Data protection has become a top priority for companies, both those that are part of the IT industry and those outside of it.
As everything revolves around data, keeping it secure is of utmost importance when running a business. This includes not only business data, but also private data – information such as medical records, PHI, personal emails or credit card numbers.
To properly protect this data, various regulations have been implemented, but as with most other things, overregulation can be an issue. With multiple compliance regulations and laws being imposed, it was only a matter of time before a conflict between them would occur.
One such potential conflict came into focus with the enactment of the CLOUD Act back in 2018.
In this article we’ll talk about the CLOUD Act and look at the effects it might have on AWS and data archiving.
Overview of the CLOUD Act
The Clarifying Lawful Overseas Use of Data Act or CLOUD Act was put into effect in March 2018 as an amendment to the Stored Communications Act (SCA) of 1986. The Stored Communications Act was enacted to provide various US authorities the ability to request access to the data that any US-based technology company stores in the US.
The CLOUD Act goes a step further and empowers the authorities to request all data that a US-based company has in its possession, custody or control – regardless of whether the data resides in the US or outside of it.
This doesn't apply to foreign companies that merely have a branch office in the US. The organizations affected are those whose parent company is located in the US, along with all of their branches outside of it.
This makes the CLOUD Act extremely overreaching, so it’s not surprising that it quickly became a burning issue and a topic of heated debates when it comes to data protection. This is especially true for the US-based clients of large public cloud providers like AWS.
Challenging the CLOUD Act
The CLOUD Act itself provides mechanisms that allow a company to challenge a request in order to avoid having to provide the requested data.
When authorities want to request data from a certain company, a warrant is needed, and this warrant can be appealed. To do so, a motion to quash or modify is filed, but two conditions have to be met.
First, the person whose data is being requested must not be a US citizen and must not reside in the USA.
Second, it has to be shown that complying with the request under the CLOUD Act would actually put the provider of the data in a position where the laws of a qualifying foreign country would be broken.
The caveat here lies in the term "qualifying country", as the CLOUD Act only recognizes countries that have already entered into a mutual data-sharing agreement with the US. As of now, no foreign country has entered such an agreement, making a motion to quash or modify effectively useless.
The CLOUD Act and AWS
So how does AWS respond to the worry around the CLOUD Act?
AWS has stated repeatedly that it will protect its clients' data, and also points to the fact that, in the past, the US authorities have made few requests of this kind. You can view Amazon's page for Law Enforcement Information Requests here.
Additionally, AWS maintains that the CLOUD Act will not have an effect on its clients or on the products they are being provided.
AWS also refers to its ability to challenge requests made under the CLOUD Act, especially when a request conflicts with the laws of the countries in which its branch offices reside. While this may be the case, it remains to be seen whether this will work out in practice, given the various requirements that are imposed.
The Effect of the CLOUD Act on the GDPR
The General Data Protection Regulation, more commonly known as the GDPR, is the EU legislation that ensures the privacy of digital data. As things stand, it can potentially end up in direct conflict with the CLOUD Act. The lack of the necessary agreements aside, requests made under the CLOUD Act can force providers like AWS to break EU law, leading to numerous issues both for the provider and for its customers.
And of course, there are other countries, each with their own laws and requirements, so many are wondering how these situations will resolve.
At the moment, it's difficult to predict how the story of the CLOUD Act will unfold. Just by looking at the multitude of contrasting requirements between it and the GDPR, one can clearly see that the EU is going to have a tough time dealing with the CLOUD Act.
On a global level, there are many more countries hosting branch offices of US companies, and each of those countries will have its own opinion on this matter, as well as its own laws and regulations that could well conflict with the CLOUD Act. The question on everyone's mind is how strongly the US plans to push these requests for data. The answer is still unknown.