Will the Supreme Court force US cloud service providers to breach the GDPR?
In the coming weeks, the U. S. Supreme Court will decide whether or not U. S. cloud providers will have to disclose data to U. S. authorities even if they are stored outside the United States. If the court so judges, the compliance of US cloud providers with the EU-GDPR is fundamentally undermined.
The procedure has been dragging on for quite some time: Five years ago, a New York District Court ordered Microsoft to release a customer's data. Microsoft handed over the data that was on US servers, but refused to release the part that was stored on servers in Ireland.
Meanwhile, the dispute has landed in the highest court of the USA and it doesn't look good for Microsoft (and other US cloud providers). If the Supreme Court rules in favor of the US government, the providers will be obliged to break the law of the respective host country or of the EU (see: GDPR).
It is still hard to predict what the consequences would be. Would US cloud service providers withdraw from the EU? Or would they tacitly comply with the regulation of the US authorities (which is probably the case already today as they are obliged to do so by US law)? Would they risk the draconian penalties imposed by the GDPR?
Whatever the outcome, it is advisable for cloud customers to follow up on this litigation to the end. Because cling together, swing together: Not only cloud service providers (as data processors), but also their customers (as controllers) can be fined up to €20 Million or 4% of the worldwide annual turnover for breaching GDPR requirements.