It's time to talk about the Cloud Act
While we were preparing for the GDPR (General Data Protection Regulation), the US Government implemented a new law, the Cloud Act (Clarifying Lawful Overseas Use of Data), which came into effect on March 23, 2018, and has implications for companies handling sensitive data in Europe.
The reason behind the Cloud Act was the well-known Microsoft Ireland case. Five years ago, Microsoft refused to release data stored in Ireland to US authorities. The correct procedure was for the US to use the traditional mechanism, the MLAT (Mutual Legal Assistance Treaty), to seek access to Microsoft’s stored data. However, the MLAT process is considered slow: on average it takes 10 to 12 months to complete. More importantly, the US Government argued that Microsoft is a company subject to US jurisdiction, so it was unnecessary to apply the MLAT mechanism at all.
This long-running legal battle has finally led to the amendment of the existing law in the name of the Cloud Act.
GDPR vs Cloud Act
Two new regulatory frameworks have significant implications for security and privacy around the globe. Both the GDPR and the Cloud Act aim to update existing privacy and enforcement laws that have become obsolete. However, they are quite different in substance.
A major impact of the GDPR is to impose strict data protection requirements on non-EU companies that process the data of EU citizens. Meanwhile, one of the Cloud Act’s focus areas is to make it easier for law enforcement agencies to access data stored online (“the Cloud”) under warrants and subpoenas.
The Cloud Act establishes a framework for entering into “executive agreements” with other nations that permit those “qualifying foreign governments” to obtain data from US providers directly, including by means of wiretaps, without first making an MLAT request to the US Department of Justice. There is currently no such agreement in place with the EU; however, the UK has already negotiated a draft agreement to that effect.
Let’s say the US signed an executive agreement with the EU. US law enforcement, with appropriate warrants, could go directly to Microsoft Ireland to request and collect the messages of an American citizen suspected of bank fraud.
Predictably, the content of such communication may also reveal data relating to EU citizens, and this may result in an EU citizen becoming implicated in the crime. Sounds intriguing?
The European Commission has proposed a new regulation to govern “access to e-evidence” across the Union, making it easier and faster for EU law enforcement to knock on someone’s door to obtain electronic evidence. Under the new proposals, the service provider must respond within 10 days, or within 6 hours in an emergency.
The importance of storing data in the EU
We live in a rapidly changing world where developments in technology enable communication across countries and continents and between peoples and cultures. This modern world requires new regulations and laws such as the GDPR and the Cloud Act. There have been other laws before, and there will be new ones in the future, which will add to the uncertainty and contradiction.
Understanding new regulations, and more importantly being able to apply them to the business, is of utmost importance.
Beyond doubt, EU customers have an exclusive advantage in storing information in data centers located in the EU and operated by EU cloud providers such as Tieto Compliance Cloud.
We guarantee that data will be located in data centers in Sweden that have passed the PCI DSS (Payment Card Industry Data Security Standard) audit. Compliance with data security standards and other laws and regulations can bring major benefits to businesses.
In my next blog post I’ll go further into the legal impact of the Cloud Act by interviewing Tieto Compliance Consultant and New York State attorney Cagla Salmensuu.