In this blog Yulia Filipovich explains what has happened since the CLOUD Act was introduced and how new regulations are changing the game.Watch related webinar!
What significant steps need to be taken to defend digital sovereignty in regard to overseas laws? In order to clarify the situation and in an attempt to dispel some doubts and skepticism concerning the CLOUD Act, let’s recap what has happened since its introduction.
The CLOUD Act shouldn't be associated with cloud providers only; it applies to all companies doing business in the US. The act has two distinct parts. The first clarifies the existing legal situation and process to be used by US law enforcement agencies, referring to concerns that the MLAT (mutual legal assistance treaty) is too slow and creates massive challenges for crime-fighting authorities. The second part authorizes the US to enter into executive agreements with foreign states. On October 3, 2019, the US and the UK entered into the world’s first-ever CLOUD Act Agreement – the US-UK Bilateral Data Access Agreement. This agreement allows law enforcement agencies of both countries to demand, with proper authorization, electronic data regarding serious crime directly from tech companies based in the other country.
No EU member states have signed such an agreement with the US. MLAT is still the norm for cross-border data discovery as the optimal mechanism for law enforcement requests for data involving EU data controllers or processors.
On July 16, 2020, the Court of Justice of the European Union (CJEU) released the Schrems II judgment, which had significant implications for users of US cloud services. The CJEU annulled Decision 2016/1250 on the adequacy of the protection provided by the EU-US Privacy Shield, and reiterated the fact that it considered Commission Decision 2010/87 on standard contractual clauses (SCCs) for the transfer of personal data to processors established in third countries to be valid. The clauses contain obligations for both data exporters and data importers who transfer personal data to counties outside the EU and receive such data from the countries outside the EU.
In practice this means
Customers of US cloud service providers must now verify the recipient country's data protection laws, document its risk assessment, and confer with its customers. The full list of non-EU countries that the EU considers to have an adequate level of data protection is available on the European Commission website.
On May 19, 2021, the European Data Protection Board established by the General Data Protection Regulation (GDPR) adopted the Cloud Infrastructure Services Providers in Europe Data Protection Code of Conduct (CISPE Code), the first pan-European data protection code of conduct for cloud infrastructure service providers under Article 40 of the European Union’s General Data Protection Regulation. One of the key advantages offered by the CISPE Code that goes beyond GDPR is retaining sovereignty over data by giving an option to select services that store and process customer data, ensuring it remains within the EU. It helps EU organizations to ensure that their cloud service providers are in compliance with GDPR and to avoid the uncertainty caused by the Schrems II ruling.
The CLOUD Act is so-called “encryption neutral”. It does not give US law enforcement agencies any new powers to compel a service provider to break the encryption of communications. Also, the CLOUD Act neither prevents a service provider from assisting the customer in encrypting their information nor places restrictions on foreign countries having their own rules regarding decryption in domestic law.
On October 11, 2020 the US released an international statement: End-To-End Encryption and Public Safety. This statement calls on technology companies to collaborate with governments on mutually agreeable solutions, pointing out that today's end-to-end encryption solutions preclude all access to content, even when investigating the most serious crimes. This initiative has already been signed by the governments of the UK, Australia, Canada, India, Japan, New Zealand, and the US.
In November 2020, the European Council adopted a resolution on encryption: Security through encryption and security despite encryption. It calls upon EU member states to join forces with the tech industry to find the right balance between security despite and through encryption, develop a regulatory framework, and innovate investigative capabilities around encryption.
To add to the list of regulations you should be aware of, there is also Gaia-X. Gaia-X is a European initiative to promote and develop the digital economy by establishing the next generation of data infrastructure: an open, transparent, and secure digital ecosystem where data and services can be made available, collated, and shared in an environment of trust. One of the aims of this initiative is to mitigate dependency on overseas providers by bringing together people from different companies, research institutions, associations, administrations, and political parties to form a European cloud provider ecosystem and to build solutions that can be protected by European data laws. CISPE is one of the founding members of Gaia-X.
We will continue to combat requests that are contrary to digital sovereignty in terms of overseas laws. While we are witnessing what is happening on the legal battlefield and wondering whether our information may be the subject of a criminal investigation, we must ask ourselves if our security practices are strong enough to confront the real cybersecurity threat.
In real life, attackers don't care where a workload is located, and in fact, an attack might move from the on-premises local network up to the cloud and vice versa. Security experts need visibility that spans all environments to understand the broader picture of what malicious actors might be doing. The high road for handling security issues is having insight in the form of a centralized dashboard that combines both preventive and reactive measures to ensure a holistic approach.
To future-proof your business, your organization needs data classification and a multi-cloud strategy that can secure safe data flow across different environments and ensure business continuity. This strategy must comply with global, local, regional, and industry-level regulatory requirements.
In our next blog, we will discuss more about how organizations can manage the regulatory maze and give some practical examples.