The Cloud Act poses a real legal problem for European companies, and too few of them pay attention to it. In this article we present the setup we have developed so that the surveys we conduct are both GDPR compliant and out of reach of the US Cloud Act.
If you only have 30 seconds
- The Cloud Act represents a potential danger for all European companies that store their data with AWS, Google, or Microsoft
- Particular attention is needed from market research institutes that are likely to collect personal data on behalf of their customers (satisfaction research, B2C or B2B market research…)
- Solutions exist, based on survey software installed on your own servers in Europe
- To minimize the risk, choose a data host that is a company under European law
Cloud Act: a text that collides head-on with the GDPR
The Cloud Act and the GDPR are two pieces of legislation that do not mix well.
Countries like France have developed a response through the SecNumCloud standard and the development of a European trusted cloud. However, research commissioned by the Dutch government from the law firm Greenberg Traurig qualifies the possibility of building a truly sovereign cloud free of any interference from the Cloud Act.
Surveys and the Cloud Act: what’s the problem?
Market research institutes face two issues related to the Cloud Act when conducting surveys. We distinguish between surveys conducted on panels and those conducted on a specific customer database. In both cases the risk for the research sponsor is real, and it comes with a reputational (and legal) risk for the firm that conducted the survey.
Surveys using proprietary panels (mainly used for B2C market research) are not a major problem with respect to the Cloud Act. The respondents' data remains the property of the panel and is not passed on to the sponsor, so the risk is confined to the market research institute.
The same does not apply to surveys of your client's own customers.
Surveys using a customer database
Surveys conducted on a customer database are probably the riskiest. The customer database has high business value, and it must at all costs be prevented from ending up in foreign hands through the Cloud Act.
Market research institutes face this risk as soon as they conduct quantitative research on their clients' customers:
In each case data must be recorded, and it will inevitably contain personal data. If you store it on the servers of a US company (AWS, Google, Microsoft), you run the risk that the US authorities seize data belonging to your client under the Cloud Act.
Our solution to avoid problems with the Cloud Act
When it comes to the Cloud Act and the GDPR, there is no perfect solution. The law is still evolving, and different interpretations are issued here and there.
Cloud Act: avoid AWS, Google, and Microsoft
One hard and fast rule, however, is not to store your customers' data on AWS, Google, or Microsoft servers. Choose a European hosting company if you want to avoid trouble with the Cloud Act.
Storing the data where you choose requires taking control of the software that collects it. For surveys this is difficult, because almost all solutions are cloud services and are therefore hosted at AWS, Google or Microsoft.
Choose a local hosting provider
The first step to removing most of the risk posed by the Cloud Act is to store your data with a national hosting company. A server located on national territory is not enough: the host must be a company under European law, with its servers in your country.
The legal opinion Greenberg Traurig gave the Dutch government goes further: ideally you would choose a national company with no ties to the US, meaning no US subsidiary and no business there. The reason is that the Cloud Act reaches any provider subject to US jurisdiction, regardless of where its servers stand. Such a host is almost impossible to find, but that is what it takes to eliminate the risk entirely. And these legal constraints come on top of the technical ones: the host also has to be reliable enough.
Survey solution installed on your servers
Here is the setup we put in place to make our online surveys GDPR compliant while avoiding the risks of the Cloud Act. First, we installed survey software on our own servers in France, hosted by a SecNumCloud-qualified French company. All survey responses are therefore recorded on a server outside the Gafam ecosystem, with no link to the United States. So much for the Cloud Act.
For GDPR compliance, we have already described our recipe here. It still works, and it is very simple. When the survey is based on your sponsor's database, the sponsor itself sends out the invitations to complete the survey, so the customer database is never handed to you and no data is transferred to a third party without consent. The invitation must identify the company conducting the survey and make clear to respondents that, by participating, they consent to the processing of their data.