Most IT engineers who have dealt with American technology have heard of the CLOUD Act, a U.S. law that compels American companies to hand over data if, according to the American government, the need arises. The word CLOUD in the law’s name is an acronym and is not derived from the word cloud or from cloud computing. It stands for Clarifying Lawful Overseas Use of Data, which in itself means that it is far more than just a law that controls cloud providers like Microsoft, Amazon, or Google.
What companies does it apply to?
The law targets so-called ECS (Electronic Communication Service) and RCS (Remote Communication Service) providers. So what kind of companies are considered an ECS or RCS company?
Cornell Law School provides us with a very simple and brief description of what Electronic Communication Service companies are. In short, they are companies that allow their users to communicate electronically.
Cornell also provides us with a definition of Remote Communication Service companies. Point (2) of this link states that Remote Communication Service means providing storage or processing services by means of an Electronic Communication Service.
In short:
- Google is both an ECS and RCS company since it provides email services with Gmail and storage services with Google Drive, not to mention the storage capabilities of Google Cloud Platform.
- Microsoft is both an ECS and RCS company since it has Microsoft Teams and Office 365’s Exchange Online as Electronic Communication Services, again not to mention the storage it provides with Azure and Microsoft OneDrive.
These are only a couple of examples of ECS and RCS companies. Most of the USA’s big-tech and smaller tech companies are affected by the CLOUD Act.
What does it compel the companies to do?
The ECS and RCS companies that must abide by this US federal law are compelled to comply with existing requirements for preserving and backing up data. That much is absolutely fine. But they are also required to disclose information on the contents of electronic communication pertaining to a customer or subscriber, and it makes no difference whether the data is stored within or outside the United States.
This means that if the United States has enough reason to have data disclosed to them, be that from a European customer that has its data in the US or even in the EU itself, an ECS or RCS company like Microsoft or Google has to disclose it to the United States federal government.
What did the United States Congress take into consideration?
The United States Congress had several points of attention:
- Having access to specific data in a timely manner helps combat terrorism.
- It’s a risk if that data is stored outside the United States, so they need to be able to access that data as well.
- Foreign countries apparently want to do the same thing the CLOUD Act enables, namely accessing data of domestic companies in foreign data centers.
- Foreign law might prohibit a US company from disclosing data from their customers to the United States.
- Foreign law might be conflicting with the CLOUD Act.
- International treaties might be brought into place so that the CLOUD Act can be more effective and less conflicting.
So, the US needs to look into data from every RCS and ECS company when the need arises. These needs are mostly based on arguments of terrorism. They acknowledge that it conflicts with foreign law, and that it might even be a full legal contradiction. But bringing in treaties to resolve these conflicts might be a way to let the CLOUD Act actually work.
So what would the US’s process be to obtain the data they want?
Any entity that legally seeks access to data by means of the CLOUD Act must allow the party that has to disclose the data to object. That party can object on the grounds of conflicting foreign law, and the objection rests on two points:
- The customer or subscriber isn’t a US person or US entity, and
- The disclosure would be harmful in a material sense for the ECS or RCS company.
Based on these two, a judge must decide to modify or quash the legal entity’s request for data based on the CLOUD Act.
Sometimes the ECS or RCS company isn’t even permitted to contest the request for data, since there might be a need for immediate disclosure. Any safety-related topic might expedite the request for data.
Other than that, the ECS or RCS company is obliged to comply and hand over the data requested based on the CLOUD Act.
So how does this affect me, a European customer of American Big Tech?
It’s clear that a European customer of American Big Tech is affected by the CLOUD Act most of the time. If the United States thinks that a municipality in any European country houses a potential terrorist, then the United States can ask any ECS or RCS company like Google, Amazon, Oracle, IBM, Apple, Microsoft, etc., to hand over data from that municipality. The US is allowed to look into fundamental records of governmental organizations. And worst of all, it’s easy, since most of them have made minor or major steps towards public cloud computing.
Examples of CLOUD Act in recent history:
- Microsoft has been affected by the CLOUD Act in the Microsoft Corp vs. United States case of 2018.
- The UK has been actively working with the US to comply with the CLOUD Act.
And I must say, other than that, it’s really hard to find cases where the CLOUD Act really came into play, which might be all the more reason to be wary of this very scary US law.