EU GDPR and US CLOUD Act

EU GDPR and Swiss companies

It’s been already 2 months since the EU General Data Protection Regulation (GDPR) became enforceable on May 25th 2018 to protect data and privacy for all individuals living in the European Union and the new Swiss Data Protection Act is currently in the making.
But even if GDPR concerns EU and not Swiss law, it doesn’t mean that it’s not affecting Swiss companies. Swiss companies have to comply with GDPR if they are processing personal data of people located in the EU and the purpose of the processing lies in either offering goods or services to people or tracking user behavior, which is true for many Swiss companies.
Swiss companies affected by the new EU regulation have to inform and obtain the consent of the person whose data is processed, guarantee ‘Privacy by Design’ and ‘Privacy by Default’, report violations of data protection to the supervisory authority and much more.
You can learn more about GDPR for Swiss companies on kmu.admin.ch.

US Cloud Act

In stark contrast, the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) which was signed by the Trump administration in March 2018 and goes back to the Microsoft vs. United States case, allows federal law enforcement to compel U.S.-based companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data is stored in the U.S. or on foreign soil.
That means that even if you choose an EU or Swiss server location but the service or cloud provider is an US company, they can be forced to hand over your customer data to the authorities.
But that would probably mean that you violate the GDPR regulation at the same time. So to sum up, this is quite an unsatisfactory situation for everyone and the US and EU should work on finding a solution to this issue.
Apple, Google and Facebook welcome the CLOUD Act while several civil rights groups including the Electronic Frontier Foundation (EFF) critize the bill. 

What does that mean for your company?

The long-term effects of these colliding regulations still have to be seen and the new Swiss Data Protection Act won’t come into effect until 2019. But that shouldn’t hold you back from thinking about your strategy.
In the end it depends on your specific business requirements and where you need to store your data. The issue demonstrates that it is a topic worth thinking about, both in a detailed and also a long-term perspective.
Our friend Mathias Brenner, CTO of Sherpany, wrote an excellent article about the CLOUD Act which goes into more detail and also talks about the recent acquisition of German Cloud Provider Brainloop by a US company and the resulting implications for their customers. 

How can VSHN help you?

We at VSHN – the DevOps company – believe in openness and transparency and therefore let you decide, where you want to store your data (we call that Multi-Cloud-Strategy). Either on-premises in your own data centers or at a Cloud Provider location of your choice. Head over to our services and find out more about what we do and how we can support you.
VSHN AG (pronounced ˈvɪʒn like “vision”) is Switzerland’s leading DevOps, Docker, Kubernetes, Openshift and 24/7 cloud operations partner. Since 2014 we support >300 customers & partners operating >900 servers in 20+ different clouds and on-premises with >62000 combined monitored services. We are ISO 27001 certified and work in accordance with the strict FINMA guidelines to ensure the security and confidentiality of customer data at all times.