Expert Opinion: Cloud Act and Strategic Choices for Managed Services Outsourcing

CEO-Vision SAS, publisher of the GoFAST collaborative platform, is not a law firm; however, this article is based on an extensive analysis of the reference texts and the Cloud Act.

Much has been written about the Cloud Act, passed in the spring of 2018. Nevertheless, the many approximations and misrepresentations in circulation have motivated us to write our own analysis, as factual and precise as possible.

This law acknowledges that data is increasingly spread around the world and that this complicates, slows down, and even precludes some American criminal investigations.

The limits of the "Stored Communications Act" (SCA), in force since 1986, came to the fore in the proceedings between Microsoft and the United States of America over Microsoft's refusal to provide emails stored in Ireland in a drug trafficking case, proceedings which ended at the United States Supreme Court.

The Cloud Act, delicately inserted in the 2232 pages of the American budget law, which had to be passed to avoid a new shutdown of the American government, therefore allows, under certain conditions and only in the case of an alleged serious crime, the seizure and/or interception of data stored outside the United States by American police, and in some cases the reverse (if a mutual agreement, an "Executive Agreement", has been signed). The request is made to telecommunications or outsourcing companies (CSP - Communication Service Provider, or RSP - Remote Service Provider).

Note that this text appeared during a period of intense legal activity around personal data: the coming into force of the "GDPR - General Data Protection Regulation", the renewal of the "FISA - Foreign Intelligence Surveillance Act" in the US for 5 years, and the production of the first version of the "e-Evidence" text by the European Commission. All this without mentioning the "Privacy Shield" (2016) between the EU and Switzerland on the one hand, and the United States on the other.

A few years after the NSA eavesdropping scandal revealed by E. Snowden, and despite the abolition of the most criticized clauses of the "Patriot Act", the Cloud Act has made some defenders of individual privacy rights jump, just as its extraterritorial reach has upset groups critical of American hegemony. Some draw the conclusions that suit them, for example:

  1. Potentially this text is a risk for the confidentiality of personal data

Rather inaccurate: the Cloud Act only concerns investigations of alleged major criminal activities, including terrorism. American law enforcement must obtain a warrant to be able to trigger the request.

Note also that this text does not govern intelligence activities and therefore concerns neither the NSA nor the CIA.

  2. Only American companies working abroad are concerned

Inaccurate, contrary to what European hosting providers suggest. European companies will need to comply if they have a presence in the United States with access to European data.

  3. European citizens are not concerned

Inaccurate. The requests may concern "non-US-people". More worryingly, if the country has not signed an Executive Agreement, the hosting provider (American, or European with a presence in the US / access to EU data) cannot challenge the request.

Overall, our interpretation leads us to the following analysis:

  • on-premise / colocation hosting is not concerned
  • the datacenters of AWS, Microsoft or Google in Europe do not protect data against an American judicial inquiry, at least until an Executive Agreement between the United States and the EU or France is in force.
  • for outsourcing and telecommunications companies affected by the Cloud Act (American, or European with a US presence / access to EU data), refusing to provide the requested information without an Executive Agreement exposes them to the risk of court proceedings in the United States.
  • the EU has an interest in negotiating an Executive Agreement for all its Member States, in order to benefit from reciprocity and to challenge requests concerning European citizens. However, this will certainly require amendments to the GDPR, so the probability is low.
  • the Cloud Act is not completely contrary to the GDPR. Article 48 stipulates that no data may be transmitted to a third country outside of an international agreement such as a "Mutual Legal Assistance Treaty" (MLAT), the procedure in force before the Cloud Act, but article 49 introduces exceptions, not to mention article 25, which allows national exceptions.
  • despite some references indicating that it would become prohibited to provide backdoors to the police, we did not find anything to that effect in the text (moreover, the act presented to Congress in 2018 on this subject, the "Secure Data Act", never came to fruition). Data subject to a judicial request must be provided decrypted by the outsourcer if the outsourcer performs the encryption. If encryption is performed at the application level (therefore by the targeted customer), it will be interesting to see the outcome.

We see that "in an ideal world" (no abuse), and in the context of the fight against crime and international terrorism, this text seems almost balanced if an "Executive Agreement" has been signed, which is not the case with the EU or with France.

In the current situation, the issues are:

  • a scope covering non-American / non-resident citizens, without reciprocity and without notification of the judicial authorities of the targeted user's country of origin
  • the lack of a definition of "serious crime" (note that violating American embargoes falls into this category, a very important point[1])
  • the CSP's inability to challenge the request other than by invoking the "common law comity principles", possibly indicating a certain contradiction with the GDPR but with a completely uncertain outcome

In general, storing a European company's sensitive data will be least problematic:

  • On-premise (while ensuring the same level of security as professional outsourcers)
  • In colocation with a European outsourcer on European territory

Regarding the Cloud (the organization does not own the infrastructure):

  • In a sovereign (dedicated) private cloud (EU company without a US presence having access to EU data)

In conclusion, it seems very prudent to avoid subscribing to any hosted service from an American company such as AWS, Google (G-Suite, ...) and Microsoft (including Office 365[2]), even when it offers hosting in France or in Europe, at least until jurisprudence around the Cloud Act and the GDPR begins to be known. Note that for Office 365 the problem concerns data storage (OneDrive, Teams, SharePoint Online) and not the office applications themselves.

Article written by Christopher Potter, CEO-Vision S.A.S


[1] As a reminder, BNP was fined $9 billion for circumventing embargoes on Cuba, Libya, Iran and Sudan.

[2] For those who want a recent version of Office, turn to Office Pro 2019 licenses or the very good OnlyOffice (not to be confused with OpenOffice).
