CLOUD Act and co: How trustworthy are US cloud offerings?

Jan Tissler

Cloud offerings from the USA are popular, but have a significant flaw when it comes to data protection: US authorities have far-reaching rights to access information stored there, even if the servers are located in Europe, for example. This article explains why this is particularly problematic for companies.

Amazon, Apple, Microsoft: these are just three examples of providers of cloud services based in the USA. They dominate the market and are sometimes used without much thought. And it's no wonder: they are often directly integrated into other services, making them particularly easy to use. Apple's iCloud, for example, works seamlessly with the manufacturer's devices. A further reason, especially for website operators and developers of web offerings: a cloud service such as Amazon Web Services has quite a few useful tools to offer. It is convenient to be able to handle everything in one place with one account.

Companies need to take a closer look than consumers

However, companies in particular cannot use these services without hesitation. This is especially true if they collect, process and store personal data. In 2020, the European Court of Justice (ECJ) once again ruled that data protection in the USA is not sufficient to store sensitive data from Europeans there. The "Privacy Shield" agreement thus became invalid. This agreement was intended to provide an easy way to use the popular US services in companies.

To date, there is no successor and therefore hardly any legally secure basis. Although the ECJ ruling concerns the agreement between the USA and the EU, lawyers see the same problem with Switzerland's separate agreement.

Targeting servers outside the USA

One possible solution is to rely exclusively on cloud servers based in the EU or Switzerland. All major providers have data centers in this country, if only to be able to offer better performance.

However, this is where the US CLOUD Act comes into focus: with it, the USA has unilaterally given itself the right to demand the release of data stored on servers outside the United States.

According to the US Department of Justice, this is done with a "high level of protection of those citizens' rights". But this is precisely what critics doubt. Germany's top data protection official Ulrich Kelber, for example, has stated that police data should never be stored on services such as Amazon. The European Data Protection Supervisor has also dealt with the issue in detail. Among other things, he criticized the fact that companies have too little leverage against requests based on the CLOUD Act.

Where does the CLOUD Act come from?

The starting point for this controversial US law was a dispute between the Federal Bureau of Investigation (FBI) and Microsoft. The company refused to hand over data as it was stored on a server in Ireland.

Microsoft thus relied on a legal loophole created by globally distributed data centers. The Stored Communications Act, passed in the USA in 1986, had not foreseen that information could be stored anywhere in the world.

US lawmakers finally responded with the "Clarifying Lawful Overseas Use of Data Act", or CLOUD Act for short. Providers of communication services based in the USA are now obliged, under certain conditions, to preserve data stored on their servers and hand it over to US law enforcement authorities, regardless of whether it is stored in the USA or not.

The "Executive Agreement" way out

US providers with customers in this country are therefore in a legal dilemma: US law obliges them to disclose data that local data protection regulations may prohibit them from disclosing.

The CLOUD Act provides a way out through executive agreements between the USA and other countries. These would allow data access to be regulated more precisely and would also give law enforcement authorities in the partner country corresponding rights to request information stored in the USA.

In that case, US companies would also have greater leverage against data requests from the United States that violate data protection laws in this country. According to an analysis by the law firm MLL:

"The Executive Agreements thus introduce a kind of indirect legal protection for non-US persons and are intended to promote acceptance of the extraterritorial approach of the CLOUD Act."

The Swiss Federal Office of Justice recently dealt with this in detail. In all of this, Switzerland not only has to weigh up its own interests against those of the USA, but also maintain a balance with the EU. After all, Switzerland is considered by the EU to be a third country with an "adequate level of data protection". EU companies can therefore use Swiss services without hesitation. And the Swiss Confederation does not want to risk this status.

Ultimately, the Federal Office has not yet reached a final assessment. Rather, the report is intended to provide a basis for discussion.

Industrial espionage and surveillance

However, when it comes to the use of US cloud services, it is not just personal data that is a problem. Rather, the extent to which these services can be trusted is fundamentally called into question. After all, whistleblower Edward Snowden, among others, declared back in 2014 that the National Security Agency (NSA) also uses its access to information for industrial espionage. His revelations also revealed what only conspiracy theorists had previously suspected: The US systematically monitors internet traffic and stores this data on a large scale - even if it is encrypted.

Of course, encryption can be a way to protect data in the cloud. Data should generally not be stored in plain text anyway, if only because of possible hacker attacks. In one ruling, France's highest administrative court, the Conseil d'Etat, also concluded that encryption may be sufficient to allow US services to be used even for personal data.

But how secure such encryption remains in the long term is questionable, to say the least. Just think of the recurring debate about backdoors in encryption: what is officially intended for counter-terrorism or crime prevention would also enable misuse.
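As an added illustration of the two paragraphs above (example code written for this article, not from the original text or any provider): client-side AES-GCM encryption in Go, where the decisive question is who holds the key. Disclose models what a provider can hand over on request; the key, object name and sample data are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts on the customer's side before upload and returns the nonce and
// ciphertext (tag included) that land in provider storage. The object name is
// bound as associated data so a blob cannot be silently swapped between names.
func Seal(key, plaintext []byte, objectName string) ([]byte, []byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, []byte(objectName)), nil
}

// Open decrypts a blob fetched back; any tampering fails authentication.
func Open(key, nonce, ciphertext []byte, objectName string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, []byte(objectName))
}

// Disclose models what the provider can hand over for one object: plaintext if
// it holds a key that opens the blob (provider-managed keys), otherwise only the
// ciphertext it stores. providerKey is nil when the customer alone keeps the key.
func Disclose(providerKey, nonce, ciphertext []byte, objectName string) ([]byte, bool) {
	if pt, err := Open(providerKey, nonce, ciphertext, objectName); err == nil {
		return pt, true
	}
	return ciphertext, false
}
```

The contrast between a nil providerKey and a provider that also holds the customer's key is the whole point: with provider-managed keys, encryption at rest changes nothing about what a disclosure request can yield.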

Closing words

Just how problematic the CLOUD Act and similar laws really are therefore remains a subject of debate, including in specialist circles.

However, they illustrate a fundamental problem with offerings from the USA: they originate from a different political environment than those of European competitors. This is likely to become an issue again and again in the future, especially if companies want to use them to store sensitive information.

Cloud offerings from Switzerland or generally from the European Economic Area are therefore also an alternative worth considering.