CLOUD Act: Attack on Data Protection & Privacy Rights

Time to leave Google & Facebook behind

The CLOUD Act - Clarifying Lawful Overseas Use of Data Act - has recently been enacted into US federal law. It allows US authorities to request data from American companies whether the data is stored in the US or abroad. While US cloud services such as Google and Facebook welcome this law, it is heavily criticized by data protection experts and privacy rights activists.


What is the CLOUD Act?

The CLOUD Act was enacted following the Microsoft email case, in which Microsoft refused to hand over data stored on its servers in Ireland after being presented with only a US court order.

After the CLOUD Act was signed into law, the Department of Justice issued a new warrant to Microsoft, and the company complied, handing over the requested data. The Supreme Court then decided to close the Microsoft email case.

The CLOUD Act also provides an alternative to MLATs through “executive agreements”. The Executive Authority of the USA is able to enter into bilateral agreements with foreign countries to provide requested data related to its citizens in a streamlined manner. The Attorney General has to renew such an agreement every five years.

US cloud services welcome CLOUD Act

US cloud providers such as Microsoft, Apple, Google, Facebook and Verizon/Yahoo welcome the CLOUD Act in a letter to the Senate. If you disagree with this move, why not delete your Facebook or your Yahoo account?

They argue that the new law “is an important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer”.

Conflicts of law

However, this supposed legal clarity disguises the real issue: The CLOUD Act undermines data protection laws such as the upcoming European General Data Protection Regulation (GDPR).

The CLOUD Act enables US law enforcement to ask for any record stored by Gmail, Facebook, Twitter, Dropbox, etc. on foreign servers - so long as this would not break that country’s law, e.g. the GDPR. So when asking yourself whether US services like Dropbox are secure, you must keep in mind that their location is not the best for data protection.

As there is no judicial oversight (apart from a US court order to a US cloud service), European users of US cloud services cannot be sure that their data is protected well enough, even though the GDPR requires this. The CLOUD Act is in stark contrast to the GDPR, which takes effect on May 25th.

No matter what big US tech companies say, clarity of law is not achieved at all with the CLOUD Act.

CLOUD Act threatens human rights

Amnesty International describes the CLOUD Act as a threat to human rights and press freedom globally. They are particularly worried about the executive agreements with foreign countries.

“We’re essentially relying on tech companies to be a kind of failsafe,” said Amnesty International’s U.S. director Naureen Shah.

Once a foreign government is safe-listed, Shah said, that nation can freely request information held by tech companies without congressional oversight for any particular request for five years. Shah mentions Turkey as an example where human rights and press freedom have dramatically declined over the past years.

“The CLOUD Act jeopardizes the lives and safety of thousands of human rights defenders around the world at a time when they face unprecedented threats, intimidation and persecution.”

CLOUD Act threatens privacy rights

The Electronic Frontier Foundation (EFF) also criticizes the executive agreements in this statement: “The CLOUD Act is a far-reaching, privacy-upending piece of legislation that will:

  • Enable foreign police to collect and wiretap people’s communications from U.S. companies, without obtaining a U.S. warrant.
  • Allow foreign nations to demand personal data stored in the United States, without prior review by a judge.
  • Allow the U.S. president to enter “executive agreements” that empower police in foreign nations that have weaker privacy laws than the United States to seize data in the United States while ignoring U.S. privacy laws.
  • Allow foreign police to collect someone’s data without notifying them about it.
  • Empower U.S. police to grab any data, regardless if it’s a U.S. person’s or not, no matter where it is stored.”

CLOUD Act not reviewed in a democratic process

Furthermore, the EFF criticizes the fact that the CLOUD Act was never debated in a democratic process.

“It was never reviewed or marked up by any committee in either the House or the Senate. It never received a hearing. It was robbed of a stand-alone floor vote because Congressional leadership decided, behind closed doors, to attach this un-vetted, unrelated data bill to the $1.3 trillion government spending bill. Congress has a professional responsibility to listen to the American people’s concerns, to represent their constituents, and to debate the merits and concerns of this proposal amongst themselves, and this week, they failed.”

Time to leave Google & Facebook behind

The CLOUD Act undermines data protection laws by turning US cloud services into deputy sheriffs for US authorities.

The only way to make sure that the US does not get direct access to your data is by not using American cloud services. It is time to leave Google and Facebook behind. Fortunately, there are a lot of European services that focus on protecting your right to privacy.

We recommend using encrypted services as alternatives. When all data is encrypted, no one but you can get access. Read our recommendations on how to leave Google behind and make the switch today.