CLOUD Act: what is it, and how does it affect cybersecurity?

The conflict between privacy rights and state access to information has become a focal point of legal and ethical arguments in an era when data is important.

The Clarifying Lawful Overseas Use of Data, or CLOUD Act, a law with far-reaching repercussions for persons and organizations, is a crucial factor in this ongoing debate. 

This law changes the game for how data is handled across borders, impacting our privacy and cybersecurity.

In this blog post, let's explore what the CLOUD Act is, what it allows or restricts, and why it clashes with another big player, the GDPR. We'll also look into the details to see how this affects everyone, especially those in the EU who use US-based tools. 

What is the CLOUD Act?

The CLOUD Act revises the Electronic Communications Privacy Act (ECPA), which governs how law enforcement agencies in the United States may request information kept by certain technological businesses, including cloud service providers.

The CLOUD Act, enacted in 2018, was introduced in response to the difficulties law enforcement experienced in accessing data kept abroad, particularly in the context of modern cloud computing. The Act authorizes any U.S. law enforcement order filed under the Stored Communications Act (SCA) to access specified data located in other countries.

At a time when existing law enforcement tools and privacy laws are clearly limited in responding to requests for evidence in the age of cloud computing, the CLOUD Act establishes a set of processes and procedures. It aims to provide tools for US law enforcement to work with different nations when it comes to sharing electronic information-based evidence.

Therefore, the CLOUD Act allows the US government to access personal data located in data centers all over the world. However, there is a caveat: the law only applies to companies established in the United States. It must be followed by all web giants, including their European branches. 

Owing to its characters, this act has raised concerns about the extraterritorial reach of US law and its potential conflicts with the data protection laws of other countries.

What is and isn’t permitted under the US CLOUD Act

Let's assess the reach of the CLOUD Act:

What is permitted:

• Only for criminal investigations: The act restricts the use of collected data to criminal investigations, stressing its usage in law enforcement scenarios.
• Warrants: Any data request must be supported by a comprehensive warrant that describes the information sought. An impartial court must approve the warrant, assuring a comprehensive review of probable cause relating to a specific offense.
• Preservation of provider rights: Providers have the ability to dispute orders under common law through "comity challenges" if the request violates the laws of another country.
• Prosecutor advice: The Act instructs prosecutors to obtain data directly from company customers wherever possible and without jeopardizing investigations.
• Bilateral agreements: Under the CLOUD Act, certain foreign countries may enter into bilateral agreements with the United States. This condition allows these governments to make direct law enforcement requests to the United States, eliminating the necessity for a mutual legal aid treaty. 

What's not permitted:

• No new legal authority: The act does not offer new legal authority to US law enforcement to acquire data; instead, it emphasizes the preservation of existing legal frameworks.
• Limitations on jurisdiction: It does not enhance US courts' jurisdiction over corporations or change the need for the US to have personal jurisdiction over a firm in order to request data.
• Preservation of fundamental requirements: The CLOUD Act preserves the core constitutional and statutory conditions that US law enforcement must follow.
• Warrant scope restriction: The Act does not alter or expand the historical scope of warrants issued under US law. It expressly forbids indiscriminate or mass data collecting.
• National security considerations: Government access to data is allowed only when necessary to advance legitimate national security objectives. Such access must not disproportionately impact the protection of individual privacy and civil liberties.

What’s all the fuss about CLOUD vs. GDPR

The conflict between the US CLOUD Act and the European General Data Protection Regulation (GDPR) has caused considerable controversy, particularly among US-based firms working in the European Union. 

The basis of the issue is the conflicting demands placed on the handling of client data by these two regulations.

• The CLOUD Act places US-based firms operating in the EU in a bind. The law requires them to submit consumer data to US authorities if requested, even if it means breaking the GDPR, which exists to defend individuals' privacy and control over their data. 

On the other hand, GDPR puts stringent restrictions on enterprises in terms of personal data processing, storage, and transfer. The clash intensifies as the CLOUD Act, driven by US interests, places these interests above foreign laws, including the robust safeguards outlined in the GDPR.

• As stated in Article 6 of the GDPR, each data transfer must have a legitimate reason in accordance with GDPR principles.

In contrast, the CLOUD Act departs from this requirement by allowing the transmission of personal data without the need for a Mutual Legal Assistance Treaty (MLAT), which is deemed essential under the GDPR.

The primary contention raised by the disagreement between the CLOUD Act and the GDPR is those related to data storage and accountability.

With the CLOUD Act allowing US authorities to access data kept globally by US-based service providers, EU residents' data may be vulnerable to monitoring without their explicit agreement, violating GDPR principles. 

This disagreement has serious consequences for businesses that rely on cloud services for data storage, communication, and collaboration. 

Who does the CLOUD Act affect in Europe?

The impact of the CLOUD Act is not limited to a specific industry or sector. Instead, it affects every organization using US-based communication tools for internal or customer communication. As these tools often rely on cloud infrastructure, the potential for cross-border data access under the CLOUD Act introduces uncertainties and risks.

Compliance with the GDPR is not just a legal requirement but a responsibility toward customers. Companies persisting in the use of cloud services from US providers find it challenging to ensure GDPR compliance, raising both legal and trust-related concerns. 

This dilemma may prompt organizations to reconsider their data management practices, seeking alternatives that prioritize data protection, sovereignty, and compliance with European regulations.

However, one thing is clear: businesses must adopt solutions that not only meet communication needs but also align with the robust data protection standards outlined by the GDPR. 

As the digital landscape evolves, a strategic shift towards European software becomes paramount for organizations intent on safeguarding customer trust and navigating the complexities of global data governance.

Staying compliant with GDPR

In light of the challenges posed by the CLOUD Act and its clash with GDPR, organizations must take proactive measures to safeguard data privacy and maintain compliance.

Rocket.Chat, an open-source team communication platform, offers a solution for organizations seeking GDPR-compliant communication tools. By self-hosting Rocket.Chat, organizations gain greater control over their data and can ensure that it adheres to the principles of GDPR. This strategy enables enterprises to manage their communication infrastructure in accordance with EU data protection rules.

Self-hosting allows enterprises to create and implement their own security protocols, ensuring that data remains within GDPR guidelines. While this solution necessitates a larger initial investment in infrastructure and upkeep, it provides a level of control and assurance that may exceed the risks involved with depending on third-party cloud services.