The Controversial CLOUD Act
Total Page:16
File Type:pdf, Size:1020Kb
www.ionos.co.uk/epc White Paper The controversial CLOUD Act Effect on data protection and data security in the European Union. Executive Summary The Cloud Act requires US companies to disclose data stored or processed outside the United States to authorised US authorities. Companies located in Europe are also subject to the Cloud Act if they are a part of a US company or exchange data with US organisations. The Cloud Act requires companies to not only disclose their own data, but also all data in their possession, custody or control, including customer data held by a cloud service provider. It includes both personal and company data – from commercial information to trade secrets to intellectual property. The US Cloud Act contradicts the EU General Data Protection Regulation (GDPR). Companies in Europe run the risk of violating either the US Cloud Act or the GDPR. Every European company should take a very critical look at the impact of the US CLOUD Act. Cloud providers with headquarters AND data centres in the EU offer maximum protection from the CLOUD Act and are GDPR-compliant. White Paper The controversial CLOUD Act Page 2 Contents 1. Introduction 4 2. The CLOUD Act 5 2.1 Contents of the CLOUD Act 5 2.2 The Microsoft case 6 2.3 A far-reaching data concept 6 3. Legal discrepancy with the GDPR 7 3.1 Data protection in the EU vs. the US 7 3.2 What does the GDPR say? 8 3.3 Incompatibility of the two laws 9 3.4 „Workarounds“ without effect 9 3.5 Checklist: Is your data safe from the CLOUD Act? 11 4. Scenarios & recommended courses of action 12 Checklist: How to find the right cloud service provider 15 5. Summary & outlook 16 Publisher 16 Legal notice 16 White Paper The controversial CLOUD Act Page 3 1. Introduction As memories of the Patriot Act, Safe Harbor Agreement, and the Privacy Shield fade away after causing a storm in Europe, dark clouds are once again forming after the signing of the US CLOUD Act – short for Clarifying Lawful Overseas Use of Data Act. US law now regulates the handling of company data that is physically located outside the US, but for which a US company is responsible. According to the CLOUD Act, this data is treated as if it were stored on servers in the United States. Thus, the CLOUD Act not only represents a clear contradiction to the EU General Data Protection Regulation (GDPR), but also targets all data in addition to personal data. Companies in Europe are now faced with the choice of either violating the CLOUD Act on one hand, or the GDPR or national law on the other. Despite this dilemma, many firms in Europe have yet to see the CLOUD Act as the challenge it actually represents. Once it comes into action, the CLOUD Act can become an immense threat for businesses in Europe. Entrepreneurs should ask themselves: ● Is my company affected by the CLOUD Act? ● Would I end up violating the General Data Protection Regulation (GDPR)? ● And if so, how do I protect my company’s data or the data of my customers from access by US authorities? In this white paper, you’ll find all the answers to these questions and thoughts on what impact the CLOUD Act could have in Europe, and what precautions European companies should take. White Paper The controversial CLOUD Act Page 4 2. The CLOUD Act The CLOUD Act is a federal law enacted by the US legislature in March 2018 that governs the handling of any data held outside the United States. So what’s actually included? 2.1. Contents of the CLOUD Act Under the CLOUD Act, US companies processing data abroad are subject to US law, and are therefore obliged to disclose any data under their control, ownership, or custody, to the US authorities. The term CLOUD Act mistakenly suggests that this is only relevant for cloud services. In fact, the aim of the ‘Cla- rifying Lawful Overseas Use of Data Act’ – the full title – is to remove all bounda- ries so that it is irrelevant where the data is processed or stored: in the cloud, in a data centre outside the cloud, in the US or abroad. All that matters is that it belongs to a US company that has to support the US authorities when it comes to any aspect of their jobs, including criminal investigations. Since the 1980s, US authorities have been granted access to data from US com- panies by court order – but only if the data was stored domestically. The PAT- RIOT Act of 2001, and the lesser-known Stored Communications Act (SCA) of 1986 form the basis of this. The CLOUD Act, however, now extends this access to foreign servers as well. An elaborate and lengthy legal assistance agreement with the respective country is no longer needed. The idea behind the CLOUD Act is that bilateral agreements should also authorise foreign authorities to appeal directly to the US companies concerned for access to data stored in the US, such as data on EU citizens who have committed crimes. What the contracts will actually look like and contain remains to be seen. The US is also very hesitant to conclude a corresponding bilateral agreement with the EU – preferring to reach agreements with each individual EU member state. Those directly affected by the CLOUD Act include internet providers, IT service providers, and cloud providers based in the US, as well as their customers, i.e. European companies whose data is processed via an Ame- rican service provider, possibly via the cloud. While companies could pre- viously argue that a court order for the release of data is only effective in the United States, they must now inevitably also transfer data stored abroad to the requesting US authorities. In addition, there is a danger that US authori- ties will not limit their data search to companies based in the US, such as Microsoft, Google, and Amazon (among others), but will also extend their request for information to all companies as soon as they have found a connection to the US. 2.2. The Microsoft case The initiative was triggered by a dispute between the US authorities and White Paper The controversial CLOUD Act Page 5 technology giant Microsoft in 2013 over the release of email data from a suspec- ted drug dealer in New York, in the course of a criminal prosecution. Microsoft provided the US authorities with the data stored in the US, but no access was granted to the suspect’s email account in Ireland. There was a search warrant issued by a New York court, which was invalidated by an appeal. Fearing a threat to its European cloud business, Microsoft argued that the data protection laws of the respective country applied and that the Irish authorities and courts were therefore also responsible. In the context of a mutual legal assistance agree- ment, they could support the prosecution of the US authorities, but were not obliged to. The CLOUD Act has removed this obstacle by granting US authorities the right by law to access data stored abroad. This is also retroactively valid and thus ended the legal dispute in the Microsoft case in April 2018 in favour of the US authorities. Microsoft took a positive view of the CLOUD Act as it frees internet companies from a dilemma: “The CLOUD Act creates a modern legal framework for law enforcement authorities to access data across borders. It also covers the needs of foreign governments to investigate crimes in their own country. At the same time, it ensures adequate protection for privacy and human rights.” 2.3. A far-reaching data concept The history of the CLOUD Act suggests that the data in question is exclusively only personal data – which in itself is worrying enough given the particular importance of data protection in Europe. But the CLOUD Act allows US authori- ties access not only to data of US citizens stored in the EU, but also all other data that a US company processes or has processed abroad. This means that the personal data of EU citizens worth protecting is just as insecure as opera- tional data or company data – from business details to trade secrets and intellectual property. The CLOUD Act thus collides with laws in Germany, such as the Unfair Competition Act, and with the European Union, above all the General Data Protection Regulation (GDPR). 1 https://www.heise.de/newsticker/meldung/CLOUD-Act-US-Gesetz-fuer-internationalen-Datenzugriff-und- schutz-verabschiedet-4003330.html White Paper The controversial CLOUD Act Page 6 3. Legal discrepancy with the GDPR The fact that the US does not have the same ideas about data protection as Germany and the European Union should not come as a surprise. There is a reason why the United States of America is regarded by the EU as an “insecure third country”. The latest developments confirm this once again: the CLOUD Act creates an immense contradiction to the GDPR that applies within Europe. 3.1. Data protection in the EU vs. the USA The following table shows how the United States of America and the European Union are positioned in regards to data protection and the reasons why. EU USA Data protection is anchored as part of Where does the idea of data Data protection is based on the fundamental the consumer protection and thus part protection come from? right to informational self-determination. of commercial law. Is there a universal legal Yes, the Basic Data Protection Regulation No , but there are industry-specific basis? (GDPR).