In October 2019, the US and the UK signed the world’s first bilateral agreement under the US CLOUD Act – an agreement that may grant the US government access to your data, regardless of where it’s stored.

The CLOUD Act in a nutshell

The US CLOUD Act, an update to the Stored Communications Act, is designed to allow law enforcement to compel US-based tech companies – so most major cloud providers – to hand over requested data, even when the data isn’t stored on US soil.

Under the new act, the US can enter into bilateral agreements with other countries, allowing law enforcement authorities in the US to request data located in those foreign states. The UK recently entered into such an agreement with the US.

And the problem with this is?

Well, it puts the CLOUD Act at direct odds with the EU’s GDPR. Let’s say a cloud provider responds to a US order to provide data that relates to EU citizens (remember, the UK will continue to comply with GDPR after Brexit). That provider is then in breach of GDPR, and also very likely in breach of the contract between provider and customer. Yet, according to the CLOUD Act, they have to comply. Confused? It gets worse; under GDPR, the contract between cloud provider and customer must stipulate that personal data can only be disclosed in response to a request from an EU member state.

With stiff sanctions for breaching GDPR (€20 million or 4% of the company’s annual worldwide turnover), will cloud providers take the commercial decision to ignore requests from the US? They might. Such decisions would render the CLOUD Act basically toothless.

Assessing the impact

If your cloud provider hosts your data in the US, then all this makes no difference to your data – it was always, and still is, subject to US rules. It’s when your data is hosted outside of the US that things get interesting. It’s not clear whether cloud providers who store data in the EU or UK will choose to comply.

Interestingly, the new legislation doesn’t force providers to decrypt data or build ‘backdoors’ into their software. So a good step is to ensure your data – and that of your customers – is encrypted at rest, and that the provider cannot decrypt it on your behalf, since a provider that holds the keys can still be compelled to hand over readable data.

Ultimately, unless the agreement is abused by US or UK intelligence agencies, most of us have little to fear from the new rules. What it does highlight, however, is just how contradictory information governance can be! If you need a hand navigating the complex labyrinth that is compliance, talk to The RANt Group.

Vlad Botic

RANt is a London based security consultancy. We make sure your business and shareholders are protected from data leaks, by working with your business and team.