ISC2 Certified Cloud Security Professional (CCSP) Practice Question

A multinational retailer must host EU customers' personally identifiable information (PII) in a public cloud. The preferred provider is headquartered in the United States and therefore subject to the U.S. CLOUD Act, which could compel disclosure of stored content. To minimize exposure created by this potential conflict with the GDPR's cross-border transfer restrictions, which contractual or technical requirement should the cloud security architect insist on?

Relocate the EU customer data to a U.S. region so that the CLOUD Act fully governs it.
Accept the provider's SOC 2 Type II attestation as evidence the conflict is sufficiently controlled.
Mandate EU-only storage combined with customer-managed encryption keys that prevent the provider from accessing the plaintext data.
Rely on the provider's former EU-U.S. Privacy Shield certification to legitimise any compelled disclosure.

Report Issue

Answer Description

Because the CLOUD Act can obligate a U.S.-based provider to turn over data it can access, forcing the provider to design the service so that it never possesses the decryption keys for EU PII removes its practical ability to comply with such orders. Storing the data only in EU locations while the customer retains sole control of the encryption keys satisfies GDPR localisation expectations and avoids an impermissible "transfer" under Schrems II.

Privacy Shield is no longer a valid transfer mechanism, so relying on it does not resolve the conflict.
A SOC 2 Type II report addresses internal controls but says nothing about cross-border legal demands.
Moving the data to a U.S. region would clearly constitute a restricted transfer and increase-not reduce-GDPR risk.

Ask Bash

Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.