Companies that use IT services from the cloud will find answers to the most important questions about the CLOUD Act here.
1. What is the CLOUD Act?
The CLOUD Act (“Clarifying Lawful Overseas Use of Data Act”) was passed in the USA in March 2018. It obliges US-based cloud providers such as Microsoft, Google and AWS to allow US law enforcement agencies – such as the FBI – access to users’ data, even if it is stored on servers in Europe.
The CLOUD Act also requires the US to enter into bilateral government agreements with foreign states that allow foreign investigative authorities access to data stored by US companies. In return, US investigators will also have access to data stored in the country in question. This inevitably leads to conflicts with existing national data protection regulations.
2. What is the current status of the CLOUD Act?
For the time being, the CLOUD Act is a unilateral initiative of the USA, and the European Union is very interested in a regulation for the entire Union that is not softened by bilateral agreements with member states. Nevertheless, this action by the USA is already threatening to undermine European efforts to improve data protection. The result for enterprises is uncertainty, above all for those that currently meet compliance requirements and want to keep meeting them in the future.
3. What are the potential problems of the CLOUD Act for European companies?
In particular, the CLOUD Act can undermine efforts to ensure strong data protection. It collides with the European GDPR (“General Data Protection Regulation”), which has been binding since 25 May 2018. Strictly speaking, US cloud services are no longer data protection-compliant for European companies.
Data processed in the EU is subject to European Union law and thus to the GDPR. It stipulates that the transfer of personal data to a third country on the basis of a court ruling or an administrative decision must be governed by an international agreement such as a mutual legal assistance agreement between the requesting third country and the EU or a member state. However, no such agreement covering the CLOUD Act exists between the EU and the USA, nor do such agreements exist between individual EU member states and the USA.
Due to this legal situation, the disclosure of data stored and processed in the EU is a violation of the GDPR, which is punishable by fines. For US providers who process data in Europe, this means that they ultimately have to decide which law they want to violate: the European GDPR or the US CLOUD Act.
4. How can European companies prevent these problems?
For companies that are concerned about the confidentiality of sensitive business information as well as their customer data and legal compliance when using clouds, one question in particular is becoming increasingly important: Where are the headquarters and data centers of the provider whose solutions and cloud resources we use?
The safest way under data protection law is to host the data and applications at a European cloud provider in a data center with a European location.