Quiet before the storm: CLOUD act

Recent developments in the court case between the US Government and Microsoft have impacts on companies offering services globally. The Clarifying Lawful Overseas Use of Data Act (CLOUD Act) aims to simplify the way enforcement groups obtain personal data stored by U.S.-based technology companies.

What Has Happened:

In December 2013, a United States Magistrate Judge issued a warrant under the authority of the Stored Communications Act (SCA) to Microsoft for production of data that was hosted at a Microsoft Data Centre in Ireland. Microsoft refused to comply with the parts of the order that required production from their Ireland Data Centre, on the grounds that the warrant violated European law.

Microsoft appealed the decision to the US Second Circuit court, which received submissions in support of Microsoft from various parties. The Irish Government submitted a brief stating that the warrant violated the European Union’s Data Protection Directive and Ireland’s own privacy laws, and that the US Government should have used the longstanding Mutual Legal Assistance Treaty between the US and Ireland, which allows for the collection of data supported by local warrants. The US Second Circuit found in favour of Microsoft, and the US Department of Justice appealed to the Supreme Court.

Oral arguments on the case were heard on Feb 27th. However, in March, the US Congress passed, and the President signed, the Clarifying Lawful Overseas Use of Data Act (CLOUD Act). This law amended the SCA to make it a requirement that US-based service providers must turn over data that is in their possession regardless of where in the world the data is located. Based on this development, the US Department of Justice asked the Supreme Court to dismiss the case as moot, and Microsoft did not oppose.

Even prior to this decision, there had been significant questions raised with respect to US Government access to data on citizens in other countries. The Article 29 Working Group had released a report calling into question whether the US was adhering to the requirements of the US/EU Privacy Shield agreements. In the report they recommended that new negotiations between the US and EU begin to develop a plan to close a few identified gaps. The Working Group warned that if action was not taken, they would take the issue to court to have the Privacy Shield agreement invalidated.

Impact on Market:

This is all happening in the context of the coming into force of the EU General Data Protection Regulation, which has strict requirements on companies that deal with the data of EU residents. Specifically, Article 48 of the EU General Data Protection Regulation states that:

 Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.

This directly contradicts the requirements of the CLOUD Act, which override the need to use the MLAT approach.

Naturally, this leaves many questions as to whose laws are more relevant, the status of previously agreed treaties and agreements, and a few other questions. It is also likely to have a significant impact on US companies as subscribers move to cloud service providers in their local jurisdictions – or at least those in jurisdictions that do not have such legal entanglements.

Echoworx is a Canadian-based company, and current Canadian law requires the use of Mutual Legal Assistance Treaties (MLATs) when the data sought is stored in a foreign country. Echoworx is also committed to meeting the privacy and legal requirements of the countries in which it operates. Echoworx continues to add data centres around the world to ensure that data is resident as close as possible to the country or region of origin. We currently operate data centres in the US, UK, Ireland, Mexico, and Canada to ensure data can be stored and maintained in accordance with the regulations and legislation that our customers are subject to.

By David Broad CISSP, Information Security and Audit Lead, Echoworx