In the shadow of GDPR, US authorities have introduced CLOUD Act, a US federal law that has met quite a lot of criticism. CLOUD Act, among other things, enables U.S. authorities get access to data of US cloud providers – including data stored abroad. Many have expressed concern about what the law may entail in practice.
What is CLOUD Act?
CLOUD Act stands for The Clarifying Lawful Overseas Use of Data Act, and is an American law that was enacted on the 23 of March 2018. The purpose is to modernize surveillance and privacy laws to reflect the increased use of cloud services. Territorial boundaries don’t exist to the same extent on the internet, and the US have wanted a law that reflects this.
What does CLOUD Act entail?
CLOUD Act means that all American cloud service providers should, when ordered, provide American authorities with data that is stored on their servers, regardless of where the data is stored. In turn, this means that American authorities may be able to access and read large amounts of data belonging to European citizens.
What kind of information will companies have to provide? In the act it says:
“[a] provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”
CLOUD Act is quite a controversial law because it circumvents other countries’ laws regarding privacy and information protection. The logic they follow is that US companies should comply with US laws, regardless of where they have their servers, what other countries they operate in, and the country in which the person of interest resides. It is however important to note that the request for access to information occurs when there is a suspicion of crime and the US authorities will provide a warrant.
There are other details in the act that are problematic. For example, in some cases the individuals concerned do not have to be notified that information about them is being collected. The law also allows the United States to enter into agreements with countries where the countries can access information stored on US servers without a warrant, completely circumventing the US legal system. These examples have raised concern from human rights organizations.
CLOUD Act and GDPR
In Europe, companies have worked hard to comply with the new data protection regulation GDPR. GDPR as a regulation is all about protecting and strengthening the integrity of the individual, giving people more power over their personal data. CLOUD Act and GDPR are very different in terms of scope, and they quite clearly demonstrate the differences between Europe and the United States when it comes to the view on integrity and handling of personal data. The GDPR also includes requirements relating to data transfer to third countries. Article 48 states that decisions from third country authorities or courts requiring the transfer of personal data can only be implemented if it is part of an international agreement, such as a mutual legal assistance agreement. There thus exists a potential conflict between the CLOUD Act and GDPR.
What should companies outside the United States do?
Many organizations and experts have expressed concern about CLOUD Act and the potential negative impact it can have on the integrity of EU citizens. European businesses using US suppliers should evaluate the risks of using a US supplier. Do the benefits really outweigh the risks? Many of the giants in cloud services and IT, such as Google, Microsoft and Amazon, all have to follow CLOUD Act.
It may be beneficial for companies to choose a local cloud or hosting provider that you know follow the laws of the local country when it comes to privacy and data protection. This is especially true for organizations who handle extremely sensitive data, such as authorities, municipalities, banks and health care and insurance companies.