How Does the New CLOUD Act in the Senate Affect Foreign Data Storage?

As we’ve mentioned before on the blog, the location of your cloud data matters. Latency, accessibility, and security are all top of mind, but legal concerns should also be considered. Case in point: a new law working its way through the Senate could have major implications for your data storage.

The CLOUD Act (Clarifying Lawful Overseas Use of Data) has recently garnered the support of major tech companies like Apple, Microsoft, and Google, among others. Its stated goal is to clarify a web of different laws relating to data disclosure and privacy so enforcement officers and government officials have well-defined guidelines when it comes to accessing remotely stored data, including information that resides overseas, which is otherwise governed by the host country’s own laws.
 

How might the CLOUD Act affect cloud storage?

As we detailed in that post from last February, there have been a couple of high profile court cases in which data was sought by a US court despite being hosted in another country.

Microsoft and the Department of Justice are the best example, in which Microsoft refused to hand over email stored in Ireland. The Department of Justice’s argument is that the US-issued warrant should apply because that email is accessible from the United states. Microsoft is arguing that warrant has no jurisdiction overseas.

The CLOUD Act amends the Stored Communications Act – which already compels digital data storage providers to share data stored within the United States – with a new section which explicitly states that providers must share information even if the “communication, record, or other information is located within or outside of the United States.”

Even though the Microsoft case is set to go before the Supreme Court this month, Microsoft has spoken out in favor the CLOUD Act, saying it is an important step towards reducing international legal conflict and modernizing laws to account for cloud computing.

Although the large tech firms have by and large claimed that the act will improve privacy, it seems to do anything but that. So why the apparent hypocrisy? The act also includes exclusions, such as when the the customer is not a US citizen or a US-based company, or if the disclosure of the data would violate the laws of a foreign government.

Data Sharing Goes Both Ways

The CLOUD Act also seeks to help facilitate the formation of bilateral agreements with foreign countries to lay out formal guidelines for sharing of data in the case of illegal activity. It removes or amends pieces of the Electronics Communications Privacy Act (ECPA) to allow service providers to share stored information with foreign governments as long as these agreements have been established.

Limits on these agreements within the act include that the other country must have its own strict human rights and privacy standards. The act also attempts to limit the amount of data that can be handed over to foreign governments in the case of US citizens. The crime in question must be serious and under the review or oversight of a judge, magistrate, or other independent authority. The human rights requirements include that the data seizure may not be used to infringe upon freedom of speech as well.

The bill has not yet been passed so much remains up in the air. Many are already claiming it is a strong first step towards modernizing the approach towards digital criminal evidence. However, it is vital that the bilateral agreements between countries be far reaching, with all major countries represented, as many have already begun to mandate local data storage – at least if you are coming from the perspective of a US-based provider who does international business.