EU Data Protection Board probes public sector use of cloud The European Data Protection Board (EDPB) has kicked off its first coordinated enforcement action, taking a long, hard look at the use of cloud-based services by the public sector. It's going to be a big one, involving the launch of investigations by 22 national authorities across the European Economic Area (EEA) and encompass …
How can amazon claim compliance when they have the cloud act in the US? Amazon must hand over all data stored local or abroad when some three letter agency demands the data. How can that be "in compliance with EU data protection rules"? The same goes for apple, google, microsoft and many more.
Well MS have long claimed that the data centres in Ireland are run by a different business and that MS (the Seattle based corp) is physically unable to access the data.
But then, the day the CLOUD act was passed, they handed over data held on a server in Ireland over to US authorities. Hmm ... And not to mention that access to services routes via whatever the US corporation decides the US controlled DNS should send it to, so of course plenty of scope for (e.g.) intercepting logins, capturing the password before forwarding the login, and then using the captured information to access the data.
It can be done properly, but it does mean having proper legal separation such that if (e.g.) a US authority asks for information stored in the EU - the business which actually runs the data centre can tell them to take a hike without fear of any repercussions.
It can be done properly,...
And that is the point. There is an established legal procedure to exchange data between the USA and the EU (and member countries) through the courts. But this procedure cannot easily be used for fishing expeditions and espionage. Therefore, the three letter agencies wanted more access. Of course under the blabla umbrella of "we fight terrorism" or "we fight pedophiles" (fill in your favorite straw man).
The cloud act is specifically tailored to force US companies with foreign presence to comply with US requests, regardless the target country's laws, or suffer repercussions back in the US.
Exactly, and this is why Privacy Shield failed and why any replacement will fail, so long as the TLAs carry on with their paranoia and can push the agenda in Washington.
For any solution to work, EU data has to be exempt from the Patriot Act, the CLOUD Act, FISA Courts and National Security Letters... Fat chance of that happening any time soon.
The US Government* seems to be doing its level best to ostracise US big business from the international stage.
* And I'm not pointing a finger at Biden or Trump here, but at US politics in all its facets since the turn of the Century.
The Cloud act does not automatically allow the US to force US companies to hand over their data of foreign companies/governments located outside of the US.
The Cloud act requires two countries (the US and foreign governments) to create an executive agreement that then allows the Cloud Act to work. Effectively, the Cloud Act then speeds up the request for data rather than having to go through long length legal battles. but as I say, it only affects counties that have an executive agreement with the US to allow this to happen, which today is not many but looks like the UK may sign up.
There is some widely misunderstood, banded about the idea that because tech companies are US (Amazon, Msft, Google) that the Cloud Act will allow the US to request data from France, Germany etc and these companies have to comply. This is not the case. The US has no jurisdiction in these Germany/France/other countries, and it would be illegal to demand that Microsoft France/Germany hand over the data due to GDPR.
The Cloud Act is relatively easy to read and understand - it's worth taking 5 mins to read if you are in doubt about what it can and cant do. https://www.justice.gov/dag/page/file/1152896/download
The cloud act is specifically tailored to force US companies with foreign presence to comply with US requests, regardless the target country's laws, or suffer repercussions back in the US. ....b0llchit
Tailor that cloud act to help leading US companies with foreign presence with the product resultant from US requests, regardless the target country's laws, to suffer zero repercussions anywhere is worth more always searching for .... and always worth searching more for .... to deliver the best of the best in AI from wherever IT is found available and properly prepared for Live Operational Virtual Environment Engagement and Quantum Communications Entanglement with the AI Networks Internetworking Novel JOINT Applications Programs.
JOINT ..... JOINT Operations Internetworking Novel Technology with/for NEUKlearer HyperRadioProACTive IT
ProgramMING ..... Mined IntelAIgent Network Games/Mind Infiltration Networking Games
And just in case you be not yet fully aware, it is what all companies are confronting and competing against if not wholeheartedly supporting. How well do you think that is going and how well do you think it will end at their end at the end of ProgramMING? Will they survive and prosper with everyone and everything or plough umpteen self-destructive paths to accompany them in their dismal dark descent into certain demise and popular ruin?
Well MS have long claimed that the data centres in Ireland are run by a different business and that MS (the Seattle based corp) is physically unable to access the data.
And the US courts called bullshit on that. Microsoft Ireland, a 100% Irish company, but fully owned by Microsoft Corp (USA) is therefore a 100% US company under US law and is covered by the CLOUD Act and Patriot Act.
Edit: I re-read your comment after posting, I see you covered that, if not with the explicit detail.
Only the German datacentre managed to get away with it, because it was run by a Deutsche Telekom subsidiary and Microsoft employees had no physical access and no administration access to the servers or data stored there... Unfortunately, they ended their co-operation on that in 2020 and opened up a self-run datacentre instead.
Not really. Presuming that AWS is a nice company, and doesn't want to do a deal to sell access to US gov... there are NSLs and Executive Orders that can compel on the quasi-legal side, plus all the leverage that a gov has on the not-quite-so-legal side.
Lastly, it is irrelevant whether or not MS (US) has access to MS (IRL) servers, data etc. It matters whether MS (US) can be ordered by US gov to order MS (IRL) to pass dat to US gov. And they can. That's the whole point of the Schrems rulings.
This review is long overdue, but if EDPB reviewed the use of Public Cloud for Law Enforcement processing they’d find more serious and important breaches immediately, since adequacy is both harder to get and less common.
AWS/Microsoft/GCP all ignore LED requirements in their terms of service and in UK terms the DPA 2018 Pt3.
Since Brexit use of any IT service located or supported from outside of UK for Law Enforcement purpose has been illegal on these services inder their terms of service.
Doesn’t stop UK Police and Courts using services ON these platforms however - mainly because ICO has done no enforcement.
Maybe this will change now - even if only because EDPS will inevitably start to look at UK practices and broaden scope from GDPR to LED I am sure.
That UK adequacy is looking shakier by the day…
Yes, good point, but those providers are in my experience not so easy to use for newbies as signing up for AWS/Azure/etc, glueing together some iffy services with the latest buzzword soup, and claiming hey we now have a cloud solution to XYZ. I've done some due dilligence on shiny but in the end shaky offerings where the folk were dazzled by the apparently magic capabilities of Azure. No, hire the engieers, security specialists and run your own admin to make the magic work, oh, and to be able to keep control of your costs.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
