The cloud is omnipresent in today’s enterprise, its impact so great that new data regulations like the GDPR in the EU and the CLOUD Act in the U.S. have fundamentally changed how businesses process data. Both are necessary legal changes to reflect the paradigm shift in how we use data in the modern world.
While GDPR talk has been everywhere in the past few years, the CLOUD Act may have flown under the radar of some European organisations – despite also coming into effect in early 2018. But the CLOUD Act is important for Cloud Service Providers in the EU, particularly if you have information that resides in the U.S. As with all widescale changes to data protection laws, there are numerous details and specifics that must be accounted for, and businesses must know the appropriate action to take.
We have parsed through the CLOUD Act with a fine-tooth comb to explain what it means for Microsoft Partners, in layman’s terms, and what you need to be aware of – not only to ensure compliance but to create a competitive advantage.
What is the CLOUD Act?
The CLOUD (Clarifying Lawful Overseas Use of Data) Act was passed in 2018, amending the previous SCA (Stored Communications Act) that has been in place since 1986. The CLOUD Act allows U.S. law enforcement to request the data, via warrant or subpoena, of U.S.-based technology companies – regardless of whether that data is stored in the U.S. or internationally.
The big story that surrounded the passing of the CLOUD Act was a legal dispute between Microsoft and the U.S. Supreme Court.
“… a warrant authority requires U.S.-based service providers to turn over data, regardless of where the information is held. Microsoft argued that, under the SCA, this authority only extended to data located within the territorial boundaries of the United States. If — as was the case in the particular dispute before the Supreme Court — the data is stored in a foreign country (in this case, Microsoft’s data centre in Ireland), the United States could not compel production via a U.S.-issued warrant.”
Source: IAPP (International Agency of Privacy Professionals)
Microsoft won the case, and in doing so urged Congress to update the SCA to better respond to the realities of data privacy in the modern age. The result was the CLOUD Act. But now that the CLOUD Act does allow U.S. law enforcement to compel U.S.-based companies to provide requested data regardless of location, where does this leave Microsoft Partners based in the UK and Europe?
What does the CLOUD Act mean for European Microsoft Partners?
Complication and confusion arise when data protection laws from the CLOUD Act overlap laws from the GDPR (General Data Protection Regulation). Article 48 of the GDPR, in particular, seemingly contradicts the crux of the CLOUD Act:
“Any judgment of a court … or decision of administrative authority … requiring a controller or processor to transfer or disclose personal data may only be enforceable if based on an international agreement, such as a Mutual Legal Assistance treaty, between the requesting third country and the Union or a Member State.”
This may be cause for concern for European Microsoft Partners and Cloud Service Providers with data in a U.S. office or with U.S. partners. However, it should be noted that U.S. law enforcement can only compel organisations to hand over data, regardless of where it is stored, when all three of the following criteria are met:
- A U.S. court has jurisdiction over the organisation whose data is being sought.
- The organisation is an electronic communication service or remote computing service provider in scope of the U.S. CLOUD Act.
- The organisation has possession, custody or control over the data.
If any one of these criteria is not met, an international agreement such as an MLA (Mutual Legal Assistance) treaty must be relied upon instead. The CLOUD Act also does not authorise bulk requests by law enforcement. Instead, they may only access digital information from service providers:
- in connection with a criminal case, or
- after obtaining a warrant from a court based on probable cause.
The U.S. Department of Justice confirms that, in cases where the CLOUD Act conflicts with laws of other countries, “both the United States and any partner would agree to remove legal restrictions only in circumstances both countries find appropriate.”
In summary, the CLOUD Act does not provide the U.S. government with any new authority to obtain content – of either U.S., EU or other foreign citizens – on the grounds of national security.
Helping Microsoft Partners 365 days a year
Despite what you might read, the CLOUD Act does not pose added risk to Microsoft Partners in Europe. But it does affect U.S. law enforcement’s jurisdiction on any instance of cybercrime in the U.S. – a threat that is growing and will only continue to do so in the coming years.
As with all legal issues, remember that the specifics can vary from company to company. And when the monetary fines for non-compliance with the GDPR and CLOUD Act are enough to bankrupt even the most well-established organisations, it pays to be completely sure.
There is also the possibility that companies in the EU – concerned with what the CLOUD Act means for their operations in the U.S. – may seek out cloud providers in the EU and the UK instead. If you want to be one of the providers they turn to, you need to know every important detail of how the CLOUD Act and GDPR work together.
Law 365 provide legal services and counsel that’s easy to understand and clearly priced – and it’s specifically designed for Microsoft Partners. Our Microsoft Partner Network specialists and modern digital tools provide you with well-deserved peace of mind, support and professionalism, without pretence.
Get in touch with one of the Law 365 team today to find out where your organisation stands in this new age of data protection laws.
“Law 365’s service engagement model is very flexible; essentially allowing the business to engage their legal services in a very cost effective manner and as needs dictate.”
– Jason Moody, Owner and COO at Convergent Network Solutions Limited