Since 2001, companies in the USA have been required under the Patriot Act to surrender stored data that is the subject of a criminal investigation on official or judicial orders. This was followed by other agreements such as Safe Harbor and the Privacy Shield, which caused concern among European data protection advocates.
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act), in force since the end of March 2018, is a new US law that is clearly underestimated in this country. The CLOUD Act regulates the handling of data that is physically located outside the USA but for which a US company is responsible. It obliges not only US companies to disclose data to US authorities, even without a court order, but also other companies if they are part of a US company or exchange data with US companies.
This applies broadly to all data in the possession, custody or control of the company, i.e. not only personal data but also company data, measurement and telemetry data, or patents. The CLOUD Act is therefore currently in conflict with the EU General Data Protection Regulation (GDPR).
Companies in Europe therefore run the risk of violating either the US CLOUD Act or the GDPR. For this reason, every company in Germany or Europe should examine in detail what effects the CLOUD Act has on it.
This is a situation that cannot be tolerated permanently. But talks between the USA and the EU are only just beginning, because the USA prefers to negotiate with individual member states. Until a solution has been agreed, legal uncertainty remains, and European companies are the ones who suffer.
These Privacy Problems Affect Your Company
The US CLOUD Act came into force almost simultaneously with the GDPR. This makes clear that privacy has a completely different status in the EU: in the EU, privacy is based on the fundamental right to informational self-determination and has a generally applicable legal basis in the GDPR. In the USA, by contrast, privacy is part of commercial law as an aspect of consumer protection. US companies can therefore set their own level of privacy.
This means that two different legal positions are now in conflict for European companies. According to the CLOUD Act, US companies that process data abroad are always subject to US law and are therefore obliged to disclose data in their control, possession or custody to the US authorities if required, even without a court order. The CLOUD Act removes any boundaries: it is irrelevant whether the data is stored in the cloud or in a data center outside the cloud, in the USA or abroad. The only decisive factor is that the data belongs to a US company.
The declared goal of the CLOUD Act is to accelerate US law enforcement by simplifying access to data stored abroad. Until now, this has been done through mutual legal assistance agreements between the individual government authorities.
Providers, IT service providers and cloud providers based in the USA, and their customers, are particularly affected by the CLOUD Act. These customers can also be German and European companies that have their data processed by an American service provider, even if the data is stored in Europe or Germany. This data must be transmitted to the US authorities without restriction.
In addition, there is a risk that the US authorities will not restrict themselves to companies based in the USA, such as Microsoft, Dropbox, Amazon & Co., but will also turn to companies that have any demonstrable connection with the USA.
"As a result of the CLOUD Act, companies today have to examine exactly which (software) provider they choose," says Christian Volkmer, privacy expert and managing director of Projekt 29 GmbH & Co. KG.
When data is released, cloud operators are not even obliged to inform the companies concerned.