CEO-Vision SAS, software publisher of the collaborative platform GoFAST, is not a law firm; this article is nevertheless based on a careful analysis of the reference texts and of the Cloud Act itself.
Much has been written about the Cloud Act, passed in the spring of 2018. Nevertheless, all kinds of approximations and misrepresentations have motivated us to write our own analysis, as factual and precise as possible.
This law acknowledges that data is increasingly spread around the world and that this complicates, slows down, and sometimes even precludes American criminal investigations.
The limits of the "Stored Communications Act" (SCA), in force since 1986, came to the fore with the proceedings between Microsoft and the United States of America over Microsoft's refusal to provide emails stored in Ireland in a drug-trafficking case, proceedings which ended at the United States Supreme Court.
The Cloud Act, discreetly inserted into the 2232 pages of the American budget law, which had to be passed to avoid a new shutdown of the American government, therefore allows, under certain conditions and only in the case of an alleged serious crime, the seizure and/or interception by American law enforcement of data stored outside the United States, and in some cases the reverse (if a mutual "Executive Agreement" has been signed). The request is addressed to telecommunications or outsourcing companies (CSP, Communication Service Provider, or RSP, Remote Service Provider).
Note that this text appeared during a period of very intense legal activity around personal data: the entry into force of the "GDPR - General Data Protection Regulation", the renewal of the "FISA - Foreign Intelligence Surveillance Act" in the US for 5 years, and the publication of the 1st version of the "e-Evidence" text by the European Commission. All this without mentioning the "Privacy Shield" (2016) between the EU and Switzerland on the one hand, and the United States on the other.
A few years after the NSA eavesdropping scandal revealed by E. Snowden, and despite the repeal of the most criticized clauses of the "Patriot Act", the Cloud Act has startled some defenders of individual privacy rights, just as its extraterritoriality has upset groups opposed to American hegemony. Some draw the conclusions that suit them, for example:
- This text is potentially a risk for the confidentiality of personal data
Rather inaccurate: the Cloud Act only concerns investigations of alleged major criminal activities, including terrorism. American law enforcement must obtain a warrant before it can issue the request.
Note also that this text does not govern intelligence activities and therefore concerns neither the NSA nor the CIA.
- Only American companies working abroad are concerned
Inaccurate, contrary to what some European hosting providers suggest. European companies will also need to comply if they have a presence in the United States together with access to European data.
- European citizens are not concerned
Inaccurate. The requests may concern "non-US persons". More worryingly, if the country has not signed an Executive Agreement, the hosting provider (American, or European with a presence in the US and access to EU data) cannot challenge the request.
Overall, our interpretation leads us to the following analysis:
- on-premise / colocation hosting is not affected
- the datacenters of AWS, Microsoft or Google in Europe do not protect the data against an American judicial inquiry, at least until an Executive Agreement between the United States and the EU or France is in force.
- for outsourcing and telecommunications companies affected by the Cloud Act (American, or European with a US presence and access to EU data), refusing to provide the requested information in the absence of an Executive Agreement exposes them to the risk of court proceedings in the United States.
- the EU is interested in negotiating an Executive Agreement for all its Member States, in order to benefit from reciprocity and to be able to challenge requests concerning European citizens. However, this will certainly require amendments to the GDPR, so the probability is low.
- the Cloud Act is not completely contrary to the GDPR, which stipulates (art. 48) that no data may be transmitted to a third country outside of an international agreement such as a "Mutual Legal Assistance Treaty" (MLAT), the procedure in force before the Cloud Act, because article 49 introduces exceptions, not to mention article 25, which allows national exceptions.
- despite some references indicating that it would become prohibited to provide backdoors to the police, we did not find anything to that effect in the text (moreover, the bill presented to Congress in 2018 on this subject, the "Secure Data Act", never came to fruition). Data requested by the courts must be provided decrypted by the outsourcer if the outsourcer performs the encryption. If the encryption is done at the application level (therefore by the targeted customer), it will be interesting to see the outcome.
We see that "in an ideal world" (with no abuse), and in the context of the fight against crime and international terrorism, this text seems almost balanced, provided an "Executive Agreement" has been signed, which is not the case with the EU or with France.
In the current situation, the issues are:
- a scope covering non-American / non-resident citizens, without reciprocity and without notification of the judicial authorities of the targeted user's country of origin
- the lack of any definition of "serious crime" (note that violating American embargoes falls into this category, a very important point)
- the impossibility for the CSP to challenge the request, except by invoking the "common law comity principles", possibly pointing to a certain contradiction with the GDPR but with a completely uncertain outcome
In general, for a European company, storing sensitive data will be least problematic:
- On-premise (while ensuring the same level of security as professional outsourcers)
- In colocation with a European outsourcer on European territory
Regarding the Cloud (where the organization does not own the infrastructure):
- In a sovereign (dedicated) private cloud (an EU company with no US presence having access to EU data)
In conclusion, it seems very prudent to avoid subscribing to any hosted service from an American company such as AWS, Google (G-Suite, ...) or Microsoft (including Office 365), even when hosting is offered in France or in Europe, at least until case law around the Cloud Act and the GDPR begins to emerge. Note that for Office 365 the problem concerns the data storage (OneDrive, Teams, SharePoint Online) and not the office applications themselves.
Article written by Christopher Potter, CEO-Vision S.A.S
As a reminder, BNP was fined $9 billion for circumventing embargoes on Cuba, Libya, Iran and Sudan.
For those who want a recent Office suite, turn to Office Pro 2019 licenses or the very good OnlyOffice (not to be confused with OpenOffice).