The US Cloud Service Act (US CLOUD ACT), adopted in 2018, allows federal agencies to oblige US-based technology companies to provide data stored on their servers. Companies are required to provide the data, whether the servers are located in the United States or abroad. The law also covers divisions of companies operating abroad, even if their headquarters are outside the United States.
This means, in effect, that all US IT companies are required to hand over any data to their government, including the data of foreign customers, with no requirement to give notice of any kind.
Such a practice contradicts the requirements of the GDPR, and a European company may find itself in an awkward position between the two laws if it chooses one of the three major cloud providers, also known as hyperscalers.
European cloud providers are subject to European legislation and are required to comply with the requirements of the GDPR. Provided they are not legally bound to an American company, they are outside the scope of the Cloud Service Act and their customer data is safe in this regard.
The European Data Protection Supervisor has already expressed concerns about this part of US law. Similar objections were raised by the German Data Protection Commissioner.
As part of the European community, Bulgarian companies must take into account the risks they take on when they give access to their customers' information to entities outside or on the border of EU legislation. This is especially true for financial, banking and credit institutions, but also for all other companies that handle customers' personal data.
Author: Pavel Nedyalkov
Source: delta.bg