Behind the simple term “Cloud Act” hides the possibility for US authorities to access personal data throughout Europe. In this article, you can find out exactly what is behind it and how the law came into being.
What is the CLOUD Act?
The CLOUD Act is a law originating in the USA. “CLOUD” is the abbreviation for “Clarifying Lawful Overseas Use of Data Act“. Translated it means “Law to clarify the lawful handling of data abroad”.
In essence, the CLOUD Act ensures that US authorities can access data stored outside the USA for prosecution purposes. This is because it obliges Internet companies and online service providers to grant US companies access to data as soon as it is stored in the United States.
Another controversial issue is the drafting of bilateral or bilateral agreements that would allow authorities abroad to submit requests for data directly to large companies without a court of law intervening. The CLOUD Act would allow foreign companies to access sensitive data stored by US companies in other countries.
This is how the CLOUD Act came into being
You may not have heard of the CLOUD Act? Don’t worry, that’s the way it goes for many people and companies. Because the law came out at the same time as the much discussed GDPR. It was signed on March 23, 2018 and therefore fell by the wayside in many places. However, the law has far-reaching consequences, as it even contradicts the GDPR in parts.
The origin of the “USA Patriot Act” dates back to the terrorist attack of September 11, 2011. The USA needed the Patriot Act so that the FBI and other US authorities could take measures to prevent terrorism and prosecute other criminal offenses. For example, US companies were obliged to disclose data on customers based in countries outside the USA.
In the context of a so-called “National Security Letter“, US authorities can even order the recipients of the data to remain silent. As a result, those affected are no longer even entitled to be informed about what is happening to their data. In Germany this process is unthinkable with regard to the current GDPR and contradicts any data protection.
The Patriot Act was disputed for a very long time, especially how the issue is dealt with outside the USA. For this reason, the US Congress in 2018 created more precise facts and the “Act” to adapt the provisions to our current cloud technologies.
The trigger was a dispute with Microsoft
The reason for the CLOUD Act in 2018 was Microsoft’s refusal to disclose information about customers residing on servers in Ireland. Microsoft was asked to release this information to US authorities for prosecution. A court in New York issued a verdict on the issue. However, Microsoft refused to release only the data that was stored in the US.
Cross-border Criminal Prosecution – CLOUD ACT vs. GDPR
U.S. authorities see a strong need to use the U.S. law to fight crime across national borders and to provide far-reaching security. While it is possible for companies to object and refuse to share sensitive information, in reality this is not always possible.
According to the GDPR, sensitive data may only be disclosed internationally if corresponding mutual legal assistance agreements exist in criminal regulations or other agreements exist between third countries and the EU. This is based on Article 48 of the GDPR. In addition, Article 5 stipulates that justifications for the transfer of stored data to third countries must exist in order for personal data to be disclosed.
Consequences for European companies
The CLOUD Act from the USA can stand in the way of companies if they pursue intensive data protection. As soon as they come into contact with US cloud computing, their services no longer conform to data protection regulations. European companies can be punished here.
Fundamentally, stored data processed in Europe is subject to the law of the European Union and therefore to the GDPR. There is no legal assistance agreement between the EU and the USA with regard to the CLOUD Act. Thus, the GDPR is automatically violated if companies simply pass on data that is stored in the EU. For service providers from the United States who process data throughout Europe, this means a dilemma. They have to decide whether they want to process data in violation of the GDPR or the Cloud Act.
Consequences for European companies
The CLOUD Act from the USA can stand in the way of companies if they pursue intensive data protection. As soon as they come into contact with US cloud computing, their services no longer conform to data protection regulations. European companies can be punished here.
Fundamentally, stored data processed in Europe is subject to the law of the European Union and therefore to the GDPR. There is no legal assistance agreement between the EU and the USA with regard to the CLOUD Act. Thus, the GDPR is automatically violated if companies simply pass on data that is stored in the EU. For service providers from the United States who process data throughout Europe, this is a dilemma. They have to decide whether they want to process data in violation of the GDPR or the Cloud Act.
It will also be problematic with regard to responsibility towards their own customers. This is because companies that continue to use cloud providers from US companies are no longer secure and data protection-compliant. This not only has legal consequences, but also reduces the trust of their own customers.
Solution approaches for companies – Attention to US cloud services!
Companies that are concerned about their own IT security and attach great importance to the protection of sensitive customer data and business information should carefully consider which cloud providers they use.
First, companies from the EU should ask themselves where their headquarters, including the data centers whose cloud services they use, are located. In terms of data protection, companies in Europe are on the safe side if they only use applications that are hosted by a European cloud provider with a data center in Europe. American cloud providers are therefore strongly discouraged as long as the respective company attaches great importance to data protection.
In order to continue to comply with data protection regulations and avoid access by US authorities, affected companies, such as Microsoft, are taking third party routes that are not located in the USA. Microsoft, for example, operates office software from a separate service provider. This means that the American company Microsoft no longer has access to the data generated with Office. This is because the data is only stored and processed in Germany. However, it is questionable what this solution could look like in future disputes within US courts.
Companies are on the safe side if they only use cloud services that are located in the EU. If they are nevertheless requested to surrender data by US authorities, it is advisable to submit complaints to the relevant state authorities in the USA. Companies can argue that the data does not concern citizens living in the USA and that the data protection of the respective EU country applies.
It is also very useful to use encrypted cloud services. This is because the request to surrender only concerns the transmission of the data, but there is no obligation to decrypt it beforehand.
TeamDrive stays away from the CLOUD Act
Our highly secure cloud provider TeamDrive keeps very strictly away from the American “CLOUD Act”. Because it is very important to us to protect personal data.
As a German company, we only use servers located in the EU or under European control. In addition, TeamDrive does not have any social involvement of a US company and has no branch in the USA itself. Furthermore, all data of TeamDrive customers is highly encrypted before it is uploaded into the cloud and the keys remain under the exclusive control of the customer.
In this way we can ensure data protection in accordance with the current GDPR and, on top of that, meet all the data protection requirements of professional secrets and meet the highest protection requirements for confidential documents of all kinds.