CLOUD ACT AND STRATEGIC OUTSOURCING CHOICES


CEO-Vision SAS, software publisher of the collaborative platform GoFAST, is not a law firm; the analysis below is nonetheless based on a careful reading of the Cloud Act and the texts surrounding it.


The Covid-19 lockdown and then the gradual recovery massively pushed companies towards collaborative and teleworking tools, but still too often towards GAFAM solutions. These are subject to the Cloud Act, and some of them are poorly protected (e.g. the Zoom scandal). This crisis should not make us lose sight of the need to regain control of our data and our digital sovereignty.

In addition, a lot of ink has been spilled on the Cloud Act passed in the spring of 2018. Nevertheless, the approximations and the many attempts to co-opt the subject motivated us to write our own analysis, as factual and precise as possible.

This law recognizes that data is increasingly disseminated around the world and that this complicates, slows down, or even prevents certain American criminal investigations.

The limits of the "Stored Communications Act (SCA)", in force since 1986, appeared with the proceedings between Microsoft and the United States of America over Microsoft's refusal to provide emails stored in Ireland in a drug trafficking case, a dispute that ended up before the US Supreme Court.

The Cloud Act, subtly inserted into the 2232 pages of the American budget law which absolutely had to be passed to avoid a new shutdown of the American government, therefore allows, under certain conditions and only in the case of a suspected serious criminal act, the seizure and/or interception of data stored outside the United States by US law enforcement, and in some cases the reverse (if a mutual "Executive Agreement" has been signed). The request is made to telecommunications or outsourcing companies (CSP - Communication Service Provider, or RSP - Remote Service Provider).

Please note that this text arrived during a period of intense legal activity around personal data: the entry into force of the "GDPR - General Data Protection Regulation", the renewal in the US for 5 years of the "FISA - Foreign Intelligence Surveillance Act", and the production by the European Commission of the first version of the "e-Evidence" text. All this without mentioning the "Privacy Shield" of 2016 between the EU and Switzerland on the one hand, and the United States on the other.

A few years after the National Security Agency (NSA) eavesdropping scandal revealed by E. Snowden, and despite the abolition of the most criticized clauses of the "Patriot Act", the Cloud Act made some defenders of individual privacy rights wince, just as its extraterritoriality made the critics of American hegemony jump, each of whom drew the conclusions that suited them, for example:

  1. That this text is potentially a risk for the confidentiality of personal data

Rather inaccurate: the Cloud Act only concerns investigations into alleged major criminal activities, including terrorism. US law enforcement must obtain a warrant in order to initiate the request.

It should also be noted that this text does not govern intelligence activities and therefore does not concern either the NSA or the CIA.

  2. That only American companies with a presence abroad are concerned

Inaccurate, contrary to what European hosts suggest. European companies will also have to comply if they have a presence in the United States with access to European data.

  3. That European citizens are not concerned

Inaccurate. Requests may concern non-US citizens. More worryingly, if the country has not signed an Executive Agreement, the host (American, or European with a presence in the U.S. and access to U.S. data) cannot contest the request.

Overall, our interpretation leads us to the following analyses:

  • that on-premise/colocation hosting is not concerned
  • that AWS, Microsoft or Google data centers in Europe do not provide legal data protection from a US legal request, at least until an Executive Agreement comes into force between the United States and the EU or France
  • that for outsourcing and telecommunication companies concerned by the Cloud Act (American, or European with a US presence and access to EU data), refusing to transmit the requested information without an Executive Agreement exposes them to the risk of litigation in the United States
  • that the EU has, a priori, an interest in negotiating an Executive Agreement for all its Member States in order to benefit from reciprocity and from recourse for requests concerning European citizens. However, this will certainly require amending the GDPR, which makes the probability low
  • that the Cloud Act is not in total conflict with the GDPR: the GDPR provides (art. 48) that no data can be transmitted to a third country outside an international agreement such as a mutual legal assistance treaty (MLAT), a procedure in force before the Cloud Act, but article 49 introduces exceptions, not to mention article 25, which allows national exceptions
  • that despite some mentions that providing backdoors to law enforcement will be prohibited, we found nothing in the text on this subject (moreover, the bill presented to Congress in 2018 on this subject, the "Secure Data Act", never came to fruition). The requested data must, of course, be handed over by the outsourcer in decrypted form if the outsourcer itself performs the encryption. If the data is encrypted by the targeted customer rather than the outsourcer, it will be interesting to see the outcome.

We note that "in an ideal world" (no drift) and within the framework of the fight against crime and international terrorism, this text seems more or less balanced if an "Executive Agreement" has been signed, which is currently the case neither with the EU nor with France.

In the current case, the issues are:

  • an impact on non-US citizens and non-residents, without reciprocity and without notification of the judicial authorities of the targeted user's country of origin
  • the lack of a definition of "serious crime" (note that violating American embargoes falls a priori into this category, a very important point)
  • the impossibility for the CSP to contest the request, except by invoking the common-law principles of comity, possibly pointing to a certain contradiction with the GDPR but with a totally uncertain outcome

In general, for a European company, the least problematic options for retaining sensitive data will be:

  • on-premise (while ensuring the same level of security as professional outsourcers)
  • shared hosting with a European outsourcer on European territory

Regarding the Cloud (the organization does not own the infrastructure):

  • a sovereign (dedicated) private Cloud, operated by an EU company without a US presence that has access to EU data

In conclusion, therefore, it seems very reasonable to avoid subscribing to any hosting services from an American company such as AWS, Google (G-Suite, ...) or Microsoft (including Office 365 / Teams), even if they offer hosting in France or in Europe, at least until the case law around the Cloud Act and the GDPR begins to be known. Note that for Office 365 the problem concerns data storage (OneDrive, Teams, SharePoint Online) and not the office applications themselves.

Written by Christopher Potter, CEO-Vision S.A.S
