Europe Frightened By US 'Cloud Act', Fearing National Security Risks

"A foreign power with possible unbridled access to Europe's data is causing alarm in the region. No, it's not China. It's the U.S.," writes Bloomberg (in an article shared by hackingbear).

"As the U.S. pushes ahead with the 'Cloud Act' it enacted about a year ago, Europe is scrambling to curb its reach." Under the act, all U.S. cloud service providers, from Microsoft and IBM to Amazon -- when ordered -- have to provide American authorities with data stored on their servers, regardless of where it's housed. With those providers controlling much of the cloud market in Europe, the act could potentially give the US the right to access information on large swaths of the region's people and companies.

The U.S. says the act is aimed at aiding investigations. But some people are drawing parallels between the legislation and the National Intelligence Law that China put in place in 2017 requiring all its organisations and citizens to assist authorities with access to information. The Chinese law, which the US says is a tool for espionage, is cited by President Donald Trump's administration as a reason to avoid doing business with companies like Huawei Technologies. "I don't mean to compare US and Chinese laws, because obviously they aren't the same, but what we see is that on both sides, Chinese and American, there is clearly a push to have extraterritorial access to data," said Ms Laure de la Raudiere, a French lawmaker who co-heads a parliamentary cyber-security and sovereignty group. "This must be a wake up call for Europe to accelerate its own, sovereign offer in the data sector."

Well duh

[Rosco+P.+Coltrane]

When you put your data elsewhere than on your own iron, expect it to be as good as public. Everybody has known this since the beginning of the internet. Security-conscious IT folks don't do cloud, even if it costs more.

In my opinion, the Cloud Act is just an official recognition of what's already going on.

No, because they need a warrant / subpoena

[raymorris]

In a word, no. There could be some concerns in some cases, but generally not an issue.

The Cloud Act relates to what a warrant or subpeona may reach, and doesn't change anything - it just affirms what existing law, stating explicitly what had been implicit.

It says that the pre-existing power of US courts to order US companies to turn over data material to a case cannot be thwarted by the US company stashing the bits on disks which are physically overseas. That was already a bit of a "duh, no shit" to anyone who has studied law, but Congress saw fit to state it explicitly.

GDPR doesn't say you can't comply with a subpoena or warrant. It explicitly says you can comply. So no problem, there, no conflict between Cloud Act and GDPR, generally.

The one wrinkle is that GDPR says when you send data to another country, one of two things needs to be in place

A mutual legal assistance agreement
Or
The other country has approved privacy law

The US has both. A new data privacy safe harbor agreement with the US was approved by the EU in 2016, after the previous one was found lacking. We also have a Mutual Legal Assistance Agreement (MLAA).

There could be cases, however, in which a subpoena is issued which doesn't comply with the MLAA. Then one could argue complying with that particular subpeona could violate GDPR. Except we ALSO have the 2016 safe harbor agreement, so the MLAA isn't actually necessary anyway.

So in rare cases you could argue that there might be a conflict, but you'd probably lose that argument.