US CLOUD Act raises new data privacy issues

Tech Trends Insights


At the end of March, Donald Trump signed into law a $1.3 trillion spending bill that covered a vast range of policy areas. The 2,232-page bill ensured that the US Government would not shut down – at least until September – but it also provided an excellent opportunity for legislators to add other measures to the ‘omnibus’ bill, which, according to Senator Rand Paul, was passed without anyone having read the whole thing.


One thing that was squeezed onto the bill was the CLOUD (Clarifying Legal Use of Data) Act, which has significant repercussions for any organisation that uses an American-based company for data storage.

The CLOUD Act does two main things. First, it requires any company that is subject to the power of US courts to preserve customer data and disclose it to US law enforcement, if asked. This applies to any US-based company, including Amazon, Microsoft and Google.

Furthermore, the law prohibits those companies from informing their customers that the data has been requested or handed over. They face prosecution if they tell the customer about requests, making this effectively a secret measure.

Second, it allows the President to form “executive agreements” with other governments to exchange data. This would allow a foreign government to request information stored in the US and vice versa.

Companies can challenge requests if the customer in question is not a “US person” or if disclosure would break the laws of the country where the data is stored. However, it seems like this right to appeal applies only when the US has an executive agreement with the other country.

In other instances, it seems that the CLOUD Act could require countries to break local laws in order to comply with a data request. The Electronic Frontier Foundation, a civil liberties lobbying group, said : “Such expansion of US law enforcement power breaks the principle of territoriality, the core component of international law, and will produce a domino effect of information requests that overstep responding countries’ privacy safeguards.”

How the law plays out in practice remains to be seen. US states vary in the standards they require for data requests, with some demanding significantly more steps be carried out before they will support a request. It may fall to the Supreme Court to determine which requests are legal and how the territoriality question will be handled.

In mid-April, the European Commission followed America’s CLOUD Act with its own e-Evidence Initiative, which remains at the proposal stage but would require technology companies to share customer data with law enforcement agencies in any member state, when requested.

This would remove the need for law enforcement officials to request data through the judicial system in the country in question and instead allow them to get information such as the content of emails and messages, metadata and browser history within as little as six hours.

Last month, Vera Jourova, the EU Commissioner for Justice, Consumers and Gender Equality, said she would push for a data sharing deal with the United States. She said: “We have to insist on being the partner as the European Union for the United States for the reciprocal exchange of data.”

Though ministers from many EU nations, including France, Belgium, Italy and Portugal, are in favour of the near real-time sharing of data, others have expressed concern about the new legal questions that such legislation would raise.

For firms that store customer data using firms based in the US – and this could include information contained in emails in Microsoft Office 365 or Google’s G Suite – the CLOUD Act adds a new complication. If you handle data that must not cross certain borders, it is no longer enough to know just where it is stored. You need to understand whether it is stored by a company that might be compelled to hand it to the US government.

And, though the European Commission response remains at the discussion stage, companies will need to monitor it closely to determine whether their data could end up being shared with law enforcement. A reciprocal agreement would mean that even if your data is stored within the EU by a company with no links to the US, it might still be shared, depending on how the legislation plays out.

One upshot of GDPR has been increased customer awareness of data sharing and privacy. Companies will need to tread carefully to ensure that they comply with new legislation while also staying true to their values and those of their customers.


Written by Shane Richmond (Guest)

See Shane Richmond (Guest)'s blog

Shane Richmond is a freelance technology writer and former Technology Editor of The Daily Telegraph. You can follow him at @shanerichmond

Related blogs

G-Cloud 10 makes accessing high performance computing easier then ever...

As the Director of Research at Verne Global I spend a lot of my time working with our colleagues and partners within the UK’s publicly funded universities and research and science community. I’m privileged to get to see some of the truly innovative and inspiring research that is taking place, using high performance computing (HPC) and further encouraged with how Verne Global is helping them do this. This is why I was delighted to see Verne Global’s participation in the G-Cloud 10 (G10) framework confirmed last week and indeed strengthened for 2018/19 – enabling more public sector bodies to enjoy the benefits of our on-demand true hpcDIRECT platform.S

Read more


Next generation energy storage solutions: An emerging option for enhancing data center reliability

For years, data centers have been haunted by the threat of power outages and the associated costs of such events. This situation is getting worse, with the most recent numbers from a 2016 report by the Ponemon Institute indicating that the average costs of a data center outage rose from $505,500 in 2010 to over $740,000 in 2015, while the maximum cost increased from $1.0 million to $2.4 million. How can next generation energy storage solutions help?

Read more


Like social media, ‘social currency’ isn’t going away

The conversation about blockchain is presently dominated by cryptocurrencies, with a certain amount of attention spilling into Initial Coin Offerings (ICOs). There is no shortage of scepticism about the technology in these circumstances; cryptocurrencies look more like investment opportunities – and very risky ones at that – than actual currencies, and it’s no exaggeration to say that the majority of ICOs are scams. A recent study found that almost 80 percent are scams and just eight percent reach the trading stage.

Read more

We use cookies to ensure we give you the best experience on our website, to analyse our website traffic, and to understand where our visitors are coming from. By browsing our website, you consent to our use of cookies and other tracking technologies. Read our Privacy Policy for more information.