GDPR AND THE CLOUD ACT: WHO IS SPYING ON MY VIDEO MEETINGS?


The future workplace will become an activity-based virtual workspace. It will depend on neither time, device, nor space. By 2025, 135 million people will work remotely in Western Europe. Additionally, 45% of all Europeans will work independently, and another 35% of the workforce will be millennials. Since we know that only cloud-based solutions will be competitive in the workforce of 2025, data privacy and security are becoming ever more important. So with the increase in legislation trying to protect our privacy, such as GDPR, one would assume that our video meetings are stored safely. But is that true?

80% of corporations have opted for video meetings to support remote work and freelancing

Video conferencing is redefining the very notions of the modern workforce by addressing companies’ concerns regarding virtual workspaces. 80% of corporations opt for video meetings to support remote work and freelancing. That said, video meets the growing demand for more productivity in the virtual workspace—it is the “new normal” for business communications. This change promotes a new perspective on business conversations. The main focus is intuitive usage, mobile access, and interactions with internal and external individuals. Remote work is the dominant trend.

The new digital workspace demands a more instantaneous use of video

What do video meetings need to have to satisfy the workforce of the future? They need to be readily accessible, easy to use, and without complex installations. Furthermore, the future points to cloud-based video meetings. They are more cost-efficient, scalable, and secure, and they require far less maintenance. But cloud-based solutions are facing one big challenge: contradicting laws regarding data security.

GDPR and the CLOUD Act

Recently, two legal mandates with relevant consequences for cloud-based solutions were implemented. On March 23rd, 2018, the CLOUD (Clarifying Lawful Overseas Use of Data) Act was passed by U.S. lawmakers to amend and extend the ECPA (Electronic Communications Privacy Act) and the SCA (Stored Communications Act). A few months later, on May 25th, the General Data Protection Regulation (GDPR) came into effect. The combination of these laws, along with the older U.S. FISA Act, is posing a significant threat to cloud-based solutions providers. Why? They overwhelmingly rely on cloud infrastructure that, in turn, is operated by U.S. providers. Consequently, if your data is stored with a U.S.-owned cloud provider, your information is available to U.S. authorities.

The US does not have a universal fundamental right to privacy

So government authorities can obtain information without court approval. The U.S. does not have a universal fundamental right to privacy, as defined and enacted under EU GDPR. While this strongly affects the relations between U.S. authorities and U.S. citizens, it also poses severe threats to non-U.S. citizens. U.S. authorities can use the ECPA to access information in violation of GDPR. Access requires an enterprise to be in possession, custody, or control of that information. It is unclear how many requests have been made since the CLOUD Act modified the ECPA. Google states that subpoenas and warrants under the ECPA have been “by far the most common” types of requests. Consequently, Google criticizes the ECPA for providing a level of privacy lower than users should reasonably expect.

The FISA Act allows for access to information in violation of GDPR

The FISA Act does not require a court ruling for secret access to information. In the six months between January and June of 2018, under the FISA Act alone, Google received requests for access to data of almost 100,000 users or accounts. So what are the consequences for the above-mentioned digital transformation of the workspace? With more cloud-based solutions on the market, the question focuses on personal data stored, used, and exchanged. The GDPR should protect the data of every person within EU jurisdiction. However, since U.S. entities or their European subsidiaries operate the cloud infrastructure, U.S. officials have full access.

The Gaia-X initiative and eyeson’s partnership with Exoscale

Partly due to this contradiction and the lack of European solutions available, the European Commission’s cloud strategy was amended and updated last May. The Gaia-X initiative promises to get a European cloud infrastructure ready by the end of next year (2020). At the moment, however, there are very few European cloud providers with significant capacity to provide a cloud infrastructure for SaaS companies. We at eyeson found a compatible partner in Exoscale, an entirely European cloud service provider. We are working on a GDPR-compatible cloud-based video conferencing solution, thereby satisfying EU laws and respecting the data privacy of people and companies. Not only governmental agencies but also banks, insurance companies, and health institutes, among others, will benefit from this critical improvement in secure communications.

eyeson’s solution

Unlike most of our peers, we have developed the technical core for video solutions with an independent cloud approach. We let business customers choose their cloud for storing data, recordings, and video meetings. Moreover, we suggest genuinely secure cloud-based services. Users can select the cloud location of the stored data: either a private cloud, a cloud provider they trust, or simply the company’s own cloud account. U.S. companies are, by nature, not able to guarantee EU GDPR compliance, even if they are based within Europe. Regardless of where they are located, U.S. companies fall under the CLOUD Act. European video conferencing providers can’t be compliant if they use U.S. cloud providers to handle their services. Our approach at eyeson is to let users choose their cloud and thereby offer a fully GDPR-compatible solution. For more information, make sure to get in touch with us. We’re happy to work on a fully secure and fully GDPR-compliant solution with you.