In recent years, the Clarifying Lawful Overseas Use of Data (CLOUD) Act has significantly impacted how organizations handle data storage and compliance in the U.S. and beyond.
For businesses managing extensive archives of sensitive information — particularly in regulated sectors like finance, healthcare, and education — the implications of the CLOUD Act on data privacy, archiving practices, and compliance requirements are profound.
This article explores:
- The CLOUD Act and its key provisions
- Who’s affected by this legislation
- Criticisms of the CLOUD Act
- How to challenge it
- Its impact on other privacy laws
- How to ensure compliance with data archiving
What Is the CLOUD Act?
The CLOUD Act (Clarifying Lawful Overseas Use of Data) is a U.S. law governing cross-border access to data in criminal investigations. It was enacted in March 2018 and amends the Stored Communications Act (SCA) of 1986.
The Act makes explicit that a provider subject to U.S. jurisdiction must produce data in its possession, custody or control when served with valid U.S. legal process, regardless of whether that data is housed on servers inside or outside U.S. borders.
It was designed to speed up access to digital evidence in serious criminal cases by letting approved foreign governments serve orders on U.S. providers directly, bypassing some of the barriers and delays of the traditional Mutual Legal Assistance Treaty (MLAT) process.
Key provisions of the CLOUD Act:
- U.S. law enforcement requests — The Act allows U.S. agencies to demand access to electronic communications data from U.S.-based providers, even if the data is stored abroad.
- International agreements — The Act permits bilateral agreements between the U.S. and other countries, allowing those countries to directly request data from U.S. companies for investigations, bypassing lengthy legal processes.
- Privacy and safeguards — Countries entering into CLOUD Act agreements with the U.S. must demonstrate adherence to certain privacy standards, though critics argue that safeguards could be stronger.
Who Is Affected by the CLOUD Act?
The CLOUD Act primarily affects U.S.-based tech companies and any organizations that provide data storage, communications, or cloud services under U.S. jurisdiction.
This broad scope includes major cloud providers, email service providers, social media platforms, telecommunications companies, and other entities that manage or control digital communications data.
While the Act mainly targets technology and communications providers, it can also impact organizations in highly regulated industries that rely on U.S.-based cloud services.
For example, banks using cloud-based email archiving, hospitals using cloud storage for patient records, and educational institutions relying on U.S. providers for student information storage may find that their archived data could be accessible under the CLOUD Act if requested by U.S. authorities.
Additionally, foreign companies with branches or operations in the U.S. may be subject to the CLOUD Act if their U.S. branches control or have access to the data in question. Although the Act does not directly target foreign companies headquartered outside the U.S., it does apply to data that can be accessed or managed by U.S.-based subsidiaries, branches, or operations.
For U.S. parent companies with international branches or subsidiaries, the reach is broader still. The test is not where the data sits but whether the U.S. entity has possession, custody or control of it. A U.S.-headquartered parent that can reach data held by a foreign office, subsidiary or data center can be compelled to produce it, so in practice much of a U.S. group's global footprint falls within the Act's scope, regardless of location.
Criticism of the CLOUD Act
The CLOUD Act has sparked criticism from privacy advocates, legal experts, and international organizations. While the Act aims to streamline access to data for law enforcement, critics argue that it poses risks to privacy, data sovereignty, and international compliance.
Here are the primary concerns:
Privacy and data protection concerns
- Lack of strong privacy protections — Critics argue that the Act does not provide sufficient privacy protections for users, especially those outside the U.S. Unlike GDPR and other strict data privacy regulations, the CLOUD Act does not require companies to notify individuals if their data is accessed.
- Broad data access powers — The CLOUD Act allows U.S. law enforcement agencies to access data stored outside the U.S. without necessarily notifying the country where the data is located. This has raised concerns about surveillance overreach and a lack of transparency in data handling.
Challenges to data sovereignty
- Potential conflicts with foreign laws — By allowing U.S. authorities to request data stored overseas, the Act can create conflicts with local data protection laws, such as GDPR in Europe. This puts companies in a difficult position where they may risk violating either U.S. or foreign laws depending on their response to data requests.
- Compromised national sovereignty — Many countries see the Act as an infringement on their sovereignty, as it enables the U.S. government to access data stored within their borders without their consent or involvement. This raises concerns about a foreign power bypassing local legal frameworks and privacy protections.
Insufficient safeguards in bilateral agreements
- Weak standards for international agreements — The CLOUD Act allows the U.S. to form agreements with other countries to facilitate cross-border data access. Critics argue that the standards required to enter into these agreements are too low, potentially allowing countries with weaker privacy protections to access data. This has led to concerns that these agreements could allow countries with limited protections for civil liberties to obtain data stored in the U.S. more easily.
- Limited judicial oversight — Some privacy advocates worry that the Act does not require robust judicial oversight in reviewing cross-border data requests, increasing the potential for abuse.
Increased compliance burden on companies
- Costly and complex compliance requirements — For companies operating globally, the CLOUD Act adds layers of complexity in managing compliance across jurisdictions. Organizations must implement detailed policies for data access, storage location, and residency tracking, and they may face increased costs for handling legal disputes or conflicts over cross-border data requests.
- Encryption and security challenges — Encrypting archived data does not by itself put it beyond reach. A provider can be compelled to produce whatever is in its possession, custody or control, and if the provider also holds the encryption keys, that includes the keys and therefore the plaintext. Only keys that the customer holds outside the provider's control are beyond the provider's reach, which is why key custody, not encryption alone, determines what can actually be disclosed.
Impact on U.S. technology competitiveness
- Loss of trust among international clients — The CLOUD Act has caused some non-U.S. organizations to reconsider using American cloud providers due to fears that their data could be accessed by U.S. authorities. This could harm the global competitiveness of U.S.-based cloud and technology providers, as clients may choose to work with providers in countries that offer stronger privacy protections.
- Pressure on companies to build local data centers — To comply with local data protection laws and address customer concerns, some U.S. companies are investing in local data centers outside the U.S. However, this increases operational costs and complexity, which may limit the attractiveness of U.S. cloud services for smaller businesses unable to afford localized infrastructure.
Concerns over due process and limited recourse
- Minimal recourse for challenging requests — Companies and individuals have limited options to challenge data access requests under the CLOUD Act, especially if the data is deemed relevant to U.S. law enforcement. Although the Act includes a provision for companies to contest requests that conflict with foreign law, critics argue that this is often insufficient to protect against arbitrary or overly broad demands.
- Reduced transparency for affected users — Since the Act does not require companies to notify users about data requests, affected individuals and organizations are often left unaware when their data is accessed. This lack of transparency erodes trust and limits users’ ability to seek recourse if their data is improperly used.
Challenging the CLOUD Act
The Act itself provides a mechanism a provider can use to contest a request rather than simply produce the data.
Motion to quash or modify
When a provider receives SCA legal process (a warrant, subpoena or court order) for data held abroad, it cannot simply refuse, but it can ask the court to quash or modify the order. The CLOUD Act lets a provider file such a motion within 14 days of being served if it reasonably believes both of the following:
- First, the customer or subscriber whose data is sought is not a U.S. person and does not reside in the U.S.
- Second, the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government.
The two conditions are cumulative: a conflict with foreign law alone is not enough if the account holder is a U.S. person. Even when both hold, the court quashes or modifies the order only if it also finds that the interests of justice favor doing so after weighing the competing U.S. and foreign interests (a comity analysis).
Qualifying foreign government requirement
The foreign-law conflict counts only if the law in question belongs to a "qualifying foreign government": one that has concluded an executive agreement with the U.S. under the CLOUD Act. Those agreements let each side's authorities serve orders directly on providers in the other country, subject to the privacy and rule-of-law conditions the Act sets out.
The caveat is that very few such agreements exist. The United Kingdom was the first qualifying foreign government (agreement signed in 2019, in force since 2022), and Australia followed with an agreement that entered into force in 2024; the EU and others were still negotiating at the time of writing, so check the current list before relying on this route.
This means a motion to quash or modify is realistic for data governed by U.K. or Australian law, provided the other conditions are met.
For data governed only by the laws of non-qualifying countries, including every EU member state, the statutory motion is unavailable, and providers are left with the general comity arguments that predate the Act, which courts have applied inconsistently.
The CLOUD Act and AWS
AWS has repeatedly reassured its customers about the CLOUD Act. It states that it discloses customer content only when legally required to, and points out that historically the number of such requests from U.S. authorities has been small.
For details on how AWS handles legal requests, customers can refer to Amazon's Law Enforcement Information Requests page.
AWS further maintains that the CLOUD Act does not change the service its customers receive or how it handles their data, and that it follows documented legal-process procedures designed to minimize the risk of unauthorized disclosure.
AWS emphasizes that customers choose the region in which their data is stored and can encrypt it with keys they manage themselves, which allows them to meet specific data residency requirements. Note that region choice alone does not take data outside the Act's reach, since the test is the provider's control of the data, not its physical location; customer-held keys are what limit what the provider can produce.
AWS also points to its ability to challenge CLOUD Act requests, particularly where they conflict with the laws of the countries in which it operates. Whether that works in practice remains to be seen, given the qualifying-government and other requirements described above.
The Effect of the CLOUD Act on the GDPR
The General Data Protection Regulation (GDPR) is the EU's data protection law; it governs how personal data may be processed and transferred out of the EU.
GDPR restricts transfers of personal data to third countries, and Article 48 provides that a third-country court order or administrative decision requiring disclosure is enforceable only if it rests on an international agreement such as an MLAT. The CLOUD Act, by contrast, lets U.S. authorities compel a U.S. provider to produce data it holds in the EU. A provider like AWS that complies with such a request for EU data therefore risks a GDPR violation, with the fines and litigation that follow, while refusing risks contempt in the U.S.
There is no CLOUD Act executive agreement between the U.S. and the EU (negotiations opened in 2019 and had not concluded at the time of writing), so EU member states are not qualifying foreign governments and the statutory motion to quash is unavailable for data subject to GDPR. Companies are left to reconcile the two regimes themselves.
Strategies for CLOUD Act Compliance in Data Archiving
Navigating the CLOUD Act while maintaining data archiving compliance can be challenging, but there are several effective strategies to minimize risk and ensure data privacy.
Develop a comprehensive information governance framework
A well-structured information governance framework outlines how data should be managed, protected, and accessed. It includes establishing policies that define data retention, access controls, and compliance obligations.
Data archiving should be an integral part of this framework to ensure that archived data complies with relevant regulations and is securely stored but retrievable if necessary.
Implement multi-jurisdictional compliance policies
The CLOUD Act’s reach across borders requires policies that take multiple jurisdictions into account.
Develop policies that address both U.S. and international requirements, paying particular attention to the legal protections and limitations on data in different regions. For example, consider the implications of GDPR on data stored in the EU or other national data protection laws.
Choose archiving solutions with strong compliance and security capabilities
Opt for data archiving solutions equipped with features to support compliance, such as encryption, robust access controls, and activity logging.
Providers specializing in compliance for regulated industries, like healthcare, finance, and education, such as Jatheon, are typically well-versed in handling complex data access and residency requirements, making them ideal partners for CLOUD Act compliance.
Regular compliance audits and monitoring
Periodic audits help organizations assess compliance readiness and identify areas needing improvement.
Data archives should be subject to regular monitoring and auditing to ensure they adhere to the established governance and compliance framework. This can include testing encryption integrity, access control verifications, and reviews of international data residency requirements.
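The two strategies above (choosing archiving solutions with encryption, access controls and logging, and auditing archives against residency and governance rules) can be checked mechanically. The following is an added example, not code from the original article or from any vendor: a small audit that runs over an inventory of archive stores and reports residency, key-custody, encryption and logging findings. The POLICY table is a hypothetical internal policy, and the region codes, data classes and SAMPLE_INVENTORY are constructed for illustration. Its key design point is that region alone satisfies local law but does not limit what a provider can be compelled to produce; only customer-held keys do.

```python
"""Archive inventory audit: residency, key custody and logging checks.

Added example; not code from the original article or from any vendor.
The inventory, region codes and data classes are constructed for
illustration, and the POLICY table is a hypothetical internal policy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArchiveStore:
    name: str
    region: str            # provider region the archive lives in
    data_class: str        # what the archive holds, used to select a rule
    encrypted_at_rest: bool
    key_custody: str       # "customer": wrapping key held outside the provider
                           # "provider": provider-managed key, provider can decrypt
    access_logging: bool   # every read of the archive is recorded


# Hypothetical residency and custody policy keyed by data class.
# regions=None means "no residency constraint".
POLICY = {
    "eu-personal": {"regions": {"eu-central-1", "eu-west-1"}, "customer_keys": True},
    "us-phi":      {"regions": {"us-east-1", "us-west-2"},    "customer_keys": True},
    "public":      {"regions": None,                          "customer_keys": False},
}


def audit(stores):
    """Return a list of (store, category, detail) findings; empty means compliant."""
    findings = []
    for s in stores:
        rule = POLICY.get(s.data_class)
        if rule is None:
            findings.append((s.name, "unclassified",
                             f"no residency rule for data class {s.data_class!r}"))
            continue
        # Residency satisfies local law (e.g. GDPR transfer rules) but does not
        # by itself take data outside the CLOUD Act: the provider still controls it.
        if rule["regions"] is not None and s.region not in rule["regions"]:
            findings.append((s.name, "residency",
                             f"{s.data_class} data in {s.region}; allowed {sorted(rule['regions'])}"))
        if not s.encrypted_at_rest:
            findings.append((s.name, "encryption", "not encrypted at rest"))
        elif rule["customer_keys"] and s.key_custody != "customer":
            # What a provider can be compelled to hand over is what it controls;
            # if it holds the key, that includes the plaintext.
            findings.append((s.name, "key-custody",
                             "provider holds the key and can produce plaintext on legal process"))
        if not s.access_logging:
            findings.append((s.name, "logging",
                             "access logging off; disclosures would leave no audit trail"))
    return findings


def categories(findings):
    """Set of finding categories, handy for summarising a run."""
    return {c for _, c, _ in findings}


# Constructed inventory: two compliant stores and three with problems.
SAMPLE_INVENTORY = [
    ArchiveStore("mail-archive-eu",  "eu-central-1",   "eu-personal", True,  "customer", True),
    ArchiveStore("patient-records",  "us-east-1",      "us-phi",      True,  "customer", True),
    ArchiveStore("hr-archive-eu",    "us-east-1",      "eu-personal", True,  "provider", True),
    ArchiveStore("legacy-dump",      "eu-west-1",      "eu-personal", False, "provider", False),
    ArchiveStore("marketing-assets", "ap-southeast-1", "public",      True,  "provider", True),
]

if __name__ == "__main__":
    for name, cat, detail in audit(SAMPLE_INVENTORY):
        print(f"{name:18} {cat:12} {detail}")
```

Run as-is it prints four findings: hr-archive-eu is stored outside the EU and its key is provider-held, and legacy-dump is unencrypted with logging off. In a real deployment the inventory would be pulled from the provider's API or the archiving product's configuration and the check run on a schedule, with any non-empty result treated as an audit failure.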
Summary of the Main Points
- The CLOUD Act allows U.S. law enforcement to access data stored abroad by U.S.-based companies for criminal investigations. The Act empowers U.S. agencies to request electronic data stored overseas and supports bilateral agreements with other countries for data-sharing.
- This law primarily impacts U.S.-based tech firms, cloud providers, and regulated industries using U.S. cloud services, as well as foreign companies with U.S. branches. Companies face complex compliance requirements, including data residency and potential legal conflicts, as well as encryption challenges.
- Organizations can challenge requests with a motion to quash or modify, but only if certain conditions are met, including conflicts with qualifying foreign laws.
- Concerns include weak privacy protections, conflicts with foreign laws like GDPR, compromised data sovereignty, and limited judicial oversight.
- The CLOUD Act may conflict with GDPR, potentially putting U.S. companies at risk of non-compliance when disclosing EU data.
- Organizations should implement comprehensive data governance, multi-jurisdictional policies, secure archiving solutions, and regular compliance audits.
FAQ
What types of data does the CLOUD Act apply to?
The CLOUD Act covers electronic communications and related data, including emails, messages, and files managed by U.S.-based service providers, regardless of whether the data is stored domestically or internationally.
How does the CLOUD Act affect compliance?
The CLOUD Act can complicate GDPR compliance because it allows U.S. authorities to compel production of data a U.S. provider holds in the EU, which may conflict with GDPR's transfer rules. Companies should combine data residency choices with encryption under keys they hold themselves, so that what the provider controls, and can therefore be compelled to produce, is limited.
Are non-U.S. companies impacted by this legislation?
If non-U.S. companies use U.S.-based cloud providers, their data may be subject to the CLOUD Act’s provisions. This applies particularly to data hosted by cloud providers with U.S. headquarters or subsidiaries.
How can organizations respond to conflicting data residency and CLOUD Act requirements?
To manage conflicting requirements, organizations should work with legal experts to assess compliance risks and partner with cloud providers offering data residency options and localized storage solutions.