I am glad to present the study I carried out with prof. Eugenio Prosperetti* about the so-called “legal reachability” of data in the cloud environment. This may be useful for understanding the concrete issues surrounding the debate about digital sovereignty. When this debate arises in connection with cloud, specific attention must be paid to extraterritorial legislation, and particularly to the application of the Cloud Act in Europe.
The legal notion of “reachability” was recently introduced to indicate the possibility for a subject to access and dispose of, in a legitimate manner, data stored in a cloud system. However, it is a notion that can be articulated at various levels: on the one hand, there is “reachability” for the original data owner user, as well as for those who may acquire certain rights in the context of the cloud service; on the other hand, there is a further form of “reachability” of data by entities – typically government institutions or public authorities – who, in the exercise of their functions, may have an interest in accessing data located in a cloud.
In fact, data, once outsourced, become “reachable” by virtue of a complex patchwork of legal rules from different sources (international, European and national) and contractual provisions, whose overall weight and articulation are not irrelevant to the cloud strategy of any organization, be it cloud provider or customer.
The issue of “legal reachability” is thus aimed at assessing, in practice, the accessibility and availability of data in a globalized economy, in order to assess the risk arising from the possibility that foreign government authorities, including non-European ones, may access or prohibit access to data placed in the cloud by virtue of authoritative powers, or even order their destruction, for instance following an embargo or for reasons of national security.
The Study takes particular account of the role of US operators in the European cloud sector, both because of the preponderant market share they hold in Europe**, and because of the recent implications arising from the annulment of the Privacy Shield regime by the European Court of Justice.
The Study can be freely downloaded from here:
When data placed in the cloud are of particular importance, e.g. personal data, business data or data of economic importance, the choice of the cloud provider must be carefully considered. It is not simply a matter of evaluating the economic and technological offer proposed by the operator, but also of considering the fate that data entrusted to the cloud may have in the face of coercive measures by governmental or judicial authorities, which could order access, prohibition of access, or even destruction. This is the issue of data reachability in the cloud, which is the subject of this Study.
In making this assessment, one must take into account the legal system that governs the overall processing and accessibility of the data covered by the cloud contract. In a purely European context, i.e. with cloud providers and servers within the EU, the data of a European citizen or company appear to be substantially safe due to the robust safeguards provided by EU legislation, primarily the GDPR.
However, it is also necessary to consider the nationality of the cloud provider, since this may imply the jurisdiction of third, non-European countries that may consider themselves authorized to intervene on their own companies, including with reference to data of European citizens stored on servers located in Europe; the physical location of the servers therefore does not mitigate the requirements deriving from the nationality of the cloud provider. The most common case, i.e. that of the US cloud provider, requires assessing the applicability of US legislation, and in particular the Cloud Act, which may vary depending on the agreements made with the various European States. With other nationalities, and with countries whose legislation appears to be very distant from the European one, for instance China and other Asian countries, the case appears even more complex and delicate, so that the reachability of data entrusted to the cloud must be carefully assessed.
The prior assessment of the applicable legislation and jurisdiction is therefore a necessary and indispensable step, alongside economic and technological considerations. The uncertainties and risks resulting from this assessment can, however, be compensated for by preparing contractual models and policies that regulate in advance and in detail the behavior the cloud provider must adopt in the case of measures by authorities of third countries, with reference to the accessibility and storage of data.
*I also thank Giulio Pascali and Davide Tuzzolino for the research, and DHH for sponsoring our efforts.
** Among the most recent data, see Synergy Research Group, First quarter 2020 http://www.globenewswire.com/NewsRoom/AttachmentNg/5d1edd1e-dc3c-4847-9fc0-23a5e0eb20d5/en