We all have many reasons to work in the cloud (and no COVID-19 isn't one of them!):
- It's cheaper than maintaining in-house servers
- It's easier to have all of your work in one place
- It facilitates teamwork because everyone has access to all the material
And the list goes on. That is why the European Court of Justice's ruling on Schrems II came as a setback to many companies who'd begun migrating to the cloud. Now we can hear the wheels turning: what on earth is Schrems II? What does that have to do with the American CLOUD Act? Sit tight, relax and let us explain it to you step-by-step!
What is Schrems II?
Schrems II is a landmark privacy verdict handed down in the summer of 2020, invalidating the Privacy Shield trade agreement between the EU and the US. This means that it is now essentially illegal to transfer privacy-sensitive data to the US, unless it complies with a data protection level equivalent to GDPR.
So how did Schrems come to be? Well, like all things digital and privacy-related... It started with Facebook. Austrian lawyer Maximilian Schrems was unhappy with Facebook's collection of personal data, filed a complaint, then took it higher up the chain. The EU-US Privacy Shield was created as a result of “Schrems I” and as we now know, that got nuked into orbit with "Schrems II".
What is the Cloud Act?
So what does the CLOUD Act have to do with all of this? Well, mister Schrems was especially concerned with Facebook's policies because of its alleged involvement into the controversial PRISM surveillance program. Subsequently, the CLOUD Act is a law that gives US authorities the right to request data from US-based companies and organizations. The CLOUD Act is in direct conflict with the GDPR. This in turn has sparked the debate on US cloud providers in general.
The CLOUD Act applies to all US companies as well as their foreign clients who may store their data with them. If you use a cloud provider like Microsoft, Google or Amazon, they must comply with the CLOUD Act, even if their servers exist in Europe. Crazy right? However, don't go grabbing your pitch forks yet: it doesn't automatically make US cloud providers unsafe. It all depends on HOW you store your data. Stay tuned for the explanation!
How do Schrems II and the CLOUD Act affect those in the EU?
Well, for one it just makes it much more difficult to send privacy-sensitive information across the pond. Which begs the question: is it possible to be GDPR-compliant in the cloud? You can't exactly opt out of the GDRP and that means you cannot transfer data to a country outside the EU without a great level of protection.
Well then, that puts us in a bit of a bind, doesn't it? We can't ignore the CLOUD Act, want to make use of the cloud (it's easier! it's cheaper!) and also want to comply with GDPR.
How? Well, that all depends on your encryption and your management of encryption keys. Read on to find out more!
We just so happen to have a great webinar available on the cloud and GDPR! Listen to GDPR and data protection expert Alexander Hanff here.
1. Encrypted data protection - your best friend in secure communication
Say hello to your new best friend: Encryption! You're going to need it when you want to send your emails safely and most importantly: securely. Encryption ensures that your information cannot be accessed by a third party, like those sneaky US authorities. Bye, bye CLOUD Act!
But before you go off and celebrate your new friendship, please know that not all encryption is made equally secure. If you want to protect your information from the CLOUD Act, it must be encrypted when stored, also known as ‘encrypted at rest’. However, there are still risks involved when you only encrypt data when it is stored.
Say you send sensitive data via email and an unauthorized party breaks into your messages, what happens then? Well, if they're not encrypted while in transit, they can be read by anyone. But SmartLockr, didn't you just say that encryption would be my new best friend? Why isn't encryption enough?
In order for encryption to be effective in protecting your information, it must be used throughout the whole process. We call that end-to-end-encryption and that's what we use at SmartLockr too.
You can read more about how encryption works and the benefits between the different types of encryption here: https://www.smartlockr.eu/en/encryption
2. Storage of encryption keys
Now that we've talked to you about end-to-end encryption, it's time to talk about your encryption keys. This is the key that ‘unlocks’ the encrypted message. Encryption requires two types of encryption keys - an encryption key that makes the information unreadable and a decryption key that allows you to decode the message. To protect your data from the CLOUD Act, you need to keep track of where your encryption keys are stored.
So how do you keep your information safely out of the hands of US authorities? Simple, store your keys separately from your cloud provider. This is called zero knowledge and is what use over at SmartLockr. Even if your information is disclosed to US authorities, for the crime of being hosted on a US-based company cloud, they can't do anything with it. Because only the sender and recipient have access to the encryption keys, the information remains unreadable to any outside parties.
Lock your digital front door with zero-knowledge encryption. Read more about it here.
This is why you need encrypted data protection for email
Look, we can't make it any clearer: email is one of the most common ways to communicate professionally today. A great number of 306.4 billion emails are sent every day! That means yours are included and you better be sure that they're safe and secure for your own peace of mind. Additionally, the law requires you to: GDPR demands you to use encryption.
So by encrypting your information you not only follow the law, but your information is also protected from the CLOUD Act. Win-win, if you ask us. Good news: SmartLockr uses end-to-end encryption with zero knowledge, offering you the full range of protection for your privacy-sensitive emails. That means we got your back from start to finish: encrypted emails all the way through with encryption keys that are only available to the sender (you) and recipient of your email.
Want to learn more about the cloud, the CLOUD Act and encryption? Read our ebook "Is it safe to store data in a US-based Cloud provider?" here.