A European Sovereign Cloud: the Silver Lining to the U.S. CLOUD Act
The adoption of the U.S. CLOUD Act weakens the integrity and security model of leading public cloud providers.
It all started with an American investigation into a drug-trafficking case. Data on this criminal network was reportedly located on a user’s Outlook account in Microsoft’s servers in Ireland. The U.S. Government issued a warrant requiring Microsoft to disclose data in its possession but the Redmond firm refused to comply on the grounds that the data was located outside the United States. Microsoft faced backlash over its refusal, some even questioning its patriotism.
While the case was being decided by the Supreme Court, the U.S. Congress tackled the issue by enacting, on March 23, 2018, a rider tacked onto an omnibus budget bill: the “CLOUD Act” (standing for Clarifying Lawful Overseas Use of Data Act) (1).
CLOUD Act: What Does it Say?
The CLOUD Act amends the Stored Communications Act of 1986, which required a tedious process (requests for international legal assistance based on bilateral treaties) to obtain the communication of any data hosted outside American territory.
Now, a simple warrant is sufficient to enjoin any U.S. company to provide such information, regardless of the data’s physical location.
The CLOUD Act applies to any “United States person”, defined very broadly (for legal persons) as a corporation that is incorporated in the United States, including a foreign subsidiary.
Not surprisingly, the procedure against Microsoft Ireland was abandoned (2) and reopened under the CLOUD Act, Microsoft having already publicly announced that the data would be transmitted in accordance with this new framework (3).
CLOUD Act: The European Response
Beyond preparing its own piece of legislation (4), the European Union expressed, via its European Digital Commissioner, its serious concerns following the hasty passing of the CLOUD Act (5).
Already in 2001, when the Patriot Act providing the U.S. Government access to some data for cases relating to national defence was signed into law, Europeans feared data “leaks” to the United States. Those fears were subsequently confirmed by the Snowden, PRISM or Echelon cases. From now on, with the CLOUD Act, the transmission of data to the American justice system can be systematised for any ordinary criminal case.
However, a processor or controller who responds too quickly to a U.S. court order would necessarily incur liability, to the extent that Article 48 of the European General Regulation on the Protection of Personal Data (GDPR) clearly provides that “[a]ny judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement (...)”. The problem is that such an international agreement does not exist (yet).
The protection of European citizens’ data would mean not entrusting their data to a company governed by American law — but this is both technically and economically unreasonable.
Under the very strong influence of the GDPR, cloud players, including Americans, have already started to make offers that are more respectful of European standards, with the installation of servers in Europe.
Many are calling for a European sovereign cloud (6). Various certification initiatives, such as ANSSI’s SecNumCloud (formerly known as Cloud Secure), are working in this direction, in particular on public architectures. Cloud security can also be achieved through the Network and Information Security Directive (NIS Directive) (7), recently implemented into French law (8).
For several years now, some users have been following a “cloud strategy” that consists of using both a public cloud for less sensitive data and a private cloud for more sensitive data. Hybrid cloud architecture thus tends to develop.
This may be quite expensive, but this is the price for greater technical and legal security.
References
(1) The provisions of the CLOUD Act (amending the Stored Communications Act (SCA) of 1986, codified in Chapter 121, Part 1, Title 18 of the US Code) were enacted with the Consolidated Appropriations Act (Division V: Cloud Act) on 23 March 2018.
(2) U.S. Supreme Court’s United States v. Microsoft Corp. decision dismissing the case as moot, 17-4-2018.
(3) « Après le vote du Cloud Act, la Cour Suprême jette l’éponge face à Microsoft », Le Monde Informatique, 7-4-2018.
(4) The EU is committed to improving cross-border access to electronic evidence. To make it easier and faster for law enforcement and judicial authorities to obtain the electronic evidence they need, such as e-mails or documents located on the cloud, to investigate and eventually prosecute criminals and terrorists, the Commission proposed on 17 April 2018 new rules in the form of a Regulation (Proposal for Regulation on cross-border access to e-Evidence) and a Directive (Proposal for a Directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings). See the European Commission’s Press release: http://europa.eu/rapid/press-release_IP-18-3343_en.htm?locale=EN
(5) « Pourquoi le « Cloud Act » américain inquiète l’Union européenne », Le Soir, 27-3-2018.
(6) « Cloud souverain et offre informatique : état des lieux », www.alain-bensoussan.com, 7-12-2015.
(7) NIS Directive, Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.7.2016, p. 1-30.
(8) Loi n° 2018-133 du 26 février 2018 portant diverses dispositions d’adaptation au droit de l’Union européenne dans le domaine de la sécurité, JORF, 27-2-2018.
Article provided by:
Eric Le Quellenec, Lawyer, Head of the IT Advisory department, Lexing Alain Bensoussan Avocats.
Eric Le Quellenec is a lawyer in Paris (France). A specialist in new technologies, information technology and communications law, Eric Le Quellenec is the Head of the IT Advisory department, where he also provides litigation services. He holds a Master 2 in business law (DJCE) and studied at the University of Ottawa (Canada). With solid experience in GDPR, he is leading the compliance programme of worldwide automotive and agribusiness groups. He is the outgoing Vice-President of the Young Lawyers Association of Paris (Union des Jeunes Avocats de Paris – UJA), and previously chaired the new technologies and prospective commission of the French federation of young lawyers associations (Fédération des Unions des Jeunes Avocats de France - FNUJA). He has been appointed expert for the business and IT commissions of the French Bar Association (CNB).
Discover more about the Cloud Privacy Check (CPC) / Data Privacy Compliance (DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org