The CLOUD Act has been enacted into law following the Microsoft email case, in which Microsoft refused to hand over data stored on its servers in Ireland after being presented with a US court order only.
After the CLOUD Act being signed into law, the Department of Justice issued a new warrant to Microsoft and it complied, handing over the requested. The Supreme Court then decided to close the Microsoft email case.
The CLOUD Act also provides an alternative to MLATs through "executive agreements". The Executive Authority of the USA is able to enter into bi-lateral agreements with foreign countries to provide requested data related to its citizens in a streamlined manner. The Attorney General has to renew such an agreement every five years.
They argue that the new law "is an important step toward enhancing and protecting individual privacy rights, reducing international conflicts of law and keeping us all safer".
However, this supposedly legal clarity disguises the real issue: The CLOUD Act undermines data protection laws such as the upcoming European General Data Protection Regulation (GDPR).
The CLOUD Act enables US law enforcements to ask for any record stored by Gmail, Facebook, Twitter, Dropbox, etc. on foreign servers - so long as this would not break that country's law, e.g. the GDPR.
However, as there is no juridical oversight (apart from a US court order to a US cloud service), European users of US cloud services cannot be sure that their data is being protected well enough even though this is being requested by the GDPR. The CLOUD Act is in stark contrast to the GDPR, which takes effect on May 25th.
No matter what big US tech companies say, clarity of law is not achieved at all with the CLOUD Act.
"We’re essentially relying on tech companies to be a kind of failsafe," said Amnesty International’s U.S. director Naureen Shah.
Once a foreign government is safe-listed, Shah said, that nation can freely request information held by tech companies without congressional oversight for any particular request for five years. He mentions Turkey as an example where human rights and press freedom have dramatically declined over the past years.
"The CLOUD Act jeopardizes the lives and safety of thousands of human rights defenders around the world at a time when they face unprecedented threats, intimidation and persecution."
The Electronic Frontier Foundation (EFF) also criticizes the executive agreements in this statement: "The CLOUD Act is a far-reaching, privacy-upending piece of legislation that will:
Furthermore, the EFF criticizes that the CLOUD Act has never been debated in a democratic process.
"It was never reviewed or marked up by any committee in either the House or the Senate. It never received a hearing. It was robbed of a stand-alone floor vote because Congressional leadership decided, behind closed doors, to attach this un-vetted, unrelated data bill to the $1.3 trillion government spending bill. Congress has a professional responsibility to listen to the American people’s concerns, to represent their constituents, and to debate the merits and concerns of this proposal amongst themselves, and this week, they failed."
The CLOUD Act undermines data protection laws by turning US cloud services into deputy sheriffs for US authorities.
The only way to make sure that the US does not get direct access to your data is by not using American cloud services. It is time to leave Google and Facebook behind. Fortunately, there are a lot of European services that focus on protecting your right to privacy.
We recommend using encrypted services as alternatives. When all data is encrypted, no one but yourself can get access. Read our recommendations on how to leave Google behind and make the switch today.
No comments available