{"id":8314,"date":"2021-10-29T15:54:20","date_gmt":"2021-10-29T15:54:20","guid":{"rendered":"https:\/\/www.securitytoday.de\/2026\/04\/02\/post_id-3015\/"},"modified":"2026-05-11T00:19:03","modified_gmt":"2026-05-11T00:19:03","slug":"alice-in-cloud-land","status":"publish","type":"post","link":"https:\/\/www.securitytoday.de\/en\/2021\/10\/29\/alice-in-cloud-land\/","title":{"rendered":"Alice in the Cloud-Land"},"content":{"rendered":"

The cloud tempts with its simplicity, effortless implementation, and maximum scalability. Providers also tout the opportunity to reduce IT investment costs – freeing up capital to flow into core business value creation. But caution is warranted!<\/strong><\/p>\n

It\u2019s all too easy to violate data subjects\u2019 rights under the GDPR – and find yourself facing the Red Queen herself, literally serving you with legal process. Like Alice in Wonderland, cloud users may find personal data protection just as magical – and at times, equally obscure – as that fantastical tale.<\/p>\n

The Stolen Cakes<\/h2>\n

For data subjects, personal data is often just as valuable as the stolen cakes are to the Red Queen. So how can such data go missing – especially when cloud providers proudly advertise exemplary compliance and strict adherence to the GDPR? The scientific service of the German Bundestag spells out this dilemma with striking clarity in its briefing paper \u201cGDPR and the Use of U.S. Cloud Services<\/a>\u201d<\/p>\n

\"\"

Don\u2019t let anyone steal your cakes – ahem, your personal data. Here\u2019s what you need to know. Source: Adobe Stock \/ Olyina<\/p><\/div>\n

As the title itself hints, the core risk lies in unauthorized disclosure of personal data due to access by U.S. security authorities under the CLOUD Act<\/strong> (Clarifying Lawful Overseas Use of Data Act). Crucially, corporate affiliations mean that even if a cloud provider\u2019s servers are physically located within the European Economic Area (EEA), no guarantee of access security can be assumed. Compounding the problem: in cases of GDPR violations – particularly those arising from CLOUD Act-based access – data subjects have no legal recourse available to them.<\/p>\n

A further complication may arise from intensified efforts to regulate web content<\/a>. Cloud storage systems are already scanned for criminally relevant material – for example, using the fundamentally legitimate goal of protecting children. Yet even today, controllers struggle to assess precisely how far such data access extends – or how their data is processed. Further expansion of online searches conducted by private cloud providers could pose risks beyond personal data protection – especially if business-critical data is affected.<\/p>\n

The Mad Hatter Invites You to Tea<\/h2>\n

Amidst all the requirements and promises, it\u2019s often difficult to keep track – and to judge which measures are truly needed to ensure lawful data processing. Since U.S.-based cloud providers are considered to involve a transfer of data to the United States<\/strong> (an \u201cinsecure third country\u201d), any data processing must comply with Article 44 of the GDPR. But ever since the Court of Justice of the European Union\u2019s (CJEU<\/strong>) Schrems II<\/strong> ruling – which invalidated reliance on the European Commission\u2019s adequacy decisions for data transfers – you may sometimes feel like you\u2019re once again denied the promised cup of tea.<\/p>\n

Legitimate legal bases under the GDPR remain contracts with companies that demonstrate GDPR-compliant processing via BCRs (Approved Binding Corporate Rules)<\/strong><\/a>, or the adoption of the new SCCs (EU Standard Contractual Clauses)<\/strong><\/a>. Even then, however, additional safeguards must be implemented to protect personal data. The objective: ensuring an appropriate level of protection against access by U.S. security authorities<\/strong>.<\/p>\n

