US CLOUD Act raises new data privacy issues


At the end of March, Donald Trump signed into law a $1.3 trillion spending bill that covered a vast range of policy areas. The 2,232-page bill ensured that the US Government would not shut down – at least until September – but it also provided an excellent opportunity for legislators to add other measures to the ‘omnibus’ bill, which, according to Senator Rand Paul, was passed without anyone having read the whole thing.


One thing that was squeezed onto the bill was the CLOUD (Clarifying Legal Use of Data) Act, which has significant repercussions for any organisation that uses an American-based company for data storage.

The CLOUD Act does two main things. First, it requires any company that is subject to the power of US courts to preserve customer data and disclose it to US law enforcement, if asked. This applies to any US-based company, including Amazon, Microsoft and Google.

Furthermore, the law prohibits those companies from informing their customers that the data has been requested or handed over. They face prosecution if they tell the customer about requests, making this effectively a secret measure.

Second, it allows the President to form “executive agreements” with other governments to exchange data. This would allow a foreign government to request information stored in the US and vice versa.

Companies can challenge requests if the customer in question is not a “US person” or if disclosure would break the laws of the country where the data is stored. However, it seems like this right to appeal applies only when the US has an executive agreement with the other country.

In other instances, it seems that the CLOUD Act could require countries to break local laws in order to comply with a data request. The Electronic Frontier Foundation, a civil liberties lobbying group, said: “Such expansion of US law enforcement power breaks the principle of territoriality, the core component of international law, and will produce a domino effect of information requests that overstep responding countries’ privacy safeguards.”

How the law plays out in practice remains to be seen. US states vary in the standards they require for data requests, with some demanding significantly more steps be carried out before they will support a request. It may fall to the Supreme Court to determine which requests are legal and how the territoriality question will be handled.

In mid-April, the European Commission followed America’s CLOUD Act with its own e-Evidence Initiative, which remains at the proposal stage but would require technology companies to share customer data with law enforcement agencies in any member state, when requested.

This would remove the need for law enforcement officials to request data through the judicial system in the country in question and instead allow them to get information such as the content of emails and messages, metadata and browser history within as little as six hours.

Last month, Vera Jourova, the EU Commissioner for Justice, Consumers and Gender Equality, said she would push for a data sharing deal with the United States. She said: “We have to insist on being the partner as the European Union for the United States for the reciprocal exchange of data.”

Though ministers from many EU nations, including France, Belgium, Italy and Portugal, are in favour of the near real-time sharing of data, others have expressed concern about the new legal questions that such legislation would raise.

For organisations that store customer data with US-based providers – and this could include information contained in emails in Microsoft Office 365 or Google’s G Suite – the CLOUD Act adds a new complication. If you handle data that must not cross certain borders, it is no longer enough to know where it is stored. You also need to understand whether it is stored by a company that might be compelled to hand it to the US government.

And, though the European Commission response remains at the discussion stage, companies will need to monitor it closely to determine whether their data could end up being shared with law enforcement. A reciprocal agreement would mean that even if your data is stored within the EU by a company with no links to the US, it might still be shared, depending on how the legislation plays out.

One upshot of GDPR has been increased customer awareness of data sharing and privacy. Companies will need to tread carefully to ensure that they comply with new legislation while also staying true to their values and those of their customers.


Written by Shane Richmond (Guest)

Shane Richmond is a freelance technology writer and former Technology Editor of The Daily Telegraph. You can follow him at @shanerichmond
