Risks when using SaaS tools from the USA

Companies and other institutions in Europe are increasingly turning to SaaS tools from outside Europe. Common examples are tools from companies such as Google, Microsoft, SalesForce, HubSpot and Calendly.

However, when it comes to processing user data, one could almost speak of "Schrödinger's data processing", because whether the data processing actually takes place lawfully or not - is never guaranteed with sufficient certainty.

Requirements under the GDPR for DPA

Data transfers to unsafe third countries - which at present undoubtedly include the USA - are subject to many legal restrictions.

For example in the case of Google's GSuite and Workspace (e-mails, cloud storage, calendars and more for companies), Google uses so-called "suitable guarantees", standard contractual clauses, certifications and more to establish an appropriate level of data protection.

Legal uncertainties when using SaaS tools from the USA

Data controllers in Europe can conclude corresponding data protection agreements with Google, for example. Companies should also do so, since these data processing operations appear at first glance to be data processing according to Art 28 GDPR.

Unfortunately, the use of these tools is associated with many legal uncertainties. Three points stand out clearly:

1. legal uncertainty regarding access possibilities (by security authorities).
2. legal uncertainty with regard to subcontractors for commissioned data processing
3. legal uncertainty due to existing alternatives in the fulfillment of the contract.

Access capabilities of U.S. authorities

In the U.S., it is possible for security authorities to access data of European users and institutions at any time, provided that this data is stored with a U.S. company. The USA has special means at its disposal here, such as so-called "National Security Letters". These are requests from the government to companies to hand over data without disclosing it. No court order is required to issue such requests, i.e., investigative authorities can issue these requests themselves and companies such as Google, Apple, Microsoft, etc. must comply with them.

Also, the Cloud Act from the US allows extensive access by US authorities to data stored by US companies. Prior to the enactment of the Cloud Act, access to such data was generally only possible in the context of a so-called mutual legal assistance request (here, the authorities of the state in question - in which the data is stored - are asked for "help"). After the enactment of the Cloud Act, from the perspective of the U.S. authorities, a request for mutual legal assistance is no longer necessary and the data must be surrendered. Therefore, from the U.S. perspective, foreign authorities (such as German authorities) no longer need to provide prior consent.

Unmanageable number of subcontractors

Especially large SaaS services such as Google GSuite/Workspace use an enormously high number of subcontractors. A list of the subcontractors used at Google can be accessed at https://workspace.google.com/intl/en/terms/subprocessors.html.

With this enormously high number of subcontractors - distributed all over the world - the first justified doubts arise as to whether all subcontractors and, if applicable, their subcontractors are extensively audited or have merely been contractually obligated to certain procedures in paper form.

At this point, it should under no circumstances be forgotten that the data controller always remains the data controller. This has also been specifically regulated for the case of data processing by Art. 24 GDPR. The purpose of the introduction of this additional regulation is to assign the responsibility and liability for any processing of personal data to the person who carries out these processing operations himself or has them carried out (cf. recital 74 of the GDPR).

Another problem also arises from the design of data processing with such large companies and extensive tools. If large companies such as Microsoft or SalesForce independently determine the purposes and means of processing, this does not constitute data processing pursuant to Art. 28 (10) of the GDPR, but rather joint responsibility. As a result, there may be a lack of data subject consent to transfer data to an additional controller and all processing activities might factually not be allowed.

In practice, it must now be checked whether the contracts with such companies precisely describe which services are provided and how the data is processed. In the absence of such provisions, it can be assumed that, as described above, the decision on the purposes and means of processing no longer lies with the original controller. This leads to numerous problems and violations of the provisions of the GDPR.

Existing alternatives for contract fulfillment

Further, there is a legal uncertainty that cannot be overlooked, as alternatives to many of these Software tools exist within Europe. Also, in most cases, data subjects have not given consent to the transfer of personal data to countries such as the US. In these cases, however, processing is based by data controllers on the purpose of fulfilling a contract.

However, it is obvious that the processing in the U.S. as such - in most cases - is not necessary for the performance of the contract. This is because the processing operations necessary for fulfillment of the contract could also be mapped within a company or at least within Europe.

This inevitably means that the processing of data subjects' data in the U.S. cannot be "simply" based on the purpose of fulfilling the contract and lacks the consent of the data subjects, which in turn poses significant risks for data controllers.

A secure alternative to SaaS solutions are open source tools. Glasskube enables you to install and operate open source software automatically in your data center or cloud, and thus process data securely and in compliance with the GDPR.