In its fight against terrorism and crime, the USA continues to add measures of protection, including the Patriot Act, Safe Harbor, Privacy Shield and, for over 16 months now, the US CLOUD Act. All these measures keep the debate on data protection and digital sovereignty alive, particularly for trade nations such as the UK.

The CLOUD Act (an abbreviation of Clarifying Lawful Overseas Use of Data Act) regulates how the data of US citizens and companies is handled when it is physically located outside of the US. According to the law, in these times of “America First,” those who handle the data of US citizens and companies must do so according to the laws and regulations of the USA, as if the data were on servers in the United States. This means that the CLOUD Act allows US authorities to access all types of data, whether personal or not. The only condition is that a US company owns, processes or controls this data, either directly or indirectly, for example through subsidiaries.

Internet providers, IT service providers and cloud providers based in the USA, and their European branches, are the primary businesses affected. But it doesn’t end there, as the CLOUD Act also applies to European customers of US companies who expose data to control and processing by a US company.

US CLOUD Act – the long arm of the law

Previously, access to data required a full judicial resolution legitimising the release of the data to US authorities. Now a so-called ‘warrant’ is enough. This warrant takes the form of a request from an authorized US executive authority. The CLOUD Act is a clear contradiction to the EU General Data Protection Regulation (GDPR) and the European notions of data protection and data security. Once again, it is clear that Europe and the US are at odds, or at least show vast cultural differences in terms of data protection.

Any European company involved must assist the authorities of the country where its HQ is based, for example in the case of a criminal investigation. The fact that companies will thereby have to disclose personal information as well as other sensitive corporate data, such as trade secrets, doesn’t seem to have fazed the US lawmakers behind this act.

There is a different attitude to data protection in the US compared to Europe. IONOS has had the effects of the CLOUD Act analysed by legal experts, and has outlined the results in a comprehensive white paper:

IT service and cloud providers with headquarters and data centres in Europe offer maximum security

Experts are unanimous: the UK economy must digitize more and more, and rapidly, in order to remain part of the international competition. At the same time, digitization needs powerful IT platforms, for example on cloud servers. There are cloud solutions for almost every facet of digital development. Many providers of these solutions are located abroad, especially in the US.

The CLOUD Act, however, allows selected US authorities almost limitless access to corporate data, even to trade secrets. If US authorities require access, US providers must cooperate and also disclose the business data of a company or its end customers. But this contradicts the increasing trend in digital security. Only IT service providers and cloud providers with headquarters and data centres in Europe offer maximum security to European and UK companies. It is important that the HQ of a cloud service provider, for example, is located in the EU and that customers using the cloud can specifically select European data centres, so that they can transfer IT workloads to the cloud in the course of digitization without worrying about who can access them.

The US is a constitutional state, and legal action against measures derived from this law is possible before courts of law. This would happen in the USA itself. In addition, the law isn’t very precise. Since there are no cases or examples of what a court of law does when faced with a dispute over the CLOUD Act, there is a considerable degree of legal uncertainty. The recent exchanges with the Chinese network and IT equipment supplier Huawei showed how quickly legal demands in the US of the EU can be overcome.

A specialist lawyer looks at what exactly you should consider here for IONOS. The following interview is in German, but is subtitled and relevant to UK citizens:

CLOUD Act: An attack on data privacy?

The US CLOUD Act clearly contradicts the aims of the GDPR. In any case, it is clear that storing and processing data in Europe alone is not sufficient for effective legal protection. The location of the service provider who stores and processes the data is what matters now; and to avoid the effects of the CLOUD Act, European businesses will want European providers.

In a globalised world, the law is ever more complicated, and ever more important. But the advantages of digitisation are something that no company can do without. There are European providers like IONOS who operate their cloud solutions in accordance with European data protection regulations. An IT or cloud service provider from Europe is closer to home – geographically and legally. Being able to trust a business partner, and to pursue legal disputes effectively, ensures digital control and security for your business - even for medium-sized companies that do not have a large legal department or the resources to build one.

Contents of the CLOUD Act at a glance


Please note the legal disclaimer relating to this article.
