What is the CLOUD Act?
SCA “warrant” recipients in the U.S. (U.S. based cloud providers) are now obligated to turn over evidence <u>wherever located</u>, so long as the recipient has “possession, custody, or control” over the evidence.
Estimated reading time: 2.5 minutes
In order to combat the international nature of 21st-century crime and make investigations by law enforcement easier, in March 2018, the Clarifying Lawful Overseas Use of Data Act was enacted. The CLOUD Act amends the Stored Communications Act to make clear that SCA “warrant” recipients in the U.S. (U.S. based cloud providers) are obligated to turn over evidence wherever located, so long as the recipient has “possession, custody, or control” over the evidence. That means that the cloud provider can, under certain circumstances, exfiltrate your data stored on their servers – even if that information is stored on servers outside the U.S. If you are a non-U.S. organization and thought that the privacy of your data was protected because the server is located within the geographic territory of your own government, you might be mistaken. With the passing of the CLOUD Act, under certain conditions, data stored on cloud servers can be exfiltrated no matter where or what country that server is physically located, without using the previous treaty process, without notification to the host government, and without notification to the data owner.
The scant protections of the CLOUD Act
The privacy of data stored with a U.S. based cloud provider for non-U.S. based organizations is protected only if all of the following conditions are satisfied:
First is that the cloud provider must ask a U.S. federal court to quash or modify the warrant. Since SCA warrants are served in secret directly to the cloud provider and your cloud provider is prohibited from informing you that they have received a warrant to hand over your data, you are depending on them to defend your privacy. If for whatever reason they fail to do so, your data will be exfiltated without your knowledge.
Second, if your cloud storage provider does ask a U.S. federal court to nullify or modify the warrant on your behalf then, in order to protect your privacy, all 3 of the following conditions must be met:
- the target is not a U.S. person; AND
- compliance would conflict with the law of the country where the data is stored; AND
- the court concludes that disclosure isn’t warranted.
If the data requested in your cloud storage is for a U.S. person, then you have no protection. If the target of the request is a non-U.S. person but your own country does not have any specific privacy law to protect that data, you have no recourse. Finally, even if the request is for data on a non-U.S. person and it violates the privacy laws of your local government but the U.S.-based court determines that U.S. law enforcement really needs it, then your data will be exfiltrated.
Privacy protection via data residency is no longer valid
In conclusion, protecting privacy via data residency is no longer necessarily valid. Data privacy is best preserved by keeping that data on-premise, behind the corporate firewall, on corporate storage assets, in specific geographic regions, and access controlled. Privacy is best protected by organizational data sovereignty.
FileFlex Enterprise protects data sovereignty and prevents possible data exfiltration inherent to cloud solutions. That is because nothing is moved, copied, or stored on a third-party server. You access, share and collaborate files from their source locations, on your own storage, behind your firewall. There is no chance any third-party can gain access to files without the organization’s knowledge.
Get the full Data Sovereignty – The New Priority: Preventing Possible Data Exfiltration Inherent to Cloud Solutions whitepaper by submitting your email below.