Updated: Oct 3
Data sharing across borders, for certain government agencies, and companies is nothing new. It has been happening since the very beginning and has picked up rapidly in the digital age, where data sharing is faster and more convenient than ever.
However, it is not straightforward. Data privacy, storage, and sharing have different laws between countries, which can often conflict with each other. That brings us to the CLOUD Act, a new congressional resolution that passed as a federal law in the USA. What exactly is it?
Is the data in my country accessible by the US law enforcement agencies and vice-versa?
Should we be concerned?
Sit back while we clarify this act and what it means to businesses that "house consumer data", and end users like us.
What is the CLOUD Act, and why was it introduced?
Firstly, the "CLOUD" bit, in this case, is an acronym for "Clarifying Lawful Overseas Use of Data". Now that we have got that cleared let's break it down. It is an amendment to an already existent Stored Communications Act (SCA) of 1986, which provided access to allow federal law enforcement agencies to data stored by US registered companies on servers in the U.S. The CLOUD Act has extended the legislation for data access to servers on foreign soil too. Yikes!
The CLOUD Act permits the U.S. Government to have bilateral agreements with trusted foreign partners and obtain direct access to data evidence, irrespective of location, for better law enforcement.
It is always best to "read the text" (or manual for us geeks) to understand clearly the implications. The first sentence of the bill states "To amend title 18, United States Code, to improve law enforcement access to data stored across borders, and for other purposes." US CONGRESS ARCHIVAL The U.S. Justice Department website quotes that "these foreign partners have robust protections for privacy and civil liberties". (READ MORE) So, it is not only meant for the U.S. Government but also for other foreign Governments to have speedy access to this data. But why was it needed?
Back in 2013, the FBI was investigating a drug trafficking case and issued an SCA warrant to Microsoft for emails that a U.S. Citizen had stored. But Microsoft rejected it because the emails had been stored by them in remote server(s) in Ireland. This was outside the jurisdiction of the SCA warrant, and the FBI would have to request a new Mutual Legal Alliance Treaty (MLAT), which would be time consuming. This landmark case (READ HERE) resulted in the CLOUD being introduced after two previous failed attempts with similar referendums.
What are the conditions for accessing my data?
Now the most logical question that comes to mind is about how much and exactly what data can be subpoenaed. The CLOUD Act highlights that all U.S. data, electronic communication, or remote computing service companies OPERATING in the country must provide the stored customer data.
Irrespective of whether the providers are established in the United States or another country. However, it does have conditions, which are stated as: 1) The customer provides explicit consent. 2) A warrant or subpoena is issued by a United States criminal court. Now circling back to the question. Can my data be accessed through this? Theoretically, yes; however, the federal agencies need to either get your consent or convince the court of a reasonable cause to get hold of the records. This can only be done by providing compelling evidence of a crime or other factors. There is a chance for the request to be denied if there is no probable cause. Furthermore, this request can be challenged by the companies and/or courts and rejected on the premise of it violating the privacy laws of the foreign country the data is stored in. So, the CLOUD Act has provisions to safeguard the right of service providers and individuals alike. But we did come up with something interesting, the laws of foreign countries. And this is why we mentioned it not being as straightforward as it sounds. What are the problems associated with this?
Even though big tech companies welcomed this move, there was a lot of backlash from several civil rights groups citing that it violates the Fourth Amendment rights of individuals. But this is not the only issue they face. Just like the United States, every country has its own set of digital laws and regulations, which may be conflicting. One of the most discussed examples of conflicting legislation is the US CLOUD Act and European General Data Protection Regulation (GDPR), which all data processed and stored in the EU must follow. Now hear this out... In certain cases, data processed and stored in Europe by European companies can be requested by the American government based on the CLOUD Act.
The extraterritorial jurisdiction (the legal ability of government beyond borders) of the CLOUD Act has very blurred lines as there are several factors that come into play, including but not limited to the supply chain and the companies associated with it. We will leave the link for further studies on the complexity of this legislation clashing with European GDPR HERE. Finally, companies should consider extraterritorial legal regimes and add more control measures, taking care of the countries they associate themselves with.
The CLOUD Act in its entirety isn't straightforward but wasn't impossible to understand either, right?
With data privacy and centralization becoming a growing concern amongst users (READ SURVEYS HERE), such legislation is being highly contended and scrutinized.
Moreover, with new laws and regulations being brought in by governments and companies around the world, the complexities in cross-border data sharing are bound to increase. But be rest assured, we'll be around simplifying those alterations for you.