Out of the Labyrinth<\/h2>\n

 <\/p>\n

Just as the Cheshire Cat shows Alice the way, Article 32(1)(a) of the GDPR recommends pseudonymisation<\/strong> and encryption<\/strong> as suitable technical measures to meet these requirements. In its \u201cGuidelines 07\/2020 on the concepts of controller and processor in the GDPR Version 2.0<\/a>\u201d, the European Data Protection Board (EDPB) specifies that personal data must be encrypted before<\/em> transmission<\/strong>, and that the encryption key must not<\/em> be known to the cloud provider.<\/p>\n

TeleTrusT\u2019s Cloud Security Guide<\/strong><\/a> offers a concise, practical overview of security measures for safe cloud application use. Under the heading \u201cIntegrated Encryption\u201d, it explains and compares common terminology.<\/p>\n

\"\"

There are various approaches to data encryption – each with its own advantages and drawbacks. Source: Adobe Stock \/ Dario Lo Presti<\/p><\/div>\n

Many providers have implemented BYOK<\/strong> (Bring Your Own Key) solutions, where the encryption key is transferred into the cloud provider\u2019s infrastructure – making it \u201ctechnically\u201d known to them. This enables automated key management (Service-Managed Keys<\/strong>), controlled entirely by the cloud provider.
\nWhile this delivers strong cybersecurity protection, it fails<\/em> to satisfy GDPR\u2019s legal requirements for data protection!<\/p>\n

Instead, ensure your cloud solution supports HYOK<\/strong> (Hold Your Own Key) – a model requiring two<\/em> keys: one held exclusively by the customer, without which data cannot be decrypted; and a second key embedded in the cloud provider\u2019s infrastructure to enable key management within<\/em> the cloud. This approach preserves essential IT security functions – like automated key rotation – that would otherwise break down (or incur significantly higher administrative overhead) under a pure HYOK setup.<\/p>\n

These recommended solutions apply equally to smaller-scale deployments. Even using Google Drive, OneDrive, or Dropbox without<\/em> additional safeguards constitutes a GDPR compliance issue. Tools like Cryptomator<\/strong><\/a> enable GDPR-compliant data storage – even for private users. The principle is simple: create an encrypted folder on Dropbox using Cryptomator, then securely store files inside it. This preserves cloud applications\u2019 native sync capabilities while fully meeting data protection requirements.<\/p>\n

With solutions like these, you\u2019ll ensure no one steals your precious cakes – i.e., your personal data. We\u2019d be delighted to advise you on your individual cloud configuration to guarantee both flawless data protection and high IT security.<\/p>\n

Feel free to reach out!<\/a><\/h5>\n

Many questions<\/span>, <\/span>but no answers? Our experts at <\/span>msecure<\/span> are ready to help with all your questions about <\/span>data protection<\/span> and <\/span>IT<\/span> security, tailored to your specific cloud setup.<\/span> Learn more here<\/a>!<\/span><\/p>\n

Key Facts<\/h2>\n

GDPR implementation:<\/strong> Only 28 percent of German companies consider themselves fully GDPR-compliant.<\/p>\n

Highest single fine:<\/strong> \u20ac1.2 billion against Meta (2023) – the largest GDPR penalty to date.<\/p>\n

Frequently Asked Questions<\/h2>\n

What penalties apply for GDPR violations?<\/h3>\n

Fines of up to \u20ac20 million – or 4 percent of global annual turnover – whichever is higher. In addition, affected individuals may file claims for damages.<\/p>\n

What is a Data Protection Impact Assessment (DPIA)?<\/h3>\n

A DPIA is a systematic evaluation of the risks a data processing operation poses to the rights and freedoms of data subjects. It is mandatory whenever processing is likely to result in a high risk – for instance, in cases involving profiling, video surveillance, or processing of special categories of personal data.<\/p>\n

Does the GDPR apply to small businesses?<\/h3>\n

Yes – the GDPR applies universally to any<\/em> organisation processing personal data of EU residents, regardless of size. Small businesses benefit from limited exemptions (e.g., no obligation to maintain a record of processing activities if fewer than 250 employees and processing is low-risk), but must still uphold all core GDPR principles.<\/p>\n

Related Articles<\/h2>\n