The CLOUD Act: What you need to know

Where does my personal information reside and do I need to care about it? This question becomes more and more pertinent as we move towards the end of one digital decade and into the beginning of another.

Data implications at the end of the 2020s

Back in the 20th century, save for some bright minds, no one realised the scale of the battle for data that would follow. Anyone that has a computer device and/or access to the internet has a stake in the game. The payoffs: profit, popularity and influence, to name a few, but most importantly control and the ability to access information about an individual or a company from behind the scenes.

As companies continue their quest to become more integrated and connected to their customer base, the need for privacy and data protection rises. Since there are no clearly defined boundaries to a company with a web address, owing to the global nature of the internet, the stage is set for international fraud and cybercrime levels to escalate. This in turn opens the door for governments to draft new laws and to reach over across borders on the hunt for data leads; their actions justified by the need to protect individuals’ data. So, the void between data privacy and data disclosure becomes more exaggerated, while the principle of territoriality, a fundament of international law, slowly fades.


The recent introduction of the ‘Clarifying Lawful Use of Overseas Data Act’ (otherwise known as the CLOUD Act) by the American government, serves to strengthen the case for cross-border government surveillance. Primarily the CLOUD Act amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil. Up until 23 March 2018, the only way for the American government to access overseas data had been to form a Mutual Legal-Assistance Treaty, an agreement whereby two countries consent to share information and work together to solve a legal investigation.

The CLOUD Act gives due consideration to data encryption and discourages the government from using it to insist that companies loosen their encryption, a process integral to the security of data. Nonetheless, many consider the Act to be flawed on a fundamental level. Along other concerns, it stands out that the Act has been drafted in an abrupt manner and issued without a publicised in-depth discussion as a part of the government’s spending bill, the Omnibus. Moreover, the CLOUD Act enables foreign countries to enter into an “executive agreement” with the U.S. President, the State Department, or the Attorney General and request data stored in the US by directly contacting companies and effectively circumventing the government’s scrutiny. Consequently, a wave of negative feedback has been unleashed on the web as a reaction to the foreseeable global implications to human rights and international law.

The CLOUD Act already applies to technological firms like Google, Facebook, Twitter and Instagram. Facebook and Google actually contributed to the new legislation draft along with Apple and Microsoft. The government’s collaboration with these companies indicates a shift in balance towards the large scale technical solution provider. As all enterprises will have the responsibility to assign a legal representative for data disclosure matters, the smaller entities, the startups and innovators, may struggle with the additional administrative load.

The global agenda

As a result of the new legislation, the European Commission has also made a legislative move to enable data information requests and to clear the way for the use of electronic evidence stored by EU-registered companies, regardless of specific member state privacy laws. It logically follows that the act will lead to a chain reaction, whereby other countries mirror the data disclosure laws and also demand information across borders which may lead to an overall degradation in the level of data privacy across the globe.

What does this mean for CloudSigma?

CloudSigma has a unique position among a sea of uncertainty rising around the newest data disclosure law. CloudSigma silo’s each cloud location that it operates wherever it may be in the world. It’s cloud locations in Australia are run by an Australian entity making them subject only to Australian law. Likewise it’s Swiss location is not subject to EU, US or any other jurisdiction barring Switzerland. Customers of CloudSigma can therefore easily control which jurisdictions they are exposed to and ensure that they themselves comply with the relevant data protection requirements they may be subject to. This is in stark contrast to the globalised approach of many other providers that exposes their customers to potentially numerous jurisdictions including the US and elsewhere. This may cause data to be accessed against their will and in violation of local data privacy laws, exposing them in turn to liability through no fault of their own. Such a scenario is avoidable through using a provider such as CloudSigma.

Share this Post

About Zhenya Mocheva

Zhenya is