Data has become so important that it’s been called “the currency of the future”, so privacy and security are vital for maintaining its value. With the introduction of the CLOUD Act in the US, new changes in the law call that privacy and security into question.
Focusing in on US companies and US hosting providers – like Microsoft Azure, Google Drive, Amazon, or IBM Cloud – the CLOUD Act essentially gives the US government access to ALL data on those platforms, or any data owned by a US company.
“If you don’t have valuable data, it doesn’t matter, but if your data is something you need to protect, whether it is intellectual property, sensitive data, or has any kind of value, then you need to be highly concerned about where it is located,” said Scott MacKenzie, CEO of Cloud Carib.
Breaking Down the Basics of the CLOUD Act
On March 23, 2018, the Clarifying Lawful Overseas Use of Data (CLOUD) Act was quickly – and quietly – signed into law by President Trump, introducing new rules that require US companies to provide data to law enforcement agencies on request, regardless of its physical location.
There are two key elements that make up the backbone of the CLOUD Act:
- Opening up US access to foreign stored data
- Allowing foreign law enforcement to access US stored data
Now that it is officially US law, authorities in the US have the power to access data that is stored abroad by a US company or entity. This doesn’t require the cooperation of foreign governments, effectively giving US courts global authority over all data that is collected by a US entity.
Secondly, the Act gives foreign countries the opportunity to sign agreements with the US, allowing law enforcement authorities in those countries to access data within the US, without necessary privacy protections. The United Kingdom is likely to be the first to make this agreement, but others are expected to be quickly influenced by this.
It remains to be seen if any Nearshore countries will sign similar agreements – or if the US Attorney General will let them do so, as the final decision falls there – so the Act currently applies only to US companies and US hosting providers.
Pros and Cons
On the one hand, the Act serves to modernize some data privacy laws, providing clear legal guidelines that make the process of obtaining data much faster and less costly. It also requires that law enforcement entities obtain government approval on their requests for data, adding an extra layer of privacy protection.
On the other hand, the Act doesn’t protect the human rights of regular end users, so once foreign law enforcement requests are approved by the US, the personal information of Regular Jane and Regular Joe is exposed without their consent.
“While this version of the CLOUD Act includes some new safeguards, it is still woefully inadequate to protect individual rights,” said Sharon Bradford Franklin, Director of Surveillance & Cybersecurity Policy, New America’s Open Technology Institute. “Despite overwhelming opposition from privacy and human rights groups, Congress never held a hearing on the CLOUD Act, and entirely preempted any meaningful debate on the legislation by attaching it to the must-pass omnibus spending bill.”
Many small- to medium-sized businesses around the world rely on Google for their email service, their file storage, and many operational tasks. Now, if the US government needs access to that data for whatever reason, it can give a warrant to Google under the CLOUD Act and Google has to hand the data over, without telling the owner about the seizure.
From the perspective of foreign business owners and corporations, it’s now advisable to exercise a lot more caution in ensuring that business and technology operations are aligned with local data regulations, not those of the US.
Hosting providers with no affiliation to the US are not obligated to hand over data, as they adhere to local data laws. However, if the US government demands data directly from a US company, it can bypass those local laws.
One high-risk example is intellectual property or proprietary code, which some software development companies store on US cloud services. Now, the US government can have access to that IP, which is an extremely valuable commodity for those companies.
On the plus side, the CLOUD Act may offer an opportunity for more hosting providers to open up in the Caribbean and Latin America, creating new competition in the region and potentially causing the US to take notice.
“I hope that competition does increase and causes enough pain that causes the US government to re-think those policies,” said MacKenzie. “One of the reasons we are in this region is because the Caribbean has been trusted with people’s money for 50 years. Now, the new valuable commodity is data, so we are pushing to make it the trusted region for data, an opportunity that it is mature enough to handle.”