Opinion: US Authorities Have Far-Reaching Access to European Cloud Data

An analysis for the Ministry of the Interior highlights the reach of US laws. According to it, data stored in the EU is also not secure.



The debate about Europe's digital sovereignty and the strategic use of US cloud infrastructures in sensitive areas is gaining new momentum. A previously unpublished expert opinion, prepared by legal scholars at the University of Cologne on behalf of the Federal Ministry of the Interior, has now become publicly accessible as part of a Freedom of Information Act (IFG) request. It concludes that US authorities have far-reaching access to data even when it is stored in European data centers.

The experts were tasked with clarifying whether and to what extent US intelligence agencies and other state bodies have a legal right of access to data in the cloud, even if the infrastructures are operated outside the United States. According to the opinion, the Stored Communications Act (SCA), extended by the Cloud Act, and Section 702 of the Foreign Intelligence Surveillance Act (FISA), in particular, allow US authorities to compel cloud providers to hand over data.

A sensitive point is the finding regarding the scope of US jurisdiction. According to the opinion, companies are required to hand over data even if it is stored outside the USA. The decisive factor is not the physical storage location of the information, but the control over it by the affected company. This implies that even data stored in data centers on European soil and managed through German subsidiaries is subject to access. The prerequisite is that the US parent company exercises ultimate control.

However, the reach of US laws does not end here. According to the opinion, the jurisdiction of the United States can impact not only European subsidiaries of US companies. It also has the potential to affect purely European companies, provided they maintain relevant business connections in the USA. This extends the risk of indirect or direct data access to a wide range of companies operating in the European internal market.

Although a cloud provider could technically prevent itself from accessing the data, for example, through encryption, this does not necessarily avoid the disclosure obligation. US procedural law requires parties to store procedurally relevant information even before the start of legal proceedings. A cloud service provider that is regularly confronted with disclosure requests could therefore be obliged to retain data. If it excludes itself from access through technical measures, it risks significant fines or criminal consequences.

In Europe, supervisory authorities may prohibit the disclosure of information to authorities in third countries based on the General Data Protection Regulation (GDPR). Data transfers to the USA can currently be based on the shaky adequacy decision of the EU Commission – the EU-US Data Privacy Framework. However, the opinion highlights the legal tensions arising from the global reach of US laws. It points to the need to develop European alternatives to strengthen digital sovereignty.


Lawyers Stefan Hessel, Christina Ziegler-Kiefer, and Moritz Schneider conclude in a current analysis that the use of the cloud-based solution Microsoft 365 in compliance with data protection regulations is still fundamentally possible. The abstract risk, stemming from extraterritorial US powers, does not in itself constitute automatic unreliability of the processor, as long as no systematic violations of European law are proven. Those responsible must concentrate on their compliance obligations and conduct a data protection impact assessment if the risk is high. Other experts do not see it that way.

(wpl)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.