At the end of March, Donald Trump signed into law a $1.3 trillion spending bill that covered a vast range of policy areas. The 2,232-page bill ensured that the US Government would not shut down – at least until September – but it also provided an excellent opportunity for legislators to add other measures to the ‘omnibus’ bill, which, according to Senator Rand Paul, was passed without anyone having read the whole thing.
One thing that was squeezed onto the bill was the CLOUD (Clarifying Legal Use of Data) Act, which has significant repercussions for any organisation that uses an American-based company for data storage.
The CLOUD Act does two main things. First, it requires any company that is subject to the power of US courts to preserve customer data and disclose it to US law enforcement, if asked. This applies to any US-based company, including Amazon, Microsoft and Google.
Furthermore, the law prohibits those companies from informing their customers that the data has been requested or handed over. They face prosecution if they tell the customer about requests, making this effectively a secret measure.
Second, it allows the President to form “executive agreements” with other governments to exchange data. This would allow a foreign government to request information stored in the US and vice versa.
Companies can challenge requests if the customer in question is not a “US person” or if disclosure would break the laws of the country where the data is stored. However, it seems like this right to appeal applies only when the US has an executive agreement with the other country.
In other instances, it seems that the CLOUD Act could require countries to break local laws in order to comply with a data request. The Electronic Frontier Foundation, a civil liberties lobbying group, said: “Such expansion of US law enforcement power breaks the principle of territoriality, the core component of international law, and will produce a domino effect of information requests that overstep responding countries’ privacy safeguards.”
How the law plays out in practice remains to be seen. US states vary in the standards they require for data requests, with some demanding significantly more steps be carried out before they will support a request. It may fall to the Supreme Court to determine which requests are legal and how the territoriality question will be handled.
In mid-April, the European Commission followed America’s CLOUD Act with its own e-Evidence Initiative, which remains at the proposal stage but would require technology companies to share customer data with law enforcement agencies in any member state, when requested.
This would remove the need for law enforcement officials to request data through the judicial system in the country in question and instead allow them to get information such as the content of emails and messages, metadata and browser history within as little as six hours.
Last month, Vera Jourova, the EU Commissioner for Justice, Consumers and Gender Equality, said she would push for a data sharing deal with the United States. She said: “We have to insist on being the partner as the European Union for the United States for the reciprocal exchange of data.”
Though ministers from many EU nations, including France, Belgium, Italy and Portugal, are in favour of the near real-time sharing of data, others have expressed concern about the new legal questions that such legislation would raise.
For organisations that store customer data with providers based in the US – and this could include information contained in emails in Microsoft Office 365 or Google’s G Suite – the CLOUD Act adds a new complication. If you handle data that must not cross certain borders, it is no longer enough to know just where it is stored. You also need to understand whether the company storing it is one that might be compelled to hand it to the US government.
And, though the European Commission response remains at the discussion stage, companies will need to monitor it closely to determine whether their data could end up being shared with law enforcement. A reciprocal agreement would mean that even if your data is stored within the EU by a company with no links to the US, it might still be shared, depending on how the legislation plays out.
One upshot of GDPR has been increased customer awareness of data sharing and privacy. Companies will need to tread carefully to ensure that they comply with new legislation while also staying true to their values and those of their customers.