News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Member Directory Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | How the CLOUD Act will affect the way cloud providers serve their customers  Related reading: European Parliament: Suspend Privacy Shield unless US fully complies

rss_feed

""

The signing into law of the Clarifying Lawful Overseas Use of Data Act earlier this year has not gone unnoticed among the privacy or law enforcement communities.

Its intention was to simplify the process for the U.S. government to gain access to potentially vital data in the interest of national security when held on foreign soil, without impinging on the privacy rights of the individual or the duties of the cloud service provider to protect those rights.

But what does this mean? And why was it necessary?

The U.S. government has repeatedly found itself in conflict with the cloud industry when trying to access data relevant to national security stored by U.S. CSPs. Despite these CSPs being U.S.-headquartered, the very nature of cloud computing often meant that the data itself would not be stored in the U.S. Which in turn meant that the data was subject to the privacy laws of the local territory, making a CSP’s obedience of a U.S. warrant to disclose the data illegal and also contrary to its duty to protect the privacy of its customers and subscribers. This is the exact situation highlighted in the U.S. government’s recent case with Microsoft and access to its data in Ireland.

In such a situation, the U.S. government’s main recourse would then be to pursue the diplomatic processes of either a local warrant or a Mutual Legal Assistance Treaty with the country in question. Although, these processes are inherently slower and typically politically sensitive, explaining why they were not employed in the Microsoft case resulted in a stalemate and legal conundrum. 

In essence, the principal benefit of cloud computing – the fact that data is stored in multiple locations to improve access, resilience and performance – was too often in conflict with the U.S. government’s interests of ensuring national and international security. 

The CLOUD Act was designed to solve these ethical and legal dilemmas facing both the cloud industry and the government.

At a basic level, the new legislation simultaneously gives the government the right to access data even when stored abroad and also gives the CSP the right to quash the warrant if complying would be contradictory to local privacy laws.

These rights have naturally spawned heated debate between law enforcement and privacy advocates over international security and personal privacy. The Electronic Frontier Foundation, for example, considers the lack of judicial review within the CLOUD Act to be a massive overreach on the part of the U.S. government that contravenes the norms of international law.

But there is another issue at stake that has received far fewer column inches, perhaps because it is less obvious.

How does the CLOUD Act impact CSPs?

CSPs will have welcomed the CLOUD Act, especially in light of the Microsoft case. Indeed, many of the largest ones, Microsoft and Apple included, supported its introduction.

Before the CLOUD Act, the cloud industry’s quiet fear was that if the U.S. government was allowed to access the Microsoft data in Ireland, it would show the international community that local privacy laws were not enough to deny requests for data relevant to a given country’s national security. This precedent would likely lead to various countries demanding access to data wherever it is stored, though most often in the U.S. These demands would naturally be challenged, leading to drawn-out legal battles, in turn leading to missed opportunities to prosecute or worse, prevent terrorist acts.

As Gregory Nojeim, director of the Freedom, Security, and Technology Project at the Center for Democracy & Technology, put it, “Countries around the world would be insisting that their legal process compels Microsoft and other providers to disclose data that they hold in the United States, which would result in chaos."

The feared response to this potential chaos was that to bypass the political difficulty of accessing data abroad, more and more countries would legislate that CSPs be required to guarantee that data on their citizens remained strictly within their own borders. Such guarantees would be a technologically difficult and expensive step for most CSPs, especially the largest ones, as brought into focus by legislation such as the EU General Data Protection Regulation.

But the CLOUD Act mitigated this danger. Because CSPs now have a legal right to quash warrants when disclosure is contrary to local laws, the indirect impact of the Act is that the MLATs will become more likely. This will encourage the U.S. to simplify the processes around them in order to make accessing data abroad easier. And because MLATs are bi-lateral, foreign countries will be simultaneously afforded the same ease of access to data stored in the U.S. (unless it is data on a U.S. citizen), removing the temptation to be protectionist about their citizens’ data, and in turn removing the danger of additional costs to CSPs.

What all this means is that on the face of it, the CLOUD Act preserves the status quo. 

But I thought you said the CLOUD Act affects CSPs?

Well actually, it should. Fundamentally because privacy in the cloud is an increasingly complicated space, and the CLOUD Act, despite its intentions, has not simplified matters. 

The CLOUD Act is by no means the only data privacy legislation at play here. The U.S. has many mechanisms available to it through which national security data may be demanded, including the USA FREEDOM Act and the FISA Amendments Act of 2008 (re-confirmed in January this year). How the CLOUD Act will interact with these remains to be seen.

Also, the very foundations of the CLOUD Act are MLATs, which the U.S. will now clearly pursue with as many countries as possible. It already has MLATs with many countries, and it is in the process of applying with others. There are then those countries with whom MLATs were rejected, or are being amended. For example, the potential MLAT between the U.S. and the U.K. was nullified by the EU last year but is now in motion again.

All in all, the CLOUD Act’s legislative landscape is blurry to say the least. But this ambiguity, peculiar to the CLOUD Act, is in fact systemic of a far wider problem for businesses relying on the cloud. 

Privacy has become such a potent issue that the international community, individual governments and even various industry sectors have all deemed it important enough to create their own rules. This constantly growing variety means that businesses are likely to be obliged to conform with a huge number of privacy requirements – each with its own complications and many of which may conflict.

For example, a single international health insurer could need to be simultaneously watchful of the CLOUD Act, the GDPR, Canada’s PIPEDA, Singapore’s PDPA, HIPAA and the data privacy requirements of any number of financial services regulators. And that is by no means an exhaustive list.

The impact of this confusion on CSPs is not on the technology within their service, but on their duty to their customers.

A significant proportion – if not the majority – of any CSP’s customers will be highly conscious of where its data resides, or may end up. These businesses will naturally look to their CSP for advice on how best to store their data, and particularly how to ensure a balance between the practical considerations of access and availability alongside their privacy obligations, all while maintaining the ambition to innovate is not undermined. This will require a new breed of CSP, comfortable advising on both technical and legislative queries with impartiality, authority and accuracy.

In fact, despite the technical complexity of cloud service provisions, it is probably the privacy side of the equation that entails the most intricacy and even depth of knowledge.

This burden will surely become all the greater as society’s use of technology evolves. The GDPR was a direct response to the inadequacy of existing privacy regulations in the internet age. Similar realizations in the near future, such as how IoT data is used or how smart cities are lived in, will trigger comparable reactions and new legislation, and in faster timeframes than the GDPR.

At the center of all this is of course the way in which businesses collect, store and monetize their data, creating this firm duty for CSPs to be able to provide clients with practical and legally accurate advice on how best to preserve the ambition of innovation, alongside protecting the privacy rights of data subjects.

However, too few CSPs are currently equipped to do so. The focus on cloud service contracts is now less about latency, uptime and reliability, and infinitely more to do with supporting a client’s data privacy obligations. Most CSPs see privacy legislation as an obstacle that their terms and conditions need to circumvent, rather than a business issue that their clients need active input on.

Most CSPs will not – perhaps cannot – evolve to support their clients in this manner. A policy of "caveat emptor" will persist. But not for the more prudent CSPs, for whom ethics, privacy and the provision of appropriate cloud service are non-negotiable. These CSPs will inevitably be the future of the cloud industry.

photo credit: Hindrik S Heitelân - Homeland #54 via photopin (license)

Author
Headshot Julian Box Nonmember Contributor
Tags
Cloud Computing
Privacy Law
Privacy Opinion
Transborder Data Flow
1 Comment

If you want to comment on this post, you need to login.

  • comment Edwin van der Kaden • Jul 14, 2018 
    Great article.
I don't believe governments want access to our data to prevent terrorist acts. There are far greater threats to mankind than terrorist acts. Access to our data gives control and power. Terrorist acts are used as an excuse here to gain access.
I do believe there is a great business case in Privacy for CSPs, even if this seems not an easy task. 
Thanks for pointing this out.
Related Stories
What the CLOUD Act means for privacy pros
3
Readers brave enough to get to page 2201 the United States’ latest omnibus spending bill will find the newly enacted Clarifying Lawful Overseas Use of Data Act. This blog post first explains how the CLOUD Act resolves the Supreme Court case between Microsoft and the U.S. Department of Justice regard...
Read More queue Save This
The CLOUD Act explained
Late in the afternoon last Friday, U.S. President Donald Trump signed the omnibus spending bill. Buried within the bill was the Clarifying Lawful Overseas Use of Data Act, a law that will change how the U.S. government can access user data stored overseas, among other things. The law also resolves t...
Read More queue Save This
Quick passing of CLOUD Act draws criticism
The European Commission is concerned the quick passing of the CLOUD Act in the U.S. could affect its attempts to pass similar legislation, EUobserver reports. "Unfortunately, the US Congress has adopted the US Cloud Act in a fast-track procedure, which narrows the room for the potential compatible s...
Read More queue Save This
Related Stories
Tags
Cloud Computing
Privacy Law
Privacy Opinion
Transborder Data Flow
Recent Comments