US Cloud Act and EU GDPR
Put simply, the Cloud Act allows the US government unrestricted access to all global cloud data stored by US providers.
This also renders the legal dispute that Microsoft was pursuing in the USA obsolete: Microsoft saw no legal obligation to hand over data stored outside the USA to US government authorities.
The current Cloud Act fundamentally changes this situation. US companies are obliged to hand over all data from the cloud to the relevant authorities, regardless of its physical storage location.
Data protection experts had expected a regulation of this kind, but always assumed it would be aligned with European law and in particular the EU GDPR.
What has complicated the situation for cloud users and therefore also for existing SAP customers is the fact that the US government has now passed the Cloud Act without consulting the EU.
This unilateral regulation of "data protection" has not only caught EU officials in Brussels off guard, but now also poses completely new challenges for cloud computing.
The US Cloud Act in combination with the EU GDPR could thus force existing SAP customers to avoid or perhaps even leave US cloud providers such as AWS, Microsoft and Google - there are European alternatives.
"The clarification of the US authorities through the US Cloud Act is not unexpected"
Jean-Claude Flury, DSAG Board Member for Business Networks Integration, also confirmed this to E-3 Magazine.
And Bertram Dorn, AWS Specialist Solutions Architect EMEA for Security, confirms the new situation in an exclusive interview with E-3:
"We help to support the risk analysis with information and data. But you can't do it without risk, so you have to come to a realistic assessment.
With the EU GDPR and the US Cloud Act, there is of course a further task in terms of risk analysis. And of course, discussions are now arising here that existing SAP customers - especially SMEs - are not yet used to."
The new risk discussion for the Chief Information Security Officer is therefore not a technical one, but a legal one. The positive aspect is a degree of provisional legal certainty, since there is now both a US law and the EU GDPR.
"Even Microsoft, which has a pending case on this before the US Supreme Court, welcomes them"
explains DSAG board member Jean-Claude Flury and adds:
"In these times of leaks and hacking, every company needs to think carefully about what data is stored in more or less private clouds.
This applies in particular to data centers outside Europe and even more so if the operator is not from the EU or Switzerland."
SAP itself has not yet responded and has not commented on its partnerships with AWS, Microsoft and Google or its own global data centers. Jean-Claude Flury emphasizes this once again:
"What is new is that third countries could gain easier access to data from companies in their own country via a bilateral agreement with the USA. European companies would do well to tighten up their hopefully already strict guidelines on data storage outside the company's own data center."
AWS expert Bertram Dorn takes a similar view of the development:
"The customer must be aware of the risks posed by the EU GDPR and the US Cloud Act and also evaluate and adequately assess these for themselves."
With the US Cloud Act and GDPR, the Chief Information Security Officer has a lot of work to do. Bertram Dorn knows this from his daily work with AWS customers:
"Even after discussion and evaluation with our lawyers, the risk assessment naturally remains the responsibility of the client."
There are several ways out of this challenge - perhaps back to your own data center? The vast majority of existing SAP customers have a lot of knowledge about setting up and operating their own data centers.
In the pre-cloud era, the SAP community consolidated, automated and virtualized a lot. The results were lean and high-performance data centers that, as on-premise SAP installations, were also able to keep up with many outsourcers and hosters from a business perspective.
So how big is the risk? How relevant is a cloud exit strategy? Meik Brand, SAP Business Development Manager at SAP partner QSC, explains:
"First of all, it should be noted: Anyone who does not yet use cloud products from US companies and does not store data on US servers can sit back and relax and wait for the EU's next regulatory steps. At the moment, this is a purely unilateral move by the US government."
The US Cloud Act therefore directly affects existing SAP customers who use AWS, Microsoft Azure or the Google Cloud Platform. The response from AWS specialist Bertram Dorn is therefore entirely logical:
"We help our customers with reviews of their security architecture, because all our precautions and security services only help if the customer implements and configures these AWS offerings correctly."
Meik Brand from QSC recommends:
"Anyone who is currently in the process of selecting a cloud service should stop it for the time being. Companies that are already using cloud products affected by the Cloud Act, on the other hand, should wait and see. The next two to three months will show what the US Cloud Act actually means - and how the EU will position itself in this regard.
SAP customers should also hold their US cloud provider accountable and clarify in a binding manner how it can now guarantee data protection in accordance with the EU GDPR - despite the Cloud Act."
While Microsoft and Google refused to comment to E-3 Magazine on their responsibility and security reviews regarding data protection, Bertram Dorn from AWS took a clear stance:
"We consider these reviews to be very important, so we offer this service to our customers free of charge. The background is easy to explain: we want our customers to be successful and that includes data security. Ultimately, it's about the correct configuration of AWS services in line with customer requirements."
As an existing SAP customer, you can therefore store your data securely at AWS and make a risk assessment, but it is difficult to assess how the US Cloud Act is compatible with the EU GDPR in practice and how both regulations are applied operationally by the respective authorities.
This is the final recommendation from Meik Brand, SAP Business Development Manager at QSC:
"Anyone who knows their data is stored with an EU cloud provider in an EU data center is relying on a provider that is subject to the EU GDPR and is therefore on the safe side in terms of data protection law. SAP customers in Europe should therefore critically examine the use of US cloud providers and only allow them to be used now in exceptional cases.
Due to the EU General Data Protection Regulation, which comes into force on May 25, there are potentially high penalties for data protection violations."
The US Cloud Act and EU GDPR are thus scratching at the clouds of cloud computing. The SAP community will have to find answers in the coming months or go back to on-premise.