Over time, the tech industry has become increasingly regulated, and so has the data around which everything in the industry revolves. More and more laws are being put into effect, and new compliance standards need to be followed. Regulation has an impact on cloud computing platforms like AWS by dictating how they approach data protection—especially since the infrastructure of these platforms spans many countries, each with its own set of data protection rules. While the relevance of data in today’s world requires that it be regulated to some degree, overregulation could lead to problems sooner or later. The CLOUD Act, a recently enacted legislation is the perfect example of how its impact on AWS data has brought an enormous amount of controversy.
How does The CLOUD Act, a 2018 United States federal law, affect AWS and its customers and what implications might it have on data protection in general?
What Is the CLOUD Act?
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) amends the 1986 SCA (Stored Communications Act), which allowed U.S. authorities to request access to any data that belongs to U.S. based technology companies and is stored on U.S. soil. The CLOUD Act significantly expands the reach of the SCA by giving U.S. authorities the right to request data that is stored overseas as well. It applies to technology companies located in the U.S. which have ‘’possession, custody, or control’’ of information, regardless of where that information is geographically stored.
In simple terms, the CLOUD Act applies to enterprises with a parent company in the U.S. If a company only has a subsidiary in the U.S, it can avoid complying with the CLOUD Act. But, if a parent company is located in the U.S., then it and all of its subsidiaries located both within and outside of the U.S. are subject to the CLOUD Act.
In order to actually gain access to the data, authorities first need a signed search warrant. Typically, this is granted by the U.S. judge who determined probable cause for the information to be used as evidence in an ongoing investigation. The targeted company can appeal this warrant using the “motion to quash or modify,” but in order to do so, the company has to fulfil two requirements:
- The customer whose information is being requested is not a U.S. person and does not reside in the U.S.
- The required disclosure would risk the provider violating the laws of a qualifying foreign government.
A country is “qualifying” if it has entered into an agreement with the U.S to mutually share data. As of yet, no country has done this; therefore, it is impossible to actually appeal a warrant at this time. Even if the appeal were possible, it might not be successful.
The Justification for the CLOUD Act
The CLOUD Act was introduced after the Federal Bureau of Investigation (FBI) had difficulties obtaining remote data from various service providers through SCA warrants. One specific case that gained a lot of attention involved Microsoft refusing to provide the FBI with access to emails. These emails, which were stored in Ireland, were supposedly crucial to a drug trafficking investigation. The case (Microsoft Corp. v. United States) went as far as the Supreme Court but was rendered moot with the subsequent signing of the CLOUD Act.
This is not the first time a bill like this was proposed. In the past, unsuccessful attempts to amend the SCA included the LEADS Act in 2015 and ICPA in 2017.
The signing of the CLOUD Act has generated controversy, as it is seen by many to violate Fourth Amendment rights. Additionally, it could violate other international laws, one of which is the EU’s General Data Protection Regulation (GDPR).
How does it fit into GDPR?
The General Data Protection Regulation (GDPR) is the core of the EU’s digital privacy legislation. It gives all EU citizens more control over their personal data and puts pressure on organizations who gather and manage data to protect it. If companies do not comply with these regulations, they can face severe financial penalties.
When a company is compelled to provide data to U.S. authorities under the CLOUD Act, a conflict can arise. The absence of executive agreements under the CLOUD Act not only prevents companies from appealing warrants, it may also cause providers to violate EU law by sharing data that is protected under GDPR.
“Common law comity principles” state that companies do not have to meet U.S. legal obligations if they (1) conduct business in good faith, and (2) put the company at risk for sanctions under the law of a foreign country by meeting the obligations. Because there are currently multiple conflicting laws in multiple countries, there is no clean answer to the question, “Between the CLOUD Act and GDPR, who has jurisdiction?” As it stands, they are in conflict, and many companies could be forced into uncomfortable positions.
How the CLOUD Act Affects AWS and Data Protection
The CLOUD Act is a cause for concern for AWS’s clients; however, the cloud giant is assuring its clients that they need not worry.
On their CLOUD Act compliance page, AWS claims that this legislation won’t have any impact on their services or on how their clients or partners use them. AWS is focusing on the fact that, historically, the U.S. government hasn’t requested much data. AWS further states that it will always act to protect its clients. This makes sense, since by protecting the clients’ data, AWS is directly protecting its own business as well. Additionally, AWS points out that the CLOUD Act recognizes the company’s right to challenge requests that conflict with another country’s laws. Whether they will actually be able to do so successfully in the future is another question. For AWS, as well as for other public cloud services, there is nothing to do but wait and see how this story unravels.
Even though the intention behind the CLOUD Act is straightforward, it is hard to predict how its effects with play out in the long term. Obviously, there are, and will continue to be, conflicts between the CLOUD Act and other countries’ laws. Even though it has been a year since the signing of this legislation, we are still without any official executive agreements between countries. The EU has stated that it will try to negotiate one such agreement that will apply to all of its member states. Whether or not that is successful and where it might take us is uncertain. And, while the EU is a big part of the entire data protection story, there are many other countries with their own laws and opinions about how data should be handled.
The CLOUD Act has been in effect for a year, but it’s going to take some time before we see the consequences of its implementation.