With the rapid evolution of today’s digital landscape and the emergence of cloud computing, the issue of data confidentiality and security is more central than ever. Thanks to this technology, data is now stored and processed in the cloud, i.e., on servers located all over the world and accessible via the Internet, raising new challenges for individuals, businesses, and governments.
In this context, the Cloud Act has emerged as a major piece of legislation that has shaken up the international data storage and transfer landscape. Passed in the United States in 2018, this federal law raises numerous questions and debates about data protection, state sovereignty and international cooperation.
In an increasingly interconnected world, it’s therefore essential that users of cloud services understand what’s at stake with the Cloud Act and its implications, and are able to explore possible alternatives. So, what is the impact of this law on EU businesses? And what are the best practices to be aware of to guarantee data protection while respecting everyone’s rights and interests?
Originally born out of a dispute between Microsoft and the US government, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a US federal law passed in 2018. This law aims to regulate access to data hosted in the Cloud by service providers based in the US or of US nationality, even when this data is hosted outside US borders. Like many U.S. laws with extraterritorial reach, this law prevails over the legislation of the country in which the company or entity is based and theoretically provides the U.S. government with a very powerful weapon.
The Cloud Act has raised serious concerns about privacy and data sovereignty, as it allows US authorities to access the data of individuals and companies (and their customers) located outside the USA, provided that the entity hosting the data has a link with the USA, without having to inform them and without going through local judicial procedures or a request for international judicial assistance. This has also raised questions about conflicts of law between the US and other countries, with the GDPR in Europe in particular, on several counts.
Indeed, the European Union’s GDPR (General Data Protection Regulation) grants strong protection to individuals’ personal data, imposing strict obligations on companies brought in to process this type of data. The Cloud Act, on the other hand, may allow US authorities to access such data without necessarily complying with the same data protection standards.
There are also difficulties in understanding cross-border data transfers, and the consent and control of individuals over their personal data. These difficulties are not about to dissipate, given the slowness of the European response. Since 2018, the European Council has been working on drafting the e-Evidence Directive and Regulation, the “European Cloud Act”, aimed at improving judicial cooperation with GAFAMs and harmonizing European injunctions for the production and preservation of electronic evidence in criminal matters. This context of interminable negotiations with the American authorities benefits the Cloud Act.
With the Cloud Act, US authorities can now require US service providers, or those with a sufficient link to the US, to disclose the data they host, even if stored abroad, provided this data is associated with an individual or entity under US jurisdiction.
This raises privacy and data protection concerns for European companies using cloud services managed by US providers.
To be solicited, a European entity may thus be subject to the Cloud Act if three criteria are met:
The “jurisdiction to act” criterion is met if the European entity satisfies the “minimum contact” test with the USA. To determine this, the U.S. court relies on a set of indicators such as:
These are not criteria, but a set of indicators: the court relies on the facts to decide whether the links with the United States are sufficient.
In fact, many companies are now subject to the Cloud Act, given the ubiquitous nature of their links with the USA. Today, it is very difficult for European companies and software publishers to escape the extraterritoriality of American law, due to the omnipresence of GAFAM in our personal and professional daily lives.
European companies can take steps to comply with both the Cloud Act and the GDPR. For example, they can choose cloud service providers based in Europe or in countries offering an adequate level of protection. To avoid falling under the scope of the Cloud Act, they must not have any business relationships with companies present in the United States.
European entities can also use data encryption to reinforce security, and put in place specific contractual clauses to protect themselves from the Cloud Act.
Data encryption is currently the most effective barrier against the side effects of the Cloud Act. This technical protection makes data accessible to American authorities but not readable, and thus protects the interests of European companies. Companies can encrypt sensitive data before storing it in the cloud. In this way, even if US authorities access the data, they will not be able to read it without the decryption key, which can be kept under the company’s control. This provides an extra layer of protection in the event of a data access request from the US government.
Finally, companies can put in place robust security measures to protect encryption keys, to prevent attacks aimed at compromising the keys.
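As an added illustration of the encrypt-before-upload approach described above (this is not Closd's code or any provider's API): envelope encryption with AES-256-GCM, where each document gets its own data key and that key is wrapped under a key-encryption key (KEK) that stays with the company. The function names, the envelope layout and the sample document are assumptions made for this example.

```ruby
require 'openssl'

NONCE_LEN, TAG_LEN = 12, 16 # GCM nonce and authentication tag sizes in bytes

# AES-256-GCM. Output layout: nonce || ciphertext || tag.
def seal(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key         # raises ArgumentError unless key is 32 bytes
  nonce = cipher.random_iv # fresh random nonce on every call
  body = cipher.update(plaintext) + cipher.final
  nonce + body + cipher.auth_tag
end

# Raises OpenSSL::Cipher::CipherError on a wrong key or any altered byte.
def open_sealed(key, sealed)
  raise ArgumentError, 'sealed blob too short' if sealed.bytesize <= NONCE_LEN + TAG_LEN
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = sealed.byteslice(0, NONCE_LEN)
  cipher.auth_tag = sealed.byteslice(-TAG_LEN, TAG_LEN)
  body = sealed.byteslice(NONCE_LEN, sealed.bytesize - NONCE_LEN - TAG_LEN)
  cipher.update(body) + cipher.final
end

# Runs on company systems. Only the returned envelope is uploaded.
def encrypt_for_cloud(kek, document)
  dek = OpenSSL::Random.random_bytes(32) # fresh data key per document
  { wrapped_key: seal(kek, dek), ciphertext: seal(dek, document) }
end

# Needs the KEK, which stays with the company and is never uploaded.
def decrypt_from_cloud(kek, envelope)
  dek = open_sealed(kek, envelope[:wrapped_key])
  open_sealed(dek, envelope[:ciphertext])
end

# True only if `key` unwraps the data key and the envelope is unmodified.
def readable_with?(envelope, key)
  decrypt_from_cloud(key, envelope)
  true
rescue OpenSSL::Cipher::CipherError
  false
end

if __FILE__ == $PROGRAM_NAME
  kek = OpenSSL::Random.random_bytes(32) # constructed; the real KEK stays on company systems
  env = encrypt_for_cloud(kek, 'constructed sample: draft share purchase agreement')
  puts "readable with some other key: #{readable_with?(env, OpenSSL::Random.random_bytes(32))}"
end
```

The provider stores only the envelope, so a disclosure of the hosted copy yields the wrapped key and ciphertext but nothing that decrypts them.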
A solution like Closd’s legal project management platform enables legal and deal-making professionals, who are often called upon to handle sensitive international deals, to guarantee the highest level of protection for their data.
Applying the highest standards of data protection (hosting in France, data encryption using the powerful AES-256 algorithm, used by banks and governments, TLS protocol to encrypt the connection between customers and the platform), Closd also regularly has security audits and penetration tests carried out by certified service providers.
To find out more about Closd’s data processing, schedule a free demo with our team!