Increasingly, my students and clients are seeking guidance on the security of their research data, particularly confidential information, not only on data management within MaxQda (the software for which I provide training) but also on broader concerns about the research process and the tools we employ, such as cloud storage services. I’ll try to answer here.
These inquiries are becoming more frequent for several reasons:
- Firstly, the rapid pace of technological change makes it challenging to stay informed. AI has introduced new issues and questions almost weekly.
- Secondly, ethics committees at universities and funding organisations are imposing stricter data management requirements. While this is to be expected and welcomed, it does increase the workload and raises questions for researchers.
- Lastly, recent developments in research practices in the United States have led many researchers to realise that long-standing solutions and tools from the US may no longer be acceptable. This shift is not entirely new, but there is less tolerance. It is likely that ethics committees will soon reach similar conclusions, necessitating a reevaluation of the use of certain research tools.
This discussion will cover:
- The implications of using US-based cloud services for data storage, highlighting the associated risks.
- The European regulatory landscape, focusing on the robust General Data Protection Regulation (GDPR or RGPD) and the promising European alternatives, with necessary precautions.
- A quick word on MaxQda’s approach to managing sensitive data.
Please note that data management is not my primary area of expertise. My role is to assist researchers and research teams with their projects, methodologies, and analytical tools. Therefore, the information provided here aims only to guide researchers in selecting reliable tools for their work.
🇺🇸 Concerns with US-Based Services
1. US Surveillance Legislation
This issue is longstanding, though not fully acknowledged. US-based companies are subject to laws such as the Cloud Act (2018) and, to a lesser extent, the Patriot Act, which mandate that these companies provide access to data stored on their servers to US intelligence agencies (like the FBI and NSA). This applies even if the data is hosted outside the United States and without judicial involvement.
For researchers or organisations utilising services from US-based companies to manage and store their data, this means that their data could be accessed by US authorities without their knowledge or consent. The legal framework obligates these companies to comply with US laws, potentially compromising data confidentiality.
2. Breach of Confidentiality Standards
For non-US researchers, this situation may violate confidentiality standards mandated by regulations such as the European General Data Protection Regulation (GDPR or RGPD). These laws impose strict data protection requirements that are incompatible with the obligations US companies face under US law.
3. Challenges in Obtaining Ethical Approval
Ethics committees at universities and funding organisations are increasingly scrutinising data handling and security practices. Researchers are required to demonstrate that risks to participants are minimised, storage and analysis methods are reliable, and anonymity is preserved. If there is a risk of unauthorised access or misuse of data, these ethical commitments are compromised.
Consequently, if data is stored on servers owned by US companies, obtaining ethical approval for research could be difficult. While this is not yet commonplace, it is a trend that may accelerate, particularly for research involving sensitive data in the humanities and social sciences.
4. Risks to Participants
Ethically, this situation poses risks to research participants. They may decline to participate if there is a possibility that their data could be accessed by foreign authorities, compromising their anonymity. Moreover, in certain cases, this could endanger participants, especially those from vulnerable groups, if their confidential data is exposed.
This concern is amplified by the current political climate in the US, where certain rights and protections are being challenged. There are legitimate fears that such data could be used for political purposes, potentially targeting specific groups.
In summary, researchers bear the responsibility of safeguarding their data and ensuring the confidentiality of participants. This is not just a legal obligation but a moral imperative to protect individuals who entrust their information to research studies.
Recommendations
In light of these concerns, the following steps are advisable (I expand on them below):
- Avoid US-based services for handling and storing research data. This includes most cloud services and many data analysis software platforms that offer cloud storage. Even if servers are located outside the US, if the company is US-based, the data is subject to US laws.
- Opt for providers that are subject to European regulations (GDPR) and are located within Europe, or consider Canadian providers that operate independently of US jurisdiction.
- Utilise open-source tools where possible. Open-source software allows for transparency, enabling users to verify how data is processed and ensuring compliance with ethical standards.
- Incorporate these practices into ethical protocols. Clearly specify data storage locations and access permissions in ethical approval submissions. This not only facilitates the approval process but also reassures participants about the security of their data.
What’s Happening in Europe 🇪🇺
Let us turn our attention briefly to the European legal framework governing data protection: the RGPD. It is, at present, the strongest, most protective and arguably the most transparent regulation in place.
The General Data Protection Regulation (RGPD) has become something of a global standard. It is widely recognised as one of the strictest and most comprehensive legal frameworks for the protection of personal data.
The RGPD stipulates that:
- Personal data must not be transferred to countries that do not offer a comparable level of protection, which is the case for the United States.
- Any processing or transfer of personal data must have a clearly established legal basis (for instance, explicit consent, or a contractual obligation).
- Individuals must be informed and given the opportunity to object to certain uses of their data.
So, one might assume that by simply opting for services claiming compliance with the RGPD, one is adequately protected. Unfortunately, the reality is more complex.
💥 Incompatibility between the RGPD and American laws
Some American services claim RGPD compliance, but this is a total contradiction. There is an ongoing legal tension that is far from resolved.
There is a fundamental incompatibility between the obligations imposed by the European RGPD and those embedded within American legislation on data access and surveillance.
Under US law:
- Companies headquartered in the United States are legally required to grant access to data to American authorities, even if that data is physically stored outside the US, including in Europe.
- Neither the users nor the organisations involved are necessarily informed that such access has occurred.
- These laws also prioritise what are defined as the “national security interests” of the United States, potentially overriding the data protection laws of other countries.
This applies to all companies based in the United States, including Microsoft (OneDrive), Amazon (AWS), and Google (Google Drive), even when these companies promote their services in Europe as ‘RGPD-compliant’. This is an important point to bear in mind.
This situation is incompatible with the RGPD, which prohibits the access of European data by foreign governments in the absence of judicial safeguards equivalent to those of the European Union. Those conditions are simply not met under US law.
This is a legal incompatibility, but one that is frequently overlooked in practice. Despite this, many American companies (such as AWS, Google, and Microsoft) claim RGPD compliance, often citing:
- Standard contractual clauses,
- Client-side encryption measures,
- European-based data centres,
- And other procedural assurances.
However, in practice, these measures do not override the legal obligations imposed on US-based companies. The potential for access by US authorities remains intact, meaning these assurances are, in essence, superficial.
⚠️ This is the critical point. Even if these services claim RGPD compliance, even if they are widely adopted by researchers and institutions, the use of American-owned services presents a risk where sensitive or research data is concerned.
Even if certain universities or public sector bodies continue to rely on them, whether out of habit or due to limited alternatives, this does not negate the ethical or legal implications involved.
✅ So, What Is the Practical Response?
From a practical standpoint, the only way to ensure full alignment with the RGPD is to use services that are:
- Based in Europe,
- Subject to European jurisdiction,
- Or, in certain cases, are open-source and independently verifiable.
To give a few concrete (albeit non-exhaustive) examples:
- For data storage, there are several robust European alternatives, such as Infomaniak and Proton (both based in Switzerland). There are others worth exploring—for instance, OVHcloud is another frequently cited option.
- In terms of qualitative and mixed-methods analysis software, MaxQda is a highly secure choice. It is a fully European product—developed in Germany—including its cloud functionality for collaborative work and AI tools.
🔎 About MaxQda
A few words about MaxQda and how these issues are addressed.
1. 🇩🇪 European software
MaxQda is designed and maintained by VERBI Software, a German company. Its geographical location means it is subject to both the RGPD and German legislation, which is recognised as one of the strictest in Europe.
However, while the cloud storage on which the AI Assist and TeamCloud functions of MaxQda are based is located in Europe, it relies on third-party services such as Google and Amazon (full details can be found here).
What are the implications of this?
2. 🔒 With MaxQda, data remains under local control.
MaxQda is desktop software, which means analysis is conducted locally on the researcher’s computer, unless you opt to use the cloud for collaboration and AI features, which I will address later.
- Files stay on your computer unless you choose to host them elsewhere (for example, in a cloud of your choosing).
- No automatic data transfer to servers is required to use the software.
- Additionally, when it comes to archiving projects at their conclusion, MaxQda allows you to export results and data in open formats (Excel, Word, PDF, etc.) for secure storage and sharing.
In short, you retain full control over the location and security of your data, a critical factor for ethical compliance and related considerations we have discussed.
3. ☁️ About the cloud for teamwork and AI Assist
Naturally, in this scenario, your data must leave your computer.
The cloud, which underpins MaxQda’s TeamCloud feature, is European-based and complies with the relevant regulations we have outlined, but relies on third-party services like Google and Amazon. While the risk is fairly low, given that data is not stored for long (a few days to a month) and is not used for learning purposes, it does exist.
This means that you should always anonymise your data before sending it to AI Assist or to the transcription tool.
And what about Canada? 🇨🇦
I do not discuss Canada and Quebec extensively here, as most questions I receive from students and clients relate to analysis software (such as MaxQda or NVivo), and to my knowledge, there are no Canadian equivalents. MaxQda, for which I am a certified trainer, is European.
Regarding cloud hosting in Canada, based on my understanding (though I remind you I am not an expert), Canada offers better data protection than the US but does not yet reach European standards. Quebec appears to be somewhat more advanced, though still short of European levels. There are plans underway for Canada to move towards regulations akin to those in Europe to meet these standards, but this remains a work in progress.
Canadian clouds may avoid the Cloud Act and other American legal constraints provided they are independent. This means they must:
- Not be owned, directly or indirectly, by American companies,
- Avoid using any service, infrastructure, or suppliers subject to US jurisdiction, maintaining no legal connection to the US.
This applies to some internal services within independent Canadian organisations and also to clouds offered by independent Canadian providers. I encourage you to research and verify these options.
🧭 In conclusion, what should researchers take away from all this?
- The RGPD and US legislation (such as the Cloud Act) are incompatible with regard to data sovereignty. Consequently, the ‘RGPD compliance’ claimed by certain American companies is limited at best, and often contested. It is prudent to avoid them, particularly for sensitive data.
- In practical terms, the only way to guarantee full compliance with the highest standards (the RGPD) and avoid the risk of data exposure is to use European services based in Europe (or some open-source alternatives) that do not rely on US-based third-party services. For Canada, choose 100% independent clouds and services.
- And, more important than ever, you should always anonymise your data before sending it to a cloud or AI service. This applies to both US cloud storage services and AI tools (such as OneDrive, Google Drive, Microsoft’s AI tools, etc.). Keep in mind that the anonymisation grid (which traces the links between the original identities and the anonymised information), if there is one, should never be shared or stored via these problematic channels.
Ultimately, these guidelines will facilitate obtaining ethical approval for your research, including meeting the increasingly strict requirements imposed by funding bodies, and also encourage participants to engage with your surveys and consent to involvement in your research.
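The last takeaway above, as an added example (not part of the original post and not MaxQda code): a local script that replaces known participant names with stable codes before a transcript leaves the computer, checks that none remain, and writes the anonymisation grid to an owner-only local file. Because a grid is kept, this is pseudonymisation in RGPD terms; the participant names, function names and file path are constructed for illustration.

```python
import json
import os
import re

# Constructed sample data (not from the original post).
PARTICIPANTS = [["Marie Tremblay", "Mme Tremblay", "Marie"], ["Jean Roy", "Jean"]]
TRANSCRIPT = ("Interviewer: Marie Tremblay, how did Jean react?\n"
              "Marie: Jean Roy said nothing. marie left.")

def build_grid(participants, prefix="P"):
    """Map every alias of a participant to one stable code, e.g. [P01]."""
    return {alias: f"[{prefix}{n:02d}]"
            for n, aliases in enumerate(participants, start=1)
            for alias in aliases}

def _pattern(grid):
    # Longest alias first so "Marie Tremblay" wins over "Marie";
    # lookarounds keep "Jean" from matching inside "Jeanne".
    alts = "|".join(re.escape(a) for a in sorted(grid, key=len, reverse=True))
    return re.compile(r"(?<!\w)(?:" + alts + r")(?!\w)", re.IGNORECASE)

def pseudonymise(text, grid):
    """Return text with every known identifier replaced by its code."""
    if not grid:
        return text
    codes = {alias.lower(): code for alias, code in grid.items()}
    return _pattern(grid).sub(lambda m: codes[m.group(0).lower()], text)

def residual_identifiers(text, grid):
    """Identifiers still present in text; must be empty before any upload."""
    if not grid:
        return []
    return sorted({m.group(0).lower() for m in _pattern(grid).finditer(text)})

def save_grid_locally(grid, path):
    """Write the grid to a local file readable by its owner only (0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(grid, fh, ensure_ascii=False, indent=2)

if __name__ == "__main__":
    grid = build_grid(PARTICIPANTS)
    shareable = pseudonymise(TRANSCRIPT, grid)
    assert residual_identifiers(shareable, grid) == []
    # Hypothetical path; keep it out of any cloud-synced folder.
    save_grid_locally(grid, "grid.local.json")
    print(shareable)
```

Only the identifiers listed in the grid are replaced; indirect identifiers such as places, employers or job titles still need a manual read-through before the text is shared.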