With companies moving more and more data into the cloud, the recently passed Cloud Act has had a material impact on technology strategy. The law change in the US will affect every major Cloud service provider and how they manage the privacy of their customers’ data globally. The Cloud Act or “The Clarification of Overseas Usage of Data” was passed into law by the US Senate on 23 March 2018. We asked CCM’s Ewan Aitken, Email Migration Project Manager, to assess:
What is the Cloud Act?
The Cloud Act is essentially an update to the Electronic Communications Privacy Act (ECPA) that regulates how US agencies access data held in overseas territories. It makes it easier for US law enforcement agencies to access overseas data as part of criminal investigations, regardless of where the data is stored. It also outlines the creation of bilateral data-sharing agreements with other countries. Neither the US government nor the Cloud Service Provider is required to inform the client organisation holding the data that they are viewing and using client information.
Why was the law created?
Until recently, the process for requesting overseas data was cumbersome. The US Department of Justice (DoJ) was required to go to court, provide evidence of “probable cause” to obtain a subpoena and then request the data from a foreign government. Data could only be requested from countries with an existing Mutual Legal Assistance Treaty (MLAT). The US DoJ saw the following issues with this process:
- An average of 10 months to fulfil a data request. Service Providers would further delay the process by challenging the data request in court in the interest of their customers’ Fourth Amendment privacy rights.
- The introduction of Cloud storage meant that data could be stored across multiple locations around the globe, further complicating the process.
What’s changed? How is the Cloud Act different from the ECPA?
- All US companies are now required to comply with data requests regardless of where the data is stored globally.
- Data can be requested for any US citizen or person living in the US.
- Any law enforcement agency can request data.
- A subpoena is no longer required for data requests.
- MLATs will be replaced with bilateral agreements with other countries to facilitate data sharing across borders.
- Bilateral agreements will not require approval from the US Senate.
How does this impact you?
- Most importantly, data could be accessed without your knowledge.
- The parameters of the bilateral agreements have yet to be defined, but they imply data sharing in both directions: US partners (e.g. the UK and Europe) could request data in the same way.
- Client confidentiality cannot be guaranteed if US government agencies can access any data.
- Data cannot be requested if it violates the laws of a foreign government. If GDPR rules apply for European data requests, data could only be used for the purpose or investigation for which it was requested and should be deleted once it is no longer required.
- Data can only be requested if it’s in the interest of justice. Without the subpoena process the governance of these data requests is unclear.
Responses to the change:
This new clarification of the law has been widely supported by US technology companies, possibly because it removes ambiguity in the law and puts an end to long-running court disputes. Human rights and civil liberties organisations have severely criticised this change, but the real test will be the response from customers globally. Individuals may take the position that if they’re not breaking the law they have nothing to worry about, or may choose to password-protect sensitive files. Companies with sensitive data or with client confidentiality requirements may consider private-key encryption, moving to ‘private cloud’ services, or ring-fenced Cloud solutions.
The practical implications of the Cloud Act are yet to play out, and many large organisations are watching this space closely. The good news is that there are options available to maintain a cloud strategy while avoiding the negative implications of this Act for organisations.
The Cloud Act – where to find out more
If you would like to know more about the impact of the Cloud Act and what alternative paths are available please contact us at Roc Technologies.