The Cloud Act, short for “Clarifying Lawful Overseas Use of Data Act”, is a US law that was passed in March 2018. It regulates the access of US authorities to data stored by electronic communication services, even if this data is stored on servers outside of the USA.
The Cloud Act allows US law enforcement agencies to use court orders or subpoenas to demand data from companies, regardless of where in the world this data is stored. The law is intended to simplify the process for authorities to access data that is necessary for investigations, even if it is located in another jurisdiction.
The Cloud Act allows US law enforcement authorities to demand that US-based technology companies hand over data, regardless of whether the data is stored in the US or abroad.
US authorities can use enforcement orders such as subpoenas, search warrants, or other court orders to compel access to data. Companies are required to provide the authorities with the requested data unless there is a fundamental conflict of law with the data protection laws of the country of storage.
If companies are unable to hand over data due to a significant conflict with foreign data protection laws, they can assert this in a US court. The court will then review the conflict and decide whether data release is required or whether the request should be denied or restricted.
The Cloud Act creates the legal basis for the USA to enter into bilateral agreements with other countries. These agreements enable the authorities of the countries involved to make direct requests for the release of data to companies in the other country without having to go through the usual process of legal administrative assistance.
Such bilateral agreements require that the countries involved comply with appropriate safeguards for data protection and civil rights. The agreements are intended to ensure the protection of privacy and, at the same time, facilitate international access to data for law enforcement purposes.
The Cloud Act requires the US government to report regularly to Congress on the use of the Act and existing bilateral agreements to ensure a degree of transparency in the process.
The Cloud Act was developed in response to technological and legal challenges posed by the globalization of data storage and the growth of cloud services. Nevertheless, it remains controversial in data protection circles, particularly due to concerns about privacy and the autonomy of international data protection standards.
The Cloud Act affects a large number of groups and organizations that are directly or indirectly involved in the storage and processing of electronic data. These include in particular:
The Cloud Act has been criticized for several issues, primarily relating to data protection and international jurisdiction. Critics argue that the Act jeopardizes privacy by giving US authorities extensive access to data stored worldwide without always having a clear legal basis or sufficient safeguards. In particular, there are concerns that the Cloud Act undermines the data protection rights of non-US citizens, as it allows their data to be collected and used without their knowledge or consent.
There is also criticism that the Cloud Act could disregard international data protection laws, such as the GDPR in the EU. This could lead to legal conflicts if companies are forced to choose between complying with the Cloud Act and complying with local data protection laws. This poses not only a legal challenge but also an ethical one for globally operating companies.
Another point of criticism is the lack of transparency and parliamentary oversight in the implementation of the law. The decision-making processes that take place behind the scenes when data requests are made and processed often remain unclear, which calls into question the accountability of the authorities involved. Privacy activists and civil rights organizations are therefore calling for stricter controls and more transparent procedures to ensure that the Cloud Act does not lead to excessive surveillance and misuse of data.
Although both the Cloud Act and the GDPR regulate the handling of data, they have different focuses and objectives, which often leads to tensions and challenges for internationally active companies.
Objective and focus
The Cloud Act was primarily introduced to allow US law enforcement agencies to access data stored abroad in order to combat crime and terrorism more effectively. The focus is on facilitating cross-border law enforcement and ensuring that geographic borders are not an obstacle to the enforcement of US law.
In contrast, the GDPR was developed with the aim of strengthening data privacy and the protection of personal data within the European Union. It sets out strict requirements for data collection, processing, and storage that grant citizens comprehensive rights regarding their data, including the right to access, rectify, and erase their personal information.
Legal conflicts
Conflicts between the Cloud Act and the GDPR arise primarily from the different approaches to data protection. While the Cloud Act allows US authorities to request access to data stored by US companies outside the US, the GDPR severely restricts such access and requires it to comply with European data protection standards. This poses a particular challenge for companies operating in both jurisdictions, as they often have to choose between complying with US law and safeguarding the data protection rights of their European users.
Legal mechanisms and safeguards
The Cloud Act allows companies to raise legal objections if compliance with a US data request would cause a “serious conflict” with foreign law. However, it remains unclear how often such objections are successful and to what extent they actually offer protection against the requirements of the US authorities.
The GDPR, on the other hand, imposes heavy penalties on companies that violate its provisions, which increases the pressure on these companies to strictly comply with EU data protection standards. In addition, the GDPR promotes the idea of data economy and minimization, which is fundamentally opposed to the Cloud Act’s far-reaching access requirements.
Overall, the coexistence of the Cloud Act and the GDPR requires careful navigation by companies and often necessitates complex legal trade-offs to ensure that they act in accordance with both laws.