Note on the GDPR and US-based cloud servers
9 Pages Posted: 10 Jul 2023
Date Written: November 1, 2021
Abstract
Serious concerns have been raised about the use of US-based clouds and the risk of US intelligence agencies having undue access to data transferred to any US cloud from the EU (or directly accessed – hacked into – by US agencies, even while still in the EU/EEA or while in transit: such direct access is regarded by the EDPB as also constituting, or involving, a data transfer). These concerns also extend to the use of servers in the EU that are managed by subsidiaries of US companies.
The note discusses a number of cases in France, the Netherlands and Germany in which these issues have been addressed, concluding that "the legality of the use of US cloud servers and -solutions remains problematic, at least if the personal data on those servers or processed in the context of the use of those solutions must be available there 'in the clear'”.
Keywords: data protection, EU, GDPR, surveillance, cloud servers
JEL Classification: K19, K29
Suggested Citation: Suggested Citation