Digital Sovereignty and the US CLOUD Act

In its fight against terrorism and crime, the USA continues to add measures of protection, including the Patriot Act, Safe Harbor, Privacy Shield; and for over 16 months the US CLOUD Act. All these measures keep the debate on data protection and digital sovereignty alive, particularly for trade nations such as the UK.

The CLOUD Act (an abbreviation of: Clarifying Lawful Overseas Use of Data Act) regulates how US citizens and companies’ data, physically located outside of the US, is handled. According to the law, in these times of “America First,” those who handle the data of US Citizens and companies must do so according to the laws and regulations of the USA, as if the data were on servers in the United States. This means that the CLOUD Act allows US authorities to access all types of data, whether personal or not. This is only dependent on whether a US company owns, processes or controls this data directly or indirectly through subsidiaries, for example.

Internet providers, IT service providers and cloud providers based in the USA or their European branches are the primary businesses affected. But it doesn’t end there, as the CLOUD Act also applies to European customers of US companies who expose data to control and processing in a US company.

A full judicial resolution, which legitimises the release of the data to US authorities, which was previously required to access data: A so-called ‘warrant’ is now enough. This warrant takes the form of a request of an authorized US executive authority. The CLOUD Act is a clear contradiction to the EU General Data Protection Regulation (GDPR) and the European notions of data protection and data security. Once again, it is clear that Europe and the US are at odds, or at least show vast cultural differences in terms of data protection.

Any European company involved must assist the authorities of where its HQ is based, in the case, for example, of a criminal investigation. The fact that through this, companies will have to disclose personal information as well as other sensitive corporate data, such as trade secrets, doesn’t seem to have fazed the US law makers of this act.

There is a different attitude to data protection in the US compared to Europe. IONOS has had the effects of the CLOUD Act analysed by legal experts, and has outlined the results in a comprehensive white paper:

Experts are unanimous: The UK economy must digitize more and more, and rapidly in order to remain part of the international competition. At the same time, digitization needs powerful IT platforms on cloud servers, for example. There are cloud solutions for almost every facet of digital development. Many providers of these solutions are located abroad, especially in the US.

The CLOUD Act, however, allows selected US authorities almost limitless access to corporate data, even to trade secrets. If US authorities require access, US providers must cooperate and also publish business data of a company or its end customer. But this contradicts the increasing trend in digital security. Only IT service providers and cloud providers with headquarters and data centres in Europe offer maximum security to European and UK companies. It is important that the HQ of a cloud service provider, for example, is located in the EU and that customers using the cloud can specifically select European data centres in order to transfer IT workloads to the cloud in the course of digitization, without worrying about who can access it.

The US is a constitutional state, and legal action against measures derived from this law is possible before courts of law. This would happen in the USA itself. In addition, the law isn’t very precise. Since there are no cases or examples of what a court of law does when faces with a dispute to the CLOUD Act, there is a considerable degree of legal uncertainty. The recent exchanges with the Chinese network and IT equipment supplier Huawei showed how quickly legal demands in the US of the EU can be overcome.

What exactly you should consider is looked at here for IONOS by a specialist lawyer. The following interview is in German, but is subtitled and relevant to UK citizens:

The US CLOUD Act clearly contradicts the aims of the GDPR. In any case, it is clear that storing and processing data in Europe alone is not sufficient for effective legal protection. The location of the service provider who stores and processes the data is what matters now; and to avoid the effects of the CLOUD Act, European businesses will want European providers.

In a globalised world, the law is ever more complicated, and ever more important. But the advantages of digitisation are something that no company can do without. There are European providers like IONOS who operate their cloud solutions in accordance with European data protection regulations. An IT or Cloud service provider from Europe is closer to home – geographically and legally. Trusting a business partner, as well as having the possibility to effectively enforce legal disputes ensures digital control and security for your business - even for medium-sized companies that do not have a large legal department or the resources to expand for one.