In 2018, the European General Data Protection Regulation (GDPR) was introduced to give citizens more control over their data and to increase the transparency and accountability of companies that process data. It also aims to foster trust between citizens and companies.
Since then, the cloud market has more than tripled in size, with no end of growth in sight. But how can cloud technologies and the GDPR be reconciled? As a software engineer, you can sometimes feel torn between modern cloud technologies and corporate compliance, data protection, or legal departments. On the one hand, you’re inundated with new capabilities that help you meet ever-crazier timelines, but on the other hand, someone needs to make sure everything is legally compliant.
Large cloud providers like Microsoft Azure have recognized the need for legal and data security and offer a broad set of measures to meet that need. But is this just advertising, or do these measures really make a difference?
The GDPR is a law designed to protect individuals’ privacy and personal data in the European Union (EU). Its principles include:
If you violate one of the principles of GDPR, you may face fines and other sanctions. The severity of the fine will depend on the specific violation, the level of negligence, and the size of your organization.
The maximum fine for a GDPR violation is up to 4% of a company’s global annual revenue or €20 million, whichever is higher. This means that even small businesses can face significant penalties for non-compliance. Less severe violations may result in fines of up to 2% of annual revenue or €10 million, whichever is higher. However, in some cases, regulators may choose to issue warnings, reprimands, or other corrective measures instead of fines.
It’s important to note that fines are not the only consequence of GDPR violations. Companies that violate GDPR may also face damage to their reputation, loss of customer trust, and legal action from affected individuals.
US data protection laws differ significantly from those in the EU, which can create challenges for companies operating across borders. For example, US law enforcement and national security agencies have broad access to personal data, and private companies have fewer restrictions on collecting, using, and sharing personal data in the US.
The Safe Harbor and EU-US Privacy Shield frameworks were created to bridge this gap by providing a mechanism for US companies to demonstrate that they offer adequate protection for personal data transferred from the EU to the US. By complying with the principles of these frameworks, US companies could receive personal data from the EU without violating EU data protection laws.
However, the European Court of Justice ruled that the Safe Harbor and EU-US Privacy Shield frameworks did not adequately protect personal data transferred to the US, which led to their invalidation.
The fact that there is no GDPR-compliant regulation between the EU and the US puts much more risk on the companies who want to use US hyperscalers like Azure, GCP, or AWS.
Be aware that the following only applies to Microsoft Azure; there might be other problems and solutions for products like Office 365, Power Platform, etc.
Let’s assume you are developing an e-commerce solution and want to run it in Microsoft Azure because it saves you a lot of time and your customer a lot of operational hassle. The most important thing to consider is the location of your services and your data. When your customer’s data touches US soil, you technically can’t guarantee GDPR compliance.
You probably know that you can deploy compute resources like Functions, App Services, VMs, or databases to certain regions. Plenty of Azure regions are located in Europe, and Microsoft is even building a data center in Austria. The question remains whether Microsoft guarantees that your customer’s data doesn’t leave that region.
Microsoft is committed to complying with European law. They recently announced the rollout of the EU Data Boundary and met the second level of compliance with the EU Cloud Code of Conduct. So what’s the fuss about?
While Microsoft ensures that your compute resources remain within your designated region, it is important to consider the usage of SaaS or PaaS products such as “Azure Active Directory (AAD)” and “Cosmos DB.”
With Azure’s globally distributed Cosmos DB, you can manually select the database replication locations. Conversely, AAD is a critical and central component for numerous applications. Thus, it is crucial to comprehend its impact on GDPR compliance.
Some AAD functionalities are permanently excluded from the EU Data Residency and Boundary, and some are only excluded temporarily. That means if you use these features of AAD, your customer’s data might leave the EU, and the solution you built is not GDPR-compliant anymore. These AAD features include Multi-Factor Authentication, Directory Connect, Self-Service Group Management, Enterprise App Management, and the Sign-In and Account page.
You can find a list of services that might send data across EU borders on Microsoft’s “Customer data storage and processing for European customers in Azure Active Directory” page.
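As an added illustration of the two points above (service and data location, and Cosmos DB replication locations), the following Python script audits an inventory export for locations outside the EU. It is example code added here, not code from the original post or from Microsoft. It assumes JSON in the shape emitted by `az resource list` and `az cosmosdb show`, but the two documents embedded in it are constructed samples rather than output from a real subscription, and the `EU_REGIONS` allow-list is an assumption you must maintain yourself. Tenant-level services such as AAD never appear in a resource inventory, so the feature review described above still has to be done by hand.

```python
"""Offline EU data-residency audit over an Azure inventory export.

Constructed sample data below mimics the shape of `az resource list`
and `az cosmosdb show` output; it does not come from a real tenant.
"""
import json

# Assumption: the EU regions your organisation accepts. Maintain this list
# yourself; it is not authoritative and Azure adds regions over time.
EU_REGIONS = {
    "westeurope", "northeurope", "germanywestcentral", "francecentral",
    "swedencentral", "switzerlandnorth", "norwayeast", "italynorth",
    "polandcentral",
}

# Constructed sample: what `az resource list -o json` could return.
SAMPLE_RESOURCES_JSON = json.dumps([
    {"name": "func-shop-checkout", "type": "Microsoft.Web/sites",
     "location": "westeurope", "resourceGroup": "rg-shop"},
    {"name": "stshopexports", "type": "Microsoft.Storage/storageAccounts",
     "location": "eastus", "resourceGroup": "rg-shop"},
    {"name": "shop.example.com", "type": "Microsoft.Network/dnsZones",
     "location": "global", "resourceGroup": "rg-shop"},
    {"name": "cosmos-shop", "type": "Microsoft.DocumentDB/databaseAccounts",
     "location": "westeurope", "resourceGroup": "rg-shop"},
])

# Constructed sample: what `az cosmosdb show` could return for an account
# whose geo-replication was extended to a US region.
SAMPLE_COSMOS_JSON = json.dumps({
    "name": "cosmos-shop",
    "locations": [
        {"locationName": "West Europe", "failoverPriority": 0},
        {"locationName": "East US", "failoverPriority": 1},
    ],
})


def normalize_region(name):
    """'West Europe' and 'westeurope' both denote the same region."""
    return name.replace(" ", "").lower()


def check_resource_locations(resources, allowed=EU_REGIONS):
    """Return (violations, needs_review).

    violations: (label, region) pairs deployed outside the allow-list.
    needs_review: resources whose location is 'global' (DNS zones, Front
    Door, Traffic Manager, ...); they are not region-bound, so residency
    has to be judged from the product's own documentation, not the tag.
    """
    violations, needs_review = [], []
    for r in resources:
        label = f'{r["type"]}/{r["name"]}'
        region = normalize_region(r.get("location") or "")
        if region == "global":
            needs_review.append(label)
        elif region not in allowed:
            violations.append((label, region))
    return violations, needs_review


def check_cosmos_replication(account, allowed=EU_REGIONS):
    """Return replica regions of a Cosmos DB account that lie outside the
    allow-list. The account's own 'location' is not enough: every entry in
    'locations' holds a full copy of the data."""
    return [
        normalize_region(loc["locationName"])
        for loc in account.get("locations", [])
        if normalize_region(loc["locationName"]) not in allowed
    ]


def audit(resources_json, cosmos_json):
    """Run both checks and return a summary dict; compliant means no
    violations in either check (review items are reported, not failed)."""
    violations, review = check_resource_locations(json.loads(resources_json))
    cosmos_bad = check_cosmos_replication(json.loads(cosmos_json))
    return {
        "resource_violations": violations,
        "needs_review": review,
        "cosmos_replicas_outside_eu": cosmos_bad,
        "compliant": not violations and not cosmos_bad,
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_RESOURCES_JSON, SAMPLE_COSMOS_JSON), indent=2))
```

Run it against real exports by replacing the two constants with the contents of `az resource list -o json` and `az cosmosdb show -n <account> -g <group> -o json`. As a preventive control rather than an after-the-fact audit, Azure Policy's built-in "Allowed locations" definition can be assigned at subscription scope so that deployments outside the listed regions are rejected; the audit above remains useful because Cosmos DB replica locations and "global" services are not caught by a resource-location policy alone.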
As an engineer, this can be easily considered by following one of the following three options:
As an engineer, I think that’s fairly easy to consider and still leaves a lot of space for improved development speed and decreased operation costs using Azure.
There might be other, smaller limitations for other SaaS or PaaS products; these are described in the compliance section of the respective Microsoft documentation.
Your employees need a Microsoft Active Directory account if they want to use the Azure Cloud or other Microsoft products. You’ll need to ensure they are okay with the consequences of their account data leaving the EU. You can do that in a privacy agreement.
On top of all of that, be aware that other regulatory requirements might apply. As an example, the Austrian Finanzmarktaufsicht (FMA, the banking regulator) published a paper, “Leitlinien zum Outsourcing an Cloud-Anbieter” (“Guidelines for outsourcing to cloud providers”). The FMA allows you to use cloud providers if you follow some rules like having an exit strategy, doing due diligence, and proper risk management. If you don’t follow their guidelines, you might be compliant with GDPR but still get warnings and eventually lose your banking license. Such regulations likely extend beyond the banking sector.
The Clarifying Lawful Overseas Use of Data (CLOUD) Act is a US law that was signed in 2018. It requires that US-based service providers disclose data that is in their “possession, custody, or control” regardless of where the data is located. However, previous legal and privacy protections still apply and prevent companies from sharing any data with law enforcement. According to Microsoft, your data won’t be shared with anyone without a search warrant or court order against you. You can read detailed FAQs on Microsoft’s Data Law page, including numbers and statistics.
However, critics say that this law allows the US government to bypass US courts, and affected users would not have to be notified when such warrants were issued (see: cnn.com, theverge.com, boxcryptor.com).