Last month, Utah Senator Orrin Hatch and Georgia Representative Doug Collins introduced the CLOUD (Clarifying Lawful Overseas Use of Data) Act to the United States Congress in an attempt to change how U.S. law enforcement agencies collect data that tech companies store outside of the U.S., and how foreign governments seek data from U.S. tech companies. The act, in their eyes, is meant to “streamline” which law enforcement agencies have access to personal data stored by U.S.-based tech companies. Then, to get the act passed, it was snuck into the current spending bill that has been on the floor for the past few weeks. Well, this past Friday, March 23rd, the bill passed in Congress. And people ARE NOT happy.
What’s the big deal?
Following the proposal, “privacy advocates such as Neema Singh Guliani of the American Civil Liberties Union showed concern about how the proposed law gives a great deal of leeway to the executive branch when it comes to determining which countries are allowed to subpoena U.S. tech companies, removing a judicial review,” according to an article by Tom Krazit on GeekWire. Krazit goes on to say that “Guliani and others believe this bill exposes individuals to abuse by law-enforcement agencies and also puts an undue burden on smaller tech companies to respond directly to requests from foreign governments.”
The Electronic Freedom Foundation has even gone as far as to say that the CLOUD Act provides a loophole to the 4th Amendment of the Constitution: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
“The CLOUD Act has two major components. First, it empowers U.S. law enforcement to grab data stored anywhere in the world, without following foreign data privacy rules. Second, it empowers the president to unilaterally enter executive agreements with any nation on earth, even known human rights abusers. Under such executive agreements, foreign law enforcement officials could grab data stored in the United States, directly from U.S. companies, without following U.S. privacy rules like the Fourth Amendment, so long as the foreign police are not targeting a U.S. person or a person in the United States.
When foreign police use their power under CLOUD Act executive agreements to collect a foreign target’s data from a U.S. company, they might also collect data belonging to a non-target U.S. person who happens to be communicating with the foreign target. Within the numerous, combined foreign investigations allowed under the CLOUD Act, it is highly likely that related seizures will include American communications, including email, online chat, video calls, and internet voice calls.”
To put it more clearly, according to Rhett Jones’ article in Gizmodo:
“The CLOUD Act would weaken those privacy protections and open up a free for all of data sharing. A foreign government could request data about a non-US citizen from a company storing it on US soil without the need for a warrant. It could also intercept communications or metadata of a non-US citizen target in real time. If, by chance, that foreign government collected communications or content from an American in the course of their surveillance, it could then turn it over to US law enforcement. As long as the information ‘relates to significant harm, or the threat thereof, to the United States or United States persons,’ that information could then be used to investigate or criminally charge a US citizen.”
So what does this mean for the rest of the world? How would this affect the soon-to-be-implemented General Data Protection Regulation?
The CLOUD Act threatens to undermine the new General Data Protection Regulation (GDPR), which will be implemented on May 25, 2018. The intent of GDPR is to strengthen and unify data protection for all individuals within the European Union, to give citizens and residents back control over their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU. However, “the CLOUD Act creates a framework for new bilateral agreements with foreign governments for cross-border data requests. Under these bilateral agreements, the United States and participating foreign governments would remove legal restrictions that otherwise prohibit technology providers from complying with the other country’s legal requests,” according to the National Law Review.
With the passing of the CLOUD Act, ownCloud users still have no need to worry about data-transfer restrictions. ownCloud can connect federated servers in multiple geographic locations into a single user experience for seamless collaboration. Federated File Sharing provides frictionless file sharing across multiple ownCloud servers while maintaining the security, control and attributes of the original server as set up by IT – and leaving the master file copy on the originating ownCloud server. By keeping your data on your own servers, you maintain full control of your data and are, therefore, not susceptible to the restrictions of the CLOUD Act or GDPR.