TMT | IP Publications

The US CLOUD Act – impact and implications

What do you store in the cloud? Business-related information on your computer, cell phone or other device such as emails, contact information and other documentation, possibly including trade secrets? Many corporations use the cloud, though the extent and purpose may vary. The cloud is both efficient and practical: all you need is an internet connection and you are practically at work. But is it safe?

When the General Data Protection Regulation (“GDPR”) came into force last May, the personal integrity of anyone within the borders of the European Union (“EU”) was amplified. Additionally, the GDPR brought a whole new set of responsibilities to corporations, to those who process the personal data. Anyone who processes personal data has to meet certain criteria, and the sanctions should you fail to meet the criteria are severe. About the same time as the GDPR came into force, and everyone's mind was directed at finding data protection officers, performing risk assessments and establishing policies, the CLOUD Act was enacted in the US. The CLOUD Act, short for the Clarifying Lawful Overseas Use of Data Act, states that all US cloud service providers shall, when ordered, provide the US authorities with data stored on their servers, regardless of where in the world the data is kept. As a result, US authorities may access and read ample amounts of data relating to, and belonging to, citizens and corporations outside of the US. The CLOUD Act is a result of the difficulties US-based authorities like the FBI have experienced with obtaining information stored on remote servers. Furthermore, corporations and individuals concerned are not entitled to be notified when personal data regarding them is being retrieved. Notifying could even result in prosecution in accordance with the CLOUD Act. Since the CLOUD Act applies to all US-based cloud providers, major IT companies such as Google, Microsoft and Amazon have to abide by the Act. As a result, the scope of the CLOUD Act can be somewhat problematic in relation to the GDPR.

The Swedish collaboration eSam (sw. eSamverkansprogrammet), consisting of 23 Swedish public authorities such as the Tax Agency (sw. Skatteverket), the Police (sw. Polismyndigheten) and the National Agency for Education (sw. Skolverket), works together to facilitate the digitalisation of the public sector. eSam has evaluated the use of cloud services within the public sector and issued a statement saying that it cannot be excluded that a cloud service provider that is subject to a foreign jurisdiction could assist in the exposure of private and secret information. They state that information stored using foreign cloud service providers should be considered as disclosed. However, eSam does not recommend refraining from using US cloud service providers altogether, but when doing so the information should not be classified, and if it is, the encryption has to be sufficient. Providing sufficient encryption has, however, proven difficult, which leaves the statement in some ways ambiguous. Furthermore, the medical university Karolinska Institutet in Sweden has taken this a step further and explicitly warns its users as to what information may not be stored in the cloud, in this case with a US-based cloud service provider. Karolinska Institutet states that any secret information, or information that could be related to patients, may not be stored in the cloud, since its agreements with the provider do not contain any protection against other jurisdictions, and the provider, as a US-registered company, is not at liberty to waive US legislation.

As stated in the introduction, many corporations do use cloud services to a certain extent. Also, many corporations process and store a comprehensive amount of business-related information, personal data and other data that contains business secrets in the cloud. The effects of the CLOUD Act for a corporation acting as data controller for e.g. schools, health care providers, insurance companies, banks or telecom providers could be devastating, for instance regarding compliance with the GDPR. A corporation may suffer from this not only when acting as data controller or processor of personal data, but also as regards its own business information and secrets.

To consider that US authorities may lawfully access information stored in a cloud, without prior notification, is, to say the least, both problematic and serious. In the situation where a US authority has initiated a legal process, the cloud service provider has to provide the authority with data, but is not at liberty to notify the corporation (called by some the “gagging order”). Providing US authorities with information could for any corporation constitute e.g. a breach of the GDPR, an unlawful transfer of personal data to a third country (a country outside the borders of the EU or the European Economic Area) as well as breaches of trade secret undertakings, to name a few.

Some providers like Tumblr, Reddit and Adobe have used what is known as a “warrant canary”, a method to subtly or silently let users know that the provider has been subject to a subpoena for information, without breaking the “gag order”. In reality, the providers publish a generic statement on their website stating that they have not been required to provide information as of a certain date. As long as the text is there all is well, but when the text has been taken down or not been updated, you as a user can understand that to be a sort of passive notification. Applying the method of a “warrant canary” in the light of the GDPR could imply the use of an informative text in e.g. the privacy policy stating that personal data may be distributed to US authorities should the CLOUD Act become applicable. The practical question is whether that would be considered sufficient to comply with data protection legislation. If personal data is to be transferred to a third country, the corporation needs to safeguard adequate levels of security. Having these actions on a sort of standby just in case a cloud service provider provides the US authorities with information, without the corporation’s knowledge, seems far-fetched considering that the processing of personal data, in order to be lawful, has to be transparent. Transparency according to the GDPR means that it has to be easy to understand whether, by whom and for what purpose personal data is being collected – requirements that fundamentally clash with cloud service providers providing US authorities with information without notifying either the data controller or the data subjects.

As for trade secrets and other business-related information that might be subject to a subpoena in light of the CLOUD Act, the applicable preventive measures for corporations are harder to get an overview of. Some information is not meant to be shared, and what preventive measures can remedy the possible provision of trade secrets to US authorities?

The use of cloud services is, however, positive, and the developments point firmly in the direction of more substantial use of cloud solutions in order to store or process data. Lately the use of a sort of “hybrid cloud” solution has appeared as a means to secure information stored in the cloud. A hybrid cloud is a cloud environment that combines the use of both private and public clouds, and where the information is managed between the different clouds, giving the information a sort of freedom of movement and the user a wider range of flexibility. Whatever method they decide to use, all corporations should start with a thorough evaluation of the information that they have and need, and classify it. Next, they need to assess where and how to store the information.

Further developments are necessary to ensure integrity and privacy of information stored using cloud services, and there are no doubt more reactions to the CLOUD Act to come. In the meantime we can all ask ourselves: “what do we still want to keep in the cloud?”

The authors are Thomas Nygren and Alexandra Sackemark.