June 6, 2018 | Posted in GRC by Britt Munnell

Businesses take note—there is a new U.S. law governing law enforcement’s access to data stored in servers overseas.  In March 2018, as part of its appropriation bill, Congress passed key provisions of the Clarifying Lawful Overseas Use of Data (CLOUD) Act.  The CLOUD Act was drafted in response to the Supreme Court’s decision in United States v. Microsoft Corp., which involved Microsoft’s refusal to comply with a search warrant for emails stored on an Irish server.

Here are some key considerations for businesses following the CLOUD Act’s passage:

1. The CLOUD Act impacts businesses but does not require immediate action.

The CLOUD Act does not require businesses to take any action from a compliance perspective, but it does fundamentally change the U.S. government’s authority to access company data stored on foreign servers. The law has been criticized for giving the government unprecedented access to cross-border data based on virtually nonexistent warrant requirements.

2. Data stored on overseas servers is no longer protected under U.S. law.

For U.S.-based companies, any digitally-stored information in foreign servers is now subject to U.S. law. The geographical location of servers or data centers does not create grounds for refusing to comply with subpoenas, warrants, or other legal process.

3. The President can create agreements with other nations to exchange stored data.

Under the CLOUD Act, governments can participate in bilateral information sharing to exchange stored data on servers in their respective countries. Data sharing under the CLOUD Act works both ways—foreign governments can also get access to U.S. data through executive agreements. Although some safeguards exist to prevent excessive sharing of U.S. citizens’ data, the effectiveness of these safeguards remains to be seen.

4. Businesses can appeal data requests from U.S. law enforcement.

The conditions to qualify for this exemption are difficult to meet. The customer/subscriber in question must not be a foreign national, or the data’s exposure must put the provider at risk of violating foreign law.

Public opinion on the CLOUD Act is divided. While some organizations believe this legislation will enable swifter prosecution of cyber criminals and improve visibility into the misuse of American data on foreign soil, privacy advocates insist the CLOUD Act permits governmental snooping that borders on being unconstitutional. Regardless, U.S. businesses must be prepared for the fact that the government may be able to access their data, no matter where it is stored.

If you have any additional questions related to the CLOUD Act or other regulatory and compliance needs, please contact our Governance, Risk & Compliance group at info@securityriskadvisors.com.