TMT | IP Publikationer

The US CLOUD Act – impact and implications

What do you sto­re in the cloud? Business re­la­ted in­for­ma­tion on your com­pu­ter, cell pho­ne or ot­her de­vice such as emails, con­tact in­for­ma­tion and ot­her docu­men­ta­tion, pos­sib­ly in­clu­ding tra­de secrets? Many cor­po­ra­tions use the cloud though the ex­ten­sion and pur­po­se may va­ry. The cloud is both ef­fi­ci­ent and practi­cal, all you need is an in­ter­net con­nec­tion and you are practi­cal­ly at work. But is it sa­fe?

When the General Data Protection Regulation (“GDPR”) ca­me in­to for­ce last May the per­so­nal in­tegri­ty of anyo­ne wit­hin the bor­ders of the European Union (“EU”) was amp­li­fi­ed. Additionally, the GDPR brought a who­le new set of re­spon­si­bi­li­ti­es to cor­po­ra­tions, to tho­se who pro­cess the per­so­nal da­ta. Anyone who pro­cess per­so­nal da­ta has to me­et cer­tain cri­te­ria, and the san­c­tions should you fail to me­et the cri­te­ria are se­ve­re. About the sa­me ti­me as the GDPR ca­me in to for­ce, and eve­ry­o­ne´s mind was direc­ted at fin­ding da­ta pro­tec­tion of­fi­cers, per­for­ming risk as­sess­ments and establishing po­li­ci­es, the CLOUD Act was enac­ted in the US. The CLOUD Act, short for the Clarifying Lawful Overseas Use of Data Act sta­tes that all US cloud ser­vice pro­vi­ders shall, when or­de­red, pro­vi­de the US aut­ho­ri­ti­es with da­ta sto­red on their ser­vers, re­gard­less of whe­re in the world the da­ta is kept. As a re­sult, US aut­ho­ri­ti­es may ac­cess and re­ad amp­le amounts of da­ta re­la­ting to, and be­lon­ging to, ci­ti­zens and cor­po­ra­tions out­si­de of the US. The CLOUD Act is a re­sult of the dif­ficul­ti­es US ba­sed aut­ho­ri­ti­es li­ke the FBI has ex­pe­ri­enced with ob­tai­ning in­for­ma­tion sto­red on re­mo­te ser­vers. Furthermore, cor­po­ra­tions and in­di­vi­du­als con­cer­ned are not en­tit­led to be no­ti­fi­ed when per­so­nal da­ta re­gar­ding them is be­ing retri­e­ved. Notifying could even re­sult in pro­secu­tion in ac­cor­dan­ce with the CLOUD Act. Since the CLOUD Act ap­pli­es to all US ba­sed cloud pro­vi­ders, ma­jor IT com­pa­ni­es such as Google, Microsoft and Amazon ha­ve to ab­i­de by the Act. As a re­sult, the sco­pe of the CLOUD Act can be so­mewhat pro­ble­ma­tic in re­la­tion to the GDPR.

The Swedish col­la­bo­ra­tion eSam (sw. eSamverkansprogrammet), con­si­s­ting of 23 Swedish pub­lic aut­ho­ri­ti­es such as the Tax Agency (sw. Skatteverket), the Police (sw. Polismyndigheten) and the National Agency for Education (sw. Skolverket) works to­get­her to fa­ci­li­ta­te the di­gi­ta­li­sa­tion of the pub­lic sector. eSam has eva­lu­a­ted the use of cloud ser­vices wit­hin the pub­lic sector and is­su­ed a sta­te­ment say­ing that it can­not be ex­clu­ded that a cloud ser­vice pro­vi­der that is sub­ject to a fo­rei­gn ju­ris­dic­tion could as­sist in the ex­po­su­re of pri­va­te and sec­ret in­for­ma­tion. They sta­te that in­for­ma­tion sto­red using fo­rei­gn cloud ser­vice pro­vi­ders should be con­si­de­red as di­sclo­sed. However, eSam do­es not re­com­mend to re­frain from using US cloud ser­vice pro­vi­ders al­to­get­her, but when do­ing so the in­for­ma­tion should not be clas­si­fi­ed and if it is, the encryp­tion has to be suf­fi­ci­ent. Providing suf­fi­ci­ent encryp­tion has though pro­ven dif­ficult le­a­ding to the sta­te­ment en­ding in so­me ways am­bi­gu­ous. Furthermore, the me­di­cal uni­ver­si­ty Karolinska Institutet in Sweden has ta­ken this a step furt­her and ex­pli­cit­ly warns their users as to what in­for­ma­tion may not be sto­red in the cloud, in this ca­se a US ba­sed cloud ser­vice pro­vi­der. Karolinska Institutet sta­tes that any sec­ret in­for­ma­tion, or in­for­ma­tion that could be re­la­ted to pa­ti­ents may not be sto­red in the cloud sin­ce their agre­e­ments with the pro­vi­der do not con­tain any pro­tec­tion against ot­her ju­ris­dic­tions, and the pro­vi­der as a US re­gis­te­red com­pa­ny are not at li­ber­ty to wa­i­ve US le­gis­la­tion.

As sta­ted in the in­tro­duc­tion, ma­ny cor­po­ra­tions do use cloud ser­vices to a cer­tain ex­tent. Also, ma­ny cor­po­ra­tions pro­cess and sto­re a com­pre­hen­si­ve amount of bu­si­ness re­la­ted in­for­ma­tion, per­so­nal da­ta and ot­her da­ta that con­tains bu­si­ness secrets in the cloud. The ef­fects of the CLOUD Act for a cor­po­ra­tion ac­ting as da­ta con­trol­ler for e.g. schools, he­alth ca­re pro­vi­ders, in­su­ran­ce com­pa­ni­es, banks or te­le­com pro­vi­ders could be de­vas­ta­ting, for in­stan­ce re­gar­ding the com­pli­an­ce with the GDPR. A cor­po­ra­tion may suf­fer from this, not on­ly when ac­ting as da­ta con­trol­ler or pro­ces­sor of per­so­nal da­ta, but al­so as re­gards their own bu­si­ness in­for­ma­tion and secrets.

To con­si­der that US aut­ho­ri­ti­es may law­ful­ly ac­cess in­for­ma­tion sto­red in a cloud, wit­hout pri­or no­ti­fi­ca­tion, is to say the le­ast both pro­ble­ma­tic and se­ri­ous. In the si­tu­a­tion that a US aut­ho­ri­ty has ini­ti­a­ted a le­gal pro­cess the cloud ser­vice pro­vi­der has to pro­vi­de the aut­ho­ri­ty with da­ta, but are not at li­ber­ty to no­ti­fy the cor­po­ra­tion (by so­me cal­led the “gag­ging or­der”). Providing US aut­ho­ri­ti­es with in­for­ma­tion could for any cor­po­ra­tion con­sti­tu­te e.g. a bre­ach of the GDPR, an un­law­ful trans­fer of per­so­nal da­ta to a third country (a country out­si­de the bor­ders of the EU or the European Economic Area) as well as bre­aches of tra­de sec­ret un­der­ta­kings to na­me a few.

Some pro­vi­ders li­ke Tumblr, Reddit and Adobe has used what is known as a “war­rant ca­na­ry”, a met­hod to sub­t­ly or si­lent­ly let your users know that they ha­ve be­en sub­ject to a sub­po­e­na for in­for­ma­tion, wit­hout bre­a­king the “gag or­der”. In re­a­li­ty, the pro­vi­ders ha­ve a ge­ne­ric in­for­ma­tion on their web­si­te sta­ting that they ha­ve not be­en is­su­ed to pro­vi­de in­for­ma­tion as to a cer­tain da­te. As long as the text is the­re all is well, but when the text has be­en ta­ken down or not be­en up­da­ted you as a user can un­derstand that to be a sort of pas­si­ve no­ti­fi­ca­tion. Applying the met­hod of a “war­rant ca­na­ry” in the light of the GDPR could im­ply the use of an in­for­ma­ti­ve text in e.g. the pri­va­cy po­li­cy sta­ting that per­so­nal da­ta may be dis­tri­bu­ted to US aut­ho­ri­ti­es should the CLOUD Act be­come ap­pli­cab­le. The practi­cal ques­tion is whet­her that would be con­si­de­red suf­fi­ci­ent to com­ply with da­ta pro­tec­tion le­gis­la­tion. If per­so­nal da­ta is to be trans­fer­red to a third country, the cor­po­ra­tion needs to sa­fe­gu­ard adequa­te le­vels of secu­ri­ty. Having the­se ac­tions on a sort of stand­by just in ca­se a cloud ser­vice pro­vi­der pro­vi­des the US aut­ho­ri­ti­es with in­for­ma­tion, wit­hout the cor­po­ra­tion’s know­led­ge, se­ems far­fet­ched con­si­de­ring that the pro­ces­sing of per­so­nal da­ta in or­der to be law­ful has to be trans­pa­rent. Transparency ac­cor­ding to the GDPR me­ans that it has to be ea­sy to un­derstand whet­her, by whom and for what pur­po­se per­so­nal da­ta is be­ing col­lec­ted – requi­re­ments that fun­da­men­tal­ly clash with cloud ser­vice pro­vi­ders pro­vi­ding US aut­ho­ri­ti­es with in­for­ma­tion wit­hout no­ti­fy­ing eit­her the da­ta con­trol­ler or the da­ta sub­jects. As for tra­de secrets and ot­her bu­si­ness re­la­ted in­for­ma­tion that might be sub­ject to a sub­po­e­na in light of the CLOUD Act, the ap­pli­cab­le pre­ven­ti­ve me­a­su­res for cor­po­ra­tions are har­der to over­look. Some in­for­ma­tion is not me­ant to be sha­red, and what pre­ven­ti­ve me­a­su­res can he­al the pos­sib­le pro­vi­sion of tra­de secrets to US aut­ho­ri­ti­es?

The use of cloud ser­vices is ho­wever po­si­ti­ve, and the de­ve­lop­ments point firm­ly in the direc­tion of mo­re sub­stan­ti­al use of cloud so­lu­tions in or­der to sto­re or pro­cess da­ta. Lately the use of a sort of “hy­brid cloud” so­lu­tion has ap­pe­a­red as a me­ans to secu­re in­for­ma­tion sto­red in the cloud. A hy­brid cloud is a cloud en­vi­ron­ment that com­bi­nes the use of both pri­va­te and pub­lic clouds, and whe­re the in­for­ma­tion is ma­na­ged between the dif­fe­rent clouds giving the in­for­ma­tion a sort of free­dom of mo­ve­ment and gi­ves the user a wi­der range of flex­i­bi­li­ty. Whatever met­hod you de­ci­de to use, all cor­po­ra­tions should start with a tho­rough eva­lu­a­tion of the in­for­ma­tion that you ha­ve and need, and clas­si­fy it. Following you need to as­sess whe­re and how to sto­re the in­for­ma­tion.

Further de­ve­lop­ments are ne­ces­sa­ry to en­su­re in­tegri­ty and pri­va­cy of in­for­ma­tion sto­red using cloud ser­vices, and the­re are no doubt mo­re re­ac­tions to the CLOUD Act awai­ting. In the me­an ti­me we can all ask our­sel­ves “what do we still want to keep in the cloud”?

Författare Thomas Nygren och Alexandra Sackemark.