
Why the U.S. CLOUD Act doesn’t need to concern you as a Stackfield user

2 min read  •  April 25, 2018

We’re living in turbulent times: On one hand, data protection regulations and individuals’ rights are being strengthened, while on the other, they’re being reduced to a minimum. As the blog title already suggests, one of these sides is represented by the United States – and given recent events, it’s probably not hard to guess which one.

Data protection, designed for the people

Across the European Union, we’re witnessing a shift in data protection toward truly safeguarding individuals and the population as a whole. In Germany, strict regulations for handling personal data have been in place for quite some time thanks to the Federal Data Protection Act. However, in many other EU countries, this hasn’t always been the case. That’s changing at the end of May 2018 with the much-debated General Data Protection Regulation (GDPR), which harmonizes data protection standards across the EU and raises them to a unified level.

Of course, the GDPR brings plenty of work for businesses, since nearly all companies are affected by the changes and will now need to actively contribute to data protection efforts. But these measures ensure that individuals gain important rights – including the right to have their data deleted and to export it – giving people more control than ever before.

Laws, made for the government

In stark contrast to the GDPR stands the U.S. CLOUD Act, which governs how U.S. authorities can access data stored abroad. In essence, the law requires service providers based in the United States to disclose and hand over customer data – regardless of where that data is physically stored. While providers do have the option to challenge such a request, this is only possible if the affected customer is neither a U.S. citizen, resident, nor a company registered in the United States.

However, this raises practical questions. For example, in a freemium model where no payment information is collected, how can a provider reliably prove a user’s status? And even if they file an objection, U.S. courts must consider a wide range of factors, making it rare for a disclosure order to be overturned. What’s more, no court order is required for the data to be handed over in the first place – meaning that a provider’s legal objection is effectively the only form of resistance. It’s still unclear how providers will handle this situation and, more importantly, the significant effort involved. Affected individuals, on the other hand, have no right to challenge the intrusion in court – nor do they even need to be informed about it.

A prominent case in this area involved Microsoft, which successfully resisted handing over data stored in Ireland after a legal battle that lasted nearly four and a half years. (Link to Heise.de, article available in German)

Why choosing Stackfield was the right decision

From the very beginning, Stackfield has relied on providers and partners based in Europe. The introduction of the CLOUD Act has only reinforced this decision – even though agreements like the Privacy Shield and similar frameworks technically allow the use of U.S. service providers. By working exclusively with European partners, we can ensure that none of our subcontractors are forced to violate data protection regulations due to the application of U.S. national law.

This point has become even more significant under the GDPR, as it places clear responsibilities on data controllers to ensure proper data protection. If we already know from the outset that using a U.S. subcontractor carries the very real risk of government data requests, it’s simply not possible for us to guarantee compliance. That’s why we chose a different path – one that puts your data protection first.

Christopher Diesing
About the Author:
Christopher Diesing is the COO of Stackfield. He loves all kinds of marketing, product design as well as photography.