A major concern for many compliance and security officers is the US CLOUD Act.
The US runs several surveillance programs and regulations that can be a concern for companies outside the US. The US CLOUD Act is the best known, as it is often referred to in data protection discussions, but there are others.
| Regulation | Description |
|---|---|
| US CLOUD Act | CLOUD is an acronym standing for Clarifying Lawful Overseas Use of Data. The US CLOUD Act authorizes the US justice system to request handover of data managed overseas (e.g. in Ireland) by US providers. This means that choosing a data residency in Europe (e.g. Ireland) on Microsoft Azure, Google Cloud or AWS changes where the data is stored, but if the provider (e.g. Microsoft) is a US company, it must adhere not only to Irish and European Union law but also to US law. Under the US CLOUD Act, the US justice system may request data directly from Microsoft without needing to go through Irish diplomatic and law enforcement channels. |
| PRISM (Section 702) | PRISM is a program operated under Section 702 of the Foreign Intelligence Surveillance Act (FISA). It is a program where the National Security Agency (NSA) collects internet communications from major US service providers (Google, Facebook, Apple, etc.). It is designed to target non-US persons located outside of the United States for foreign intelligence purposes. This program was exposed by Edward Snowden in 2013. |
| Upstream | Upstream is a program operated under Section 702 of the Foreign Intelligence Surveillance Act (FISA). It taps directly into the "backbone" of the internet (undersea fiber optic cables) to scan data as it flows. |
This list is not complete; XKeyscore and EO 12333 are other examples.
While all these programs are rooted in law enforcement and national security, they cross into the national sovereignty of other countries and their regulations. The US CLOUD Act pushes US companies like Amazon or Microsoft into a “legal trap” where they have to break either US or European law, whether they accept or reject a request to hand over data.
With the Phonemos cloud solution, no US data centers are storing any customer data. Instead of US hyperscalers, we use independent Swiss data center providers. Data residency is in neutral Switzerland, a country with strict privacy rules.
If you consider the Phonemos cloud solution not to be localised enough, you may use the on-premise hosting option to operate the system with your preferred data residency and your preferred managed service provider.