CLOUD Act and Co: How trustworthy are US cloud offerings?14-06-2022 Author: Jan Tissler
Cloud offers from the US are popular but have a considerable flaw when it comes to data protection: US authorities have far-reaching rights to access information stored therein, even if the servers are located in Europe, for example. This article explains why this is particularly problematic for companies.
Amazon, Apple, Microsoft: these are just three examples of US-based cloud service providers. They dominate the market and are sometimes used without much thought. This is no wonder: they are often directly integrated into other offerings and thus particularly easy to use. Apple's iCloud, for example, works seamlessly with the manufacturer's devices. Another reason, especially for site operators and developers of web offerings, is that a cloud service like Amazon Web Services has several useful tools to offer. It is convenient to be able to handle everything in the one place with one account.
Businesses need to look more closely than consumers
Companies, however, cannot use these services without hesitation. This is especially true if they collect, process and store personal data. In 2020, the European Court of Justice (ECJ) once again found that data protection in the US is not up to standard for Europeans when it comes to storing sensitive data. The "Privacy Shield" agreement, which was supposed to provide an easy way to use the popular US services for companies too, was thus declared invalid.
To date, there is no successor and therefore hardly a legally secure basis. Even though the ECJ refers to the agreement between the US and the EU, lawyers foresee the same problem for the separate agreement with Switzerland.
Targeting servers outside the US
One possible way out is to rely exclusively on cloud servers based in the EU or Switzerland. All major providers have data centres here, if only for the sake of being able to offer better performance.
But this is where the US "CLOUD Act" once again comes into view: With it, the US has unilaterally given itself the right to demand the surrender of data stored on servers outside the United States.
According to the US Department of Justice, this is done with a "high level of protection of those citizens' rights". But this is precisely what critics doubt. Germany's top data protection official, Ulrich Kelber, for example, declared that police data should not, under any circumstances, be stored on services such as Amazon. The European Data Protection Supervisor has likewise already dealt with the issue in detail. Among other things, it criticised the fact that companies have too little leverage against requests based on the CLOUD Act.
Where does the CLOUD Act come from?
The basis for this controversial US law was a dispute between the Federal Bureau of Investigation (FBI) and Microsoft. The company refused to hand over data because it was stored on a server in Ireland.
Microsoft had therefore taken advantage of a legal loophole created by globally distributed server centres. The Stored Communications Act passed in the US in 1986 had not yet foreseen that information could be stored globally.
The US legislature finally reacted with the Clarifying Lawful Overseas Use of Data Act, abbreviated as the CLOUD Act, under which providers of communications services based in the US are now obliged to store data on their servers and hand it over to US law enforcement authorities under certain conditions, regardless of whether the data is stored in the US or not.
Way out: "Executive Agreement"
US providers with customers in the EU therefore find themselves in a legal dilemma. Domestic law obliges them to hand over data, but they may not be allowed to do so due to local data protection regulations.
The CLOUD Act sees a way out through "executive agreements" between the US and other countries. This would allow for more precise regulation of data access and would also give law enforcement authorities in the partner country the corresponding rights to request information stored in the US.
In this case, US companies would also have stronger leverage against data requests from the United States that violate data protection here. An analysis by the law firm MLL states:
"The Executive Agreements therefore provide indirect legal protection of sorts for non-US persons, and are intended to promote acceptance of the CLOUD Act's extraterritorial approach."
The Swiss Federal Office of Justice recently dealt with this in detail. In all of this, not only does Switzerland need to weigh its own interests against those of the US, but at the same time maintain a balance with the EU. After all, from the Union's perspective, Switzerland is considered a third country with an "adequate level of data protection". EU companies are therefore free to use Swiss services without hesitation. And the Confederation does not want to risk this status.
In the end, the Federal Office did not come to a final assessment. Rather, the report is intended to provide a basis for discussion.
Industrial espionage and surveillance
When it comes to the use of US cloud services, it is not just personal data that's a problem. Rather, it is essentially questionable to what extent these services can be trusted. After all, whistleblower Edward Snowden, among others, had already stated in 2014 that the National Security Agency (NSA) also uses its access to information for economic espionage. His revelations also confirmed what until then, conspiracy theorists had only suspected: The US systematically monitors internet traffic and stores this data on a large scale – even if it is encrypted.
Because encryption can of course be a way to protect data in the cloud. It should generally not be stored in plain text, if only because of possible hacker attacks. The highest French administrative court, the Conseil d'Etat, had also concluded in a ruling that this could suffice to use US services for personal data as well.
How secure these encryptions are in the long term is questionable to say the least. One could mention the debate about corresponding backdoors that keeps flaring up, again and again. What is supposed to be used for counterterrorism or crime-fighting, according to the official reading, would also enable misuse.
How problematic the CLOUD Act and Co. really are is thus an ongoing debate, even in expert circles.
However, they represent a fundamental problem with solutions arriving from the US: these come from a different political environment than European competitors, and this will very likely become an issue again and again in the future. This is especially true if companies want to use them to store sensitive information.
Cloud offers from Switzerland or the European Economic Area in general, are therefore also an alternative worth considering.