News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | How to comply with both the GDPR and the CLOUD Act Related reading: Government-owned company now stores Apple iCloud data in China

rss_feed

""

""

On March 23, 2018, U.S. Congress enacted the Clarifying Lawful Overseas Use of Data Act, which had the immediate effect of mooting the ongoing U.S. v. Microsoft litigation, where a central issue of the case was whether a web-based or cloud-based telecommunications or data service provider, subject to U.S. jurisdiction, could avoid being required to provide stored electronic communications for which a search-and-seizure warrant had been served, when such stored electronic communications were stored on servers outside of the U.S. The U.S. CLOUD Act amended the Stored Communications Act of 1986, which was enacted to create Fourth Amendment–like privacy protection for email and other digital communication stored or held by internet service providers. Such providers are those that provide services including email, instant messaging, video conferencing, wireless telephone, remote or backup data storage, and cloud hosting or processing.  

The U.S. CLOUD Act provides that the obligation to comply with search warrant requirements under the SCA apply regardless of whether a communication, record or other information is located within or outside of the United States:

"A [service provider] shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."

A warrant or subpoena under the U.S. CLOUD Act gives the U.S. government, such as a U.S. law enforcement agency, the ability to compel a recipient to hand over data regardless of where such data is stored in the event that all three of the following requirements are met: 

  • A U.S. court has jurisdiction over the entity whose data is being sought.
  • The entity is an electronic communication service or remote computing service provider intended to be in scope of the U.S. CLOUD Act.
  • The entity has possession, custody or control over the data being sought.

The U.S. CLOUD Act applies only to the contents of electronic communications, documents stored in the cloud, and to certain types of transmission and account information. The U.S. CLOUD Act allows U.S. law enforcement agencies to issue warrants to gain access to data held by organizations under U.S. jurisdiction, even if such data is held outside the U.S. and such data involves individuals other than U.S. citizens.

An entity on whom a warrant or subpoena is served pursuant to the U.S. CLOUD Act may challenge the warrant by arguing that any one of the above three requirements is not met.

Repercussions of U.S. CLOUD Act on the GDPR

Given its relatively recent enactment date, the U.S. CLOUD Act's compatibility with the EU General Data Protection Regulation is still an open question. With regard to data transfer to third countries for which such transfer is subject to the GDPR, Articles 44 to 50 of the GDPR apply. In particular, Article 48 of the GDPR comes into play when EU data is being requested by a U.S. law enforcement agency.

Article 48

From the EU perspective, there is significant concern that U.S. authorities might undermine the GDPR requirements set out in Article 48 by utilizing the U.S. CLOUD Act to compel U.S. organizations providing electronic communication services and remote computing services to allow access to certain types of data stored outside the U.S. U.S. law enforcement agencies can serve a search warrant for a U.S. organization's data and, unless one of the three above-referenced requirements is not met, that organization must comply, even if the data is stored in a foreign jurisdiction.

Implications for corporations located in the US with data storage in the EU

What happens if a U.S. electronic communication services or remote computing services corporation receives a warrant or subpoena from a U.S. law enforcement agency for data being stored in an EU-based subsidiary of that U.S. corporation? Must that data be disclosed, even though it may contain data corresponding to EU individuals? The answer will partly depend on the organizational setup of the U.S. corporation including, specifically, the parent’s relationship to its offshore affiliates. If the U.S. corporation has possession, custody or control over the data being sought, that data would be subject to production under the CLOUD Act.

Use case 1: Data storage in EU affiliate and no data access from the non-EU corporate parents

The data held at the EU affiliate would not likely be accessible to U.S. authorities under the CLOUD Act if the following facts apply:

  • The EU subsidiary has all its offices in the related EU country, conducts no business in the U.S., and operates independently of its corporate parents.
  • The computer network established in the EU subsidiary is fully segmented from the networks of its corporate parent.
  • As a technical matter, it is not possible for personnel of the corporate parent to reach remotely into the telecommunication infrastructure of the EU affiliate to obtain data. 

Use case 2: Vendor services 24/7 around the globe, or disaster recovery systems with limited access to data of US corporate parents

IT support service providers whose services "follow the sun" — meaning that the jurisdiction from which the services are provided shifts over the course of a day, and disaster recovery systems, where data is stored outside the U.S. in the ordinary course but backup retrieval systems in the U.S. may be activated in certain circumstances — raise the question of whether they open the door to requests for data under the CLOUD Act.

However, as in the case of 24/7 service providers, if the entity in the U.S. gets access to the data at a certain point every day (from a technical or technological perspective), such that if the government showed up and demanded access and the U.S. entity only needed to wait a specified period of time before it had access to the data, presumably there is a greater risk that that data could be accessible under the act.

General recommendations

Corporations that operate in multiple jurisdictions, when considering entering into service agreements with global electronic communication services or remote computing service providers, would be well advised to conduct due diligence about the organizational setup of those service providers.

A principal line of inquiry should be whether the U.S.-based parent or affiliate may have “possession, custody or control” of such data held by the non-U.S. affiliates. For such scenarios, the service recipient might seek to modify the service provider agreements to limit U.S. access to the data held in non-U.S. jurisdictions, including in the European Union. As part of such a risk mitigation, agreements with U.S. service providers should be evaluated to determine whether data held outside of the U.S. by non-U.S. entities is accessible via keyboards in the U.S. Language should be added to such service provider agreements to make clear that non-U.S. data is “siloed” (physically and logically segregated) at non-U.S. data storage locations and cannot be accessed from the U.S. Further, unless such notification is prohibited by law, prospective service recipients that envisage entering into service agreements with these types of service providers should seek to use contractual language committing the U.S. service provider to notify them, as service recipients, of having received a legally binding request under the CLOUD Act.

In instances when critical data, including proprietary, confidential information or personal data of individuals, is stored in the cloud, state-of-the-art security, including encryption at rest and encryption in transit, should be utilized. By all means, encryption key management must be under the full control of the service recipient (the controller of such data being stored in the cloud) and must not be accessible by the U.S. cloud service provider without permission of the controller of such data.

photo credit: nima; hopographer chubby via photopin (license)

Authors
Headshot Matthias Artzt, CIPP/E IAPP Member Contributor
Headshot Walter Delacruz IAPP Member Contributor
Tags
Europe
U.S.
Cloud Computing
Privacy Law
Privacy Operations Management
Transborder Data Flow
2 Comments

If you want to comment on this post, you need to login.

  • comment janet waston • Feb 1, 2019 
    Cloud hosting is making its mark in the world of web hosting. It is by far one of the most powerful hosting service. Companies should ponder investing in this.
  • comment Martin O'Dwyer • Oct 11, 2019 
    A helpful short piece about a topic which has yet to be fully appreciated and understood by some data handlers, thank you. The only comment by way of constructive criticism I would respectfully make is, in the last line...'must not be accessible by the U.S. cloud service provider without 'lawful' permission of the controller of such data'.
Related Stories
Announcing the new Cross-Border Data Forum
With cloud computing, law enforcement investigations increasingly seek evidence that is held across borders, in a different country. As we describe in a separate IAPP post, this globalization of criminal evidence is prompting major legislative change and proposals. In 2018 alone, the United States p...
Read More queue Save This
Related Stories
Tags
Europe
U.S.
Cloud Computing
Privacy Law
Privacy Operations Management
Transborder Data Flow
Recent Comments