The Cloud Act poses a real legal problem for European companies. Unfortunately, they pay too little attention to it. In this article, we present the solution we have developed so that the surveys we carry out are both GDPR-compliant and protected from the abuses of the American Cloud Act.
Cloud Act: a text that directly impacts the GDPR
The Cloud Act and the GDPR are two pieces of legislation that do not mix.
Countries like France have devised a countermeasure through the Cloud standard and the development of a European trusted cloud. A study commissioned by the Dutch government from the law firm Green Tauris, however, qualifies the possibility of creating a true sovereign cloud free from any interference from the Cloud Act.
Surveys and Cloud Act: where is the problem?
Two problems relating to the Cloud Act arise for market research institutes when it comes to surveys. We distinguish surveys carried out on panels from those carried out on a specific customer database. In both cases, the risk for the sponsors of the studies is real. It is coupled with a reputational (and legal) risk for the firm that carried out the survey.
Proprietary panel surveys (especially applied in the context of B2C market research) do not represent a major problem with regard to the Cloud Act. Respondent data remains the property of the panel and is not communicated to the sponsor. The risk therefore remains confined to the market research institute.
The same is not true of surveys carried out on your sponsor’s end customers.
Surveys via a customer database
Surveys conducted using a customer database are arguably the riskiest. The customer database has a high business value. We must at all costs prevent it from ending up in foreign hands through the Cloud Act.
Market research institutes are confronted with this risk as soon as they carry out a quantitative survey of their sponsor’s customers:
- satisfaction survey
- investigation of a future product or service
- customer experience evaluation
Each time, responses must be recorded, and they will necessarily contain personal data. Saving them on the servers of an American company (AWS, Google, and Microsoft) means exposing yourself to the danger that this data, which belongs to your sponsor, may be seized by American authorities under the Cloud Act.
Our solution to avoid problems with the Cloud Act
When it comes to Cloud Act and GDPR there is no perfect solution. The legal matter is quite “moving” and different interpretations can be issued here and there.
Cloud Act: avoid AWS, Google and Microsoft
There is nevertheless an imperative rule to respect: do not store your customers’ data on AWS, Google or Microsoft servers. If you want to avoid trouble with the Cloud Act, choose a European host.
Storing the data where you choose requires you to take control of the software solution that collects the data. In terms of surveys, it’s quite complicated because almost all the solutions are in the Cloud and therefore hosted by AWS, Google or Microsoft.
Choose a local host
The first step to take to reduce 99% of the risks posed by the Cloud Act is to put your data with a national host. We are not talking here of a server on the national territory, but of a company under European law with its servers in your country.
In view of the legal advice provided by Green Tauris for the Dutch government, in a perfect world, a national company with no connection to the United States would have to be chosen. This means that this host must not have a subsidiary in the United States and must not do business there.
Let’s be honest, it’s almost impossible. But if you want to eliminate 100% of the risk, you will have to go through it. Finally, these legal constraints come on top of the technical constraints: you also need to find a host that is sufficiently reliable.
Survey solution installed on your own servers
Here is the solution we have put in place to avoid the risks of the Cloud Act. We first installed survey software on our own servers in France.
They are hosted by a Cloud-certified French company. All survey responses are therefore recorded on a server outside the GAFA ecosystem and unrelated to the United States. So much for the Cloud Act part.
To comply with the GDPR, we had already described our recipe here. It still works and it is very simple. As soon as your survey relies on your sponsor's database, it is the sponsor who sends the invitations to take the survey. In this way the customer database is never transmitted to you.
There is therefore no transfer of data to third parties without consent. The invitation to respond must identify the company carrying out the survey and make it clear to respondents that by participating they are giving their consent to the processing of their data.