For most of 2018, whilst the main compliance focus was on the EU’s GDPR deadline of 25 May, the passing of another important piece of privacy and security legislation, with big implications for EU businesses using US cloud services, went largely unnoticed.
On 23 March 2018, President Trump signed into law the US CLOUD Act (Clarifying Lawful Overseas Use of Data Act), as part of a 2,232 page, €1.3 trillion government spending bill. The Act expands US and foreign law enforcement’s ability to target and access individuals’ data across international borders.
The US v Microsoft Corp Email Case
The US CLOUD Act was initially born out of a longstanding conflict between Microsoft and the US government over handing out user data.
In 2013, FBI agents obtained a search warrant requiring Microsoft to disclose emails and information related to a customer’s account as part of a US drug trafficking investigation. In response, Microsoft handed over data stored on American servers, but did not give the US government the actual content of the individual’s emails, because they were stored at a Microsoft data centre in Dublin.
Microsoft sought to have the domestic warrant quashed, claiming that the warrant did not have international reach and so did not authorise the search and seizure of data stored in Ireland. The court held Microsoft in civil contempt for refusing to hand over the emails, but this decision was reversed by the higher courts.
The case was subsequently appealed. However, following the enactment of the US CLOUD Act, which amended the Stored Communications Act (SCA) to provide that such information must be disclosed regardless of where it is stored, the pending case was declared “moot” by the US Supreme Court and was thrown out.
Implications of the US CLOUD Act
The CLOUD Act means that US law enforcement can demand that data and emails be handed over if they are stored by a US company, regardless of where in the world the data is stored. This has serious implications for EU organisations using public cloud services.
In contrast, the EU’s GDPR situates itself at the opposite end of the spectrum, putting individual privacy rights ahead of law enforcement’s needs in order to protect the personal data of EU citizens.
In many ways, the US CLOUD Act is like a mirror image of GDPR. They are essentially focused on the same thing – data privacy and security – but reversed. The CLOUD Act is about getting access to data that may be hidden around the world in the cloud, taking advantage of different jurisdictions and laws, whereas the GDPR is about data protection, forcing companies that process the data of EU citizens to be much more careful with that data.
The US CLOUD Act has the potential to create conflicting obligations for companies that must comply with the EU’s GDPR, and it remains to be seen how regulators will enforce these laws where there is a conflict.
Ultimately, US companies that store data outside of their own IT systems or do business with the EU must understand their obligations under each regulation in order to meet their compliance requirements.