ISC2 Certified Cloud Security Professional (CCSP) Practice Question
Your US-based company is the data controller for customer PII stored with a SaaS provider that replicates data to Germany and Singapore. The provider receives a valid U.S. subpoena demanding that it hand over an EU resident's records within 48 hours. The provider is headquartered in the US but operates the German data center through an EU subsidiary. Which statement best captures the primary legal risk if the provider complies immediately without involving the customer?
No significant risk exists because the U.S. CLOUD Act overrides any conflicting foreign privacy legislation when responding to a valid subpoena.
Under the former EU Data Protection Directive, only the data controller is liable, so the SaaS processor faces no legal exposure for complying.
The disclosure could breach GDPR restrictions on cross-border transfers and notification, exposing the provider to substantial administrative fines.
The long-standing EU-US Safe Harbor framework permits unrestricted transfer of EU personal data to U.S. entities, so compliance is lawful.
Correct answer: The disclosure could breach GDPR restrictions on cross-border transfers and notification, exposing the provider to substantial administrative fines.

The data subject is in the EU and the records are processed in the EU by an EU-established subsidiary, so the General Data Protection Regulation (GDPR) applies to both the controller and the processor. A U.S. subpoena is an order of a third-country authority; under GDPR Article 48 such an order is recognised or enforceable in the EU only if it is based on an international agreement, such as a mutual legal assistance treaty (MLAT). Handing the records to U.S. authorities without that basis, without a valid Chapter V transfer mechanism, and without informing the controller (and, where required, the data subject) is an unlawful international transfer. Immediate compliance therefore exposes the provider to administrative fines of up to 20 million euros or 4 % of worldwide annual turnover, whichever is higher. In practice the provider should notify the controller, seek to quash or narrow the subpoena, and steer the requesting agency toward the MLAT process rather than produce the data within 48 hours.

The other options are wrong. The U.S. CLOUD Act clarifies that a U.S. provider must produce data in its possession, custody or control regardless of where the data is stored, but it does not override conflicting foreign privacy law; it instead gives providers a route to challenge an order that conflicts with the law of a qualifying foreign government, and courts otherwise weigh the conflict under a comity analysis. The EU-US Safe Harbor framework was invalidated by the Court of Justice of the EU in 2015 (Schrems I), and its successor, the Privacy Shield, was invalidated in 2020 (Schrems II), so neither can be relied on. The Data Protection Directive was replaced by the GDPR in 2018, and the GDPR places direct obligations and liability on processors (Articles 28 and 82), so responsibility does not rest solely on the controller. Hence the most significant risk is breaching GDPR cross-border transfer and notice requirements.
Legal, Risk and Compliance