The Data Protection Conference (DSK) has published a resolution dated January 31, 2023, which concerns the data protection assessment of access options for public authorities in third countries to personal data processed within the EU or the EEA.
Without addressing the elephant in the room, this decision is particularly significant in light of the US CLOUD Act, which applies to providers such as Microsoft, Amazon, and Apple. Companies cannot avoid this data protection issue, especially when it comes to using Microsoft 365 or Amazon Web Services (AWS).
In the shadow of FISA 702 and PP-28 – the CLOUD Act
The CLOUD Act concerns investigations by US law enforcement authorities, as the US Department of Justice explains in a white paper on the purpose of the Act. This is also the difference from FISA 702 and PP-28, which concern the collection of information by US intelligence agencies. The addressees are all providers of internet and cloud services. They are required to retain, secure or disclose the content of electronic communications and all records or other information about a customer or subscriber that is in the possession, custody or control of that provider, regardless of whether this communication, record or information is located inside or outside the United States.
It is therefore clear that all common US providers that process data are subject to this regulation. It is equally clear that the data processing may take place within the EU. This means that even an EU boundary, such as the one offered by Microsoft, does not protect against having to hand over data to US authorities under the CLOUD Act. Likewise, the Act does not initially stipulate any restrictions regarding the nationality of the individuals affected by data processing.
Decision of the DSK regarding the CLOUD Act
This is where, after a lengthy preamble, the resolution of the Data Protection Conference comes into play. This resolution assumes that a subsidiary based in the EU/EEA and a parent company based in an unsafe third country will be required to disclose data, thereby violating the GDPR.
If this subsidiary acts as a processor, it may lack the required reliability under Art. 28 GDPR.
Testing the reliability of cloud providers according to the DSK’s presentation
In its resolution, the DSK presents a catalogue of checks that the client can use to determine the reliability of the processor. This can be clearly demonstrated using the example of service providers such as Microsoft or AWS and the CLOUD Act:
- Examination of the extraterritorial applicability of third-country law and further practical extraterritorial application
The third country here is the USA, a country outside the EU/EEA. The CLOUD Act can also be applied to companies in the EU/EEA. This leads to the next point. Exhausting all legal remedies seems quite realistic.