After several attempts to enact laws that facilitate the appropriation of data from customers of US-based services that is being stored outside the United States, the US Congress passed the “Clarifying Lawful Overseas Use of Data (CLOUD) Act” in March 2018, which provides a legal framework for accessing data from US suppliers held outside their home jurisdiction.
The bill, originally created to amend a 1986 law, the Stored Communications Act, allows the United States to force US-based service providers to transfer their customers’ data hosted overseas much more rapidly. It currently takes an average of ten months to obtain the data, rendering investigations conducted from within the US highly unproductive. The bill aims to allow US authorities (from sheriffs to the CIA) to access the data hosted by US companies, without the authorization of a judge. Large technology companies, who have supported the bill in the Senate, will be able to oppose a request if:
- The customer or subscriber is not a U.S. citizen or resident (section 3.2.b.h.2.i), and
- The transfer would require the provider to contravene the regulations of the country hosting the data (section 3.2.b.h.2.ii)
Such a request would then be brought before a US court which would be able to quash (or uphold) the request for the data transfer. Its decision will be based, among other things, on the validity of the information provided, the US’s interest in the request, the scope of the violation, and the chances of it being deemed to contravene the law in the foreign country. The public nature of the appeal is not specified, especially regarding the capacity of companies to communicate about contested requests. Today, it seems likely that the major US players are using such appeals to maintain the trust of their customers.
In order to avoid contravening the regulations of the countries concerned, the US can enter into bilateral agreements with them; in return for their goodwill, those countries will in turn be able to access data held in the United States.
In the US, the CLOUD Act remains contested due to the risks introduced by the potential agreements with foreign countries. The fact that an executive power can put in place mutual agreements worries the American people, who fear that foreign powers are using the CLOUD Act to access their data without any safeguards.
What are the consequences for customers in Europe?
While tech giants (like Facebook, Google, Microsoft, and Apple) have supported the bill (with the US authorities refraining from approaching them for back-door access and providing a clear framework for data transfer), these regulations raise concerns about customer privacy for the targeted businesses. The act could leave customers without a right to consult, or any information about access to their data by US authorities.
However, European customers whose data is processed in Europe are now protected by the General Data Protection Regulation (GDPR). Articles 45 and 48 of the regulation, which is now in force, lay down a clear set of rules for allowing data to be transferred to third-party countries. According to Frank Jennings (a renowned lawyer on cloud matters), the European Data Protection Board, which oversees the implementation of the GDPR, will be responsible for deciding whether data appropriation under the CLOUD Act constitutes a necessary measure for the safeguarding of US national security, or whether a request does not comply with the new regulation. This could force the United States to negotiate with the EU or its Member States on the conditions for such data transmission, thus protecting their citizens against illegitimate transfers. US customers, however, would remain within the scope of the CLOUD Act.
Negotiations are due to begin between the European Commission and the US. EU leaders have already criticized the US bill as being hastily adopted, something that may complicate negotiations. In the meantime, some 100 civil society organizations have urged transparency from the European Council about the negotiations of the CLOUD Act as set out by the “Convention on Cybercrime” (or “Budapest Convention”).
Privacy laws: an asset for companies?
While the GDPR has preoccupied a good number of companies with respect to the changes it involves for their information systems, and while the ePrivacy Directive is in preparation, it is instructive to consider the connections between regulatory developments and the world of business. Data privacy laws could, whether in the near or distant future, be considered as an aid to protecting businesses’ data and to maintaining customers’ trust.
In a world where data-privacy issues are becoming increasingly important (think of Cambridge Analytica and Google Home Mini), protection of customer data can be a decisive factor when choosing between competing offers. The position US providers will take on privacy and data protection issues is therefore eagerly awaited.
What can you do today?
To conclude, the new regulations on privacy remain somewhat ambiguous and may even clash in certain areas. The main conclusion remains that, as a result of the GDPR, Europeans should be better protected against the CLOUD Act, provided US suppliers reject inappropriate requests, and the courts with responsibility for arbitrating them play their roles correctly. Meanwhile, non-European customers will not gain greater protection by choosing to host their data in Europe.
While awaiting the implementation of new laws dealing with confidentiality and possible data appropriation, there are steps you can take to protect your personal and business data against inappropriate access while it is held overseas, and against other potential threats:
- Clarify with your provider under what conditions it may be required to give access to your data, without forgetting to consider any mutual legal assistance treaties.
- Define or review your hosting strategy according to the type of data held, your provider’s nationality, and the hosting site’s location.
- Favor data hosting in European data centers, or in countries with well-established data privacy frameworks.
- Choosing a French or European supplier enables you to avoid the risks associated with the CLOUD Act. You must, however, stipulate contractually that it does not use US subcontractors (either directly or indirectly)!