPR), which came into force in May 2018.

Article 48 of the GDPR prohibits companies from handing over data stored in the EU without a mutual legal assistance agreement. In addition, the domestic authorities must be involved in such cases. In the event of a violation, severe fines of up to 20 million euros or four percent of global annual turnover are possible under Art. 83 GDPR.

Only a few weeks before the GDPR came into force, on 23 March 2018, US President Donald Trump signed the CLOUD Act (Clarifying Lawful Overseas Use of Data Act). This law allows US authorities to access data stored abroad - provided the servers concerned are under the control of US companies. This means that the CLOUD Act also applies to American cloud service providers such as Microsoft, Google, Apple or Salesforce.com. The CLOUD Act thus requires these companies to hand over data without involving local authorities. Not even the affected user has to be informed. This results in an obvious dilemma for Microsoft & Co.: no matter which of the two laws they comply with, they automatically violate the other. Legal experts describe this as a situation that is unacceptable in the long run. It remains to be seen whether the USA will enter into talks with the EU to resolve the situation. So far, the USA has only been willing to talk directly with the governments of individual member states.

The solution: Cloud services made in Germany like ZEP

Users who want to avoid this legal grey area should pay close attention to where a cloud computing provider is based when choosing one. With providers such as provantis IT-Solutions and its cloud solution ZEP - time recording for projects - they can be sure that only the requirements of the DSGVO (GDPR) apply. The company is based in Germany and operates its cloud service exclusively from German data centres. This rules out the application of international regulations and laws such as the CLOUD Act.

The importance of the topic "data centre in Germany" for ZEP users is illustrated by the statement of Christian Korn from the KORN CONSULT GROUP: "This requirement is important both to fulfil the specifications of our own ISO 27001 certification and the compliance and data protection specifications of our clients."

Dr Stefan Klose, Managing Director of Next Level Integration, explains: "Data protection and data security play a central role in our projects. For this reason, we subjected the contracts and operating model [of ZEP] to an intensive review in advance. In the end, however, we were able to give the 'green light' for cloud operation without any restrictions."

Harmut Höche, consultant and project manager at Tedesio, adds: "As far as data protection and data integrity are concerned, we were able to convince ourselves that this is also fully guaranteed in cloud computing operations with ZEP. And so the use of ZEP was ultimately also an aspect for a successful certification of Tedesio GmbH according to ISO 9001/27001."

Conclusion: If you are looking for a cloud-based solution for time recording and project controlling that fully complies with all data protection requirements applicable in Germany and the EU, ZEP is the right choice. You can find more information on the topic of ZEP and DSGVO at the ZEP website.