The Cloud Act: what are the issues, debates and confusion?

Cybersecurity is becoming an increasingly important issue for companies and individuals. The Cloud Act has given rise to various debates and confusion regarding the access of American authorities to data located abroad, by American service providers for example. Let’s clear this up together.

What is the Cloud Act?

On March 23, 2018, thirty years after the Stored Communications Act (SCA), which defines the conditions under which electronic communications can be viewed and/or seized by American regulatory or judicial authorities, the United States Congress adopted the Cloud Act (Clarifying Lawful Overseas Use of Data Act, a law clarifying the lawful use of data hosted abroad). It establishes a legal framework for requests for access to data stored on the servers of electronic service providers located in the United States.

According to a Village Justice article by Jean-Pierre Mistral, a specialist in global data privacy, the Cloud Act has three major contributions:

  • injunctions issued by the US authorities under the Cloud Act can now reach data located in foreign countries;
  • the United States and other states may enter into bilateral agreements to present Cloud Act-based injunctions directly to service providers in each of the countries;
  • electronic service providers can now follow a formal process to challenge injunctions based on the Cloud Act.

It is therefore a federal law allowing the United States government to recover data stored on American servers, including foreign data, without the users being informed.

What are the issues raised by the Cloud Act for companies and individuals?

The Cloud Act applies to all providers of communication, processing or electronic storage services, of cloud computing or of remote computing services whose activity is governed by US law, whether established in the United States or not. This means that any foreign company with a subsidiary in the United States is subject to the Cloud Act. The Cloud Act thus applies indirectly to all economic players who have chosen to entrust their data to American service providers.

The Cloud Act has raised concerns in Europe and around the world regarding respect for privacy and the fate of personal data entrusted to GAFAM (Google, Apple, Facebook, Amazon, Microsoft). However, the US authorities can only force providers to hand over data by virtue of an express mandate issued by a US court. The Cloud Act therefore does not give American authorities carte blanche to access, without any conditions or control, all the data entrusted to the United States.

Do French and European legislation make it possible to block data communication requests from the American authorities?

In France as in Europe, there are laws or regulations likely to oppose the requisitions of the American judicial or regulatory authorities relating to data stored in Europe. Emmanuelle Mignon, partner at the law firm August Debouzy, distinguishes three in her article "Should we be afraid of the Cloud Act?":

  • Article 48 of the GDPR, which provides that: "Any decision of a court or administrative authority of a third country requiring a controller or a processor to transfer or disclose personal data can only be recognized or enforced in any way on condition that it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer under this Chapter";
  • Law No. 68-678 of July 26, 1968 relating to the communication of documents and information of an economic, commercial, industrial, financial or technical nature to foreign natural or legal persons, known as the "French blocking law", by virtue of which it is forbidden to communicate to foreign authorities documents or information of an economic, commercial, industrial, financial or technical nature "the communication of which is likely to undermine the sovereignty, security, essential economic interests of France or public order". This law, very little applied, is in the process of being modified and reinforced;
  • European Directive No. 2016/943 of 8 June 2016 relating to business secrecy, transposed in France in July 2018, according to which "is protected (…) any information meeting the following criteria: 1° it is not (…) generally known or easily accessible to people familiar with this type of information because of their sector of activity; 2° it has a commercial value, actual or potential, because of its secret nature; 3° it is subject to reasonable protection measures by its legitimate holder (…) to keep it secret" (Article L. 151-1 of the Commercial Code). It is also provided that "business secrets are not enforceable when the obtaining, use or disclosure of the secret is required or authorized by European Union law, international treaties or agreements in force or national law, in particular in the exercise of the powers of investigation, control, authorization or sanction of the judicial or administrative authorities" (Article L. 151-7 of the Commercial Code).

Conversely, communicating to the American authorities data covered by business secrecy outside any international agreement, that is to say on the sole basis of a unilateral request formulated by the American administration (for example to a GAFAM) in application of the Cloud Act, is in principle prohibited, and exposes an electronic service provider that would communicate such data to having its liability engaged.

These legal elements show that, beyond the objections that American hosts can raise against requests for data from the American authorities, laws outside the United States continue to protect both companies and individuals as much as possible with regard to data protection and cybersecurity.

The Cloud Act and Cloud Providers, what impact?

Depending on the security policy of your company, the choice of cloud is important. This question is further accentuated in the context of the Cloud Act.

If you use an American cloud provider, a relationship of trust must exist between your company and that provider, so that it encrypts your data upon receipt. If you decide to opt for one of these cloud providers, there is another way to protect your data: encrypt it upstream, before handing it to the cloud provider. However, this approach adds considerable complexity.
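The "encrypt upstream" option described above is worth seeing concretely, because it changes what a provider can hand over under a court order: only ciphertext and a wrapped data key, never the key-encryption key (KEK) that stays on the customer's own infrastructure. The following Go program is an added illustration written for this article, not code from the article's author or from any cloud provider. It implements client-side envelope encryption with AES-GCM from Go's standard library: a fresh random data key per object, the object encrypted under that data key, and the data key wrapped under the customer-held KEK. The object name is used as associated data so a blob copied to a different path fails to decrypt. All names (Envelope, Encrypt, Decrypt) and the sample data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what actually gets uploaded to the cloud provider (hypothetical
// structure for this example). The provider stores WrappedDataKey and
// Ciphertext; it never sees the KEK needed to unwrap the data key.
type Envelope struct {
	WrappedDataKey []byte // 32-byte data key sealed under the on-premises KEK
	Ciphertext     []byte // object contents sealed under the data key
}

// sealAEAD encrypts plaintext with AES-256-GCM under key, binding it to aad.
// The random nonce is prepended to the output so the reader can recover it.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends nonce || ciphertext || tag into a new buffer.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAEAD reverses sealAEAD; any change to key, nonce, ciphertext or aad
// makes the GCM tag check fail and returns an error instead of plaintext.
func openAEAD(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// Encrypt prepares an object for upload. kek is the customer-held
// key-encryption key (32 bytes); objectName is the storage path, used as
// associated data so the envelope is bound to that path.
func Encrypt(kek, plaintext []byte, objectName string) (*Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	ct, err := sealAEAD(dataKey, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealAEAD(kek, dataKey, []byte(objectName))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDataKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt recovers the object after download. It needs the same KEK and the
// same object name that were used on the way up.
func Decrypt(kek []byte, env *Envelope, objectName string) ([]byte, error) {
	dataKey, err := openAEAD(kek, env.WrappedDataKey, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return openAEAD(dataKey, env.Ciphertext, []byte(objectName))
}

func main() {
	kek := make([]byte, 32) // in practice: from an on-premises KMS or HSM
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	// Constructed sample object for the demonstration.
	env, err := Encrypt(kek, []byte("constructed customer record"), "exports/2024/customers.csv")
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded: %d bytes ciphertext, %d bytes wrapped key\n", len(env.Ciphertext), len(env.WrappedDataKey))
	pt, err := Decrypt(kek, env, "exports/2024/customers.csv")
	fmt.Printf("downloaded and decrypted: %q (err=%v)\n", pt, err)
	_, err = Decrypt(kek, env, "exports/2024/other.csv")
	fmt.Printf("same blob under another object name: err=%v\n", err)
}
```

Holding the KEK yourself is what makes the difference in the Cloud Act scenario: a provider served with an order can hand over the envelope, but without the KEK neither the data key nor the object can be read. The cost is exactly the complexity the text mentions: key storage, rotation and backup become your responsibility, and server-side features that need plaintext (search, indexing, previews) stop working.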

Some companies have a security policy that requires hosting their data in their own country. If your company is French, for example, and you have such a security policy, you now have three options to host your data in France:

  • A French cloud provider like OVH
  • A private cloud
  • An American cloud provider by taking the hosting option in France

Note that for this third option, it is advisable to check with the chosen cloud provider that the complete European isolation of your data is guaranteed.

Are you looking to make strategic choices in terms of cybersecurity for your business? We have just taken a look at what the Cloud Act is and its challenges for your business and your customers’ data.
