US CLOUD Act raises new data privacy issues

At the end of March, Donald Trump signed into law a $1.3 trillion spending bill that covered a vast range of policy areas. The 2,232-page bill ensured that the US Government would not shut down – at least until September – but it also provided an excellent opportunity for legislators to add other measures to the ‘omnibus’ bill, which, according to Senator Rand Paul, was passed without anyone having read the whole thing.

One thing that was squeezed onto the bill was the CLOUD (Clarifying Legal Use of Data) Act, which has significant repercussions for any organisation that uses an American-based company for data storage.

The CLOUD Act does two main things. First, it requires any company that is subject to the power of US courts to preserve customer data and disclose it to US law enforcement, if asked. This applies to any US-based company, including Amazon, Microsoft and Google.

Furthermore, the law prohibits those companies from informing their customers that the data has been requested or handed over. They face prosecution if they tell the customer about requests, making this effectively a secret measure.

Second, it allows the President to form “executive agreements” with other governments to exchange data. This would allow a foreign government to request information stored in the US and vice versa.

Companies can challenge requests if the customer in question is not a “US person” or if disclosure would break the laws of the country where the data is stored. However, it seems like this right to appeal applies only when the US has an executive agreement with the other country.

In other instances, it seems that the CLOUD Act could require countries to break local laws in order to comply with a data request. The Electronic Frontier Foundation, a civil liberties lobbying group, said: “Such expansion of US law enforcement power breaks the principle of territoriality, the core component of international law, and will produce a domino effect of information requests that overstep responding countries’ privacy safeguards.”

How the law plays out in practice remains to be seen. US states vary in the standards they require for data requests, with some demanding significantly more steps be carried out before they will support a request. It may fall to the Supreme Court to determine which requests are legal and how the territoriality question will be handled.

In mid-April, the European Commission followed America’s CLOUD Act with its own e-Evidence Initiative, which remains at the proposal stage but would require technology companies to share customer data with law enforcement agencies in any member state, when requested.

This would remove the need for law enforcement officials to request data through the judicial system in the country in question and instead allow them to get information such as the content of emails and messages, metadata and browser history within as little as six hours.

Last month, Vera Jourova, the EU Commissioner for Justice, Consumers and Gender Equality, said she would push for a data sharing deal with the United States. She said: “We have to insist on being the partner as the European Union for the United States for the reciprocal exchange of data.”

Though ministers from many EU nations, including France, Belgium, Italy and Portugal, are in favour of the near real-time sharing of data, others have expressed concern about the new legal questions that such legislation would raise.

For firms that store customer data using firms based in the US – and this could include information contained in emails in Microsoft Office 365 or Google’s G Suite – the CLOUD Act adds a new complication. If you handle data that must not cross certain borders, it is no longer enough to know just where it is stored. You need to understand whether it is stored by a company that might be compelled to hand it to the US government.

And, though the European Commission response remains at the discussion stage, companies will need to monitor it closely to determine whether their data could end up being shared with law enforcement. A reciprocal agreement would mean that even if your data is stored within the EU by a company with no links to the US, it might still be shared, depending on how the legislation plays out.

One upshot of GDPR has been increased customer awareness of data sharing and privacy. Companies will need to tread carefully to ensure that they comply with new legislation while also staying true to their values and those of their customers.

Written by Shane Richmond (Guest)

Shane Richmond is a freelance technology writer and former Technology Editor of The Daily Telegraph. You can follow him at @shanerichmond
