The CLOUD Act and How It Might Impact the GDPR and CCPA On March 23, 2018, President Trump signed the $1.3 trillion Omnibus spending bill, which contained the Clarifying Lawful Overseas Use of Data (CLOUD) Act. With little fanfare, and amid many other tense issues surrounding the spending bill, many Americans may not know a great deal about this controversial Act.  

The crux of the controversy stems from the potential misuse of the CLOUD Act—whether intentional or incidental—to infringe upon the Fourth Amendment of the U.S. Constitution, as well as the newly instituted General Data Regulation Plan (GDPR) and the California Consumer Privacy Act (CCPA) of 2018.  

What Is the CLOUD Act and How Might It Affect the GDPR and CCPA?  

This federal law allows for federal law enforcement to compel U.S.-based technology companies to provide any requested data stored on their servers, no matter where the data is stored throughout the world. This means that U.S. law enforcement can request data stored on foreign soil. 

Here are a few of the provisions of the CLOUD Act:  

  • The Act gives U.S. law enforcement the right to issue orders under the Stored Communications Act (SCA) to gain access to certain data stored in other countries.  
  • The Act allows for certain foreign governments to enter into bilateral agreements with the United States, which further allows them to bypass the need for a mutual legal assistance treaty.  
  • The Act provides businesses with the rights to challenge any law enforcement request that they feel is an infringement of personal privacy and rights.  
  • The Act addresses civil liberty and privacy concerns by imposing certain limits on the requests of law enforcement.  

The Act’s origin goes back to a drug trafficking case in 2013 wherein the FBI issued a SCA warrant to gain access to emails that a U.S. citizen had stored on a Microsoft remote server, based in Ireland. Microsoft rightly refused the FBI access to the information, resulting in the case moving to the U.S. Supreme Court for the hearing case entitled Microsoft Corp v. United States

Since that time, Microsoft and the government had agreed to monitor the progress of the case. However, with the passing of the CLOUD Act, there is no need since the facts of the case fall within the parameter of the Act.  

How Might the CLOUD Act Impact the GDPR and CCPA? 

While the GDPR was enacted to cover EU consumers, and the CCPA is set to protect California consumers, they share enough in common to spark some concern over privacy issues when it comes to the CLOUD Act.  

The passing of the CLOUD Act actually flies in the face of these two significant regulations focused on the protection of private citizen information.  

What Are the Basic Rights of the GDPR?  

The GDPR was passed by the European Parliament to regulate the collection, storage and transmission of personal data via the internet for any consumer making a purchase while in the EU, which includes non-EU nations Iceland, Norway and Liechtenstein. There are eight essential rights associated with the Regulation: 

  • Right to be informed 
  • Right to access  
  • Right to rectification 
  • Right to erasure, also known as Right to be forgotten  
  • Right to restriction of processing  
  • Right to data portability  
  • Right to object  
  • Right against automated processing or profiling  

What Are the Basic Protections That Comprise the CCPA?  

Passed on June 28, 2018, and officially going into effect on January 1, 2020, the wheels are already turning regarding CCPA. Affected businesses were required to have their data tracking systems in place at the beginning of 2019.  

The CCPA features a few core principles and goals to serve California consumers:  

  • Transparency regarding the collection and processing of information  
  • Control over data  
  • Accountability of businesses entrusted with consumer data  

Will the CLOUD Act Impact Your Business?  

It is difficult to predict how, or if, the CLOUD Act may impact a business since it is primarily a reactionary law, set in motion due to a law enforcement body’s request. By its very nature, you cannot predict your experiencing it or a possible reason why. However, it is important that you understand the law and how to respond since any business owner could receive a request at any time.  

The chances of encountering such a request are somewhat greater if your business involves cloud services, colocation, internet services, or anything wherein your business works with data. If work with EU and California customers, which nearly anyone in such businesses likely would, the chances increase even more.  

Business leaders worry about how diametrically opposed to the GDPR and CCPA that the CLOUD Act is, wondering if they will put their organizations at risk by complying. Faced with heavy fines and other penalties with both laws, it makes sense that business owners want to learn more about this Act.  

Do You Have Additional Questions About the CLOUD Act and Your Responsibilities Related to It?  

If you need additional information about the CLOUD Act and how it could impact your business, our team is here to help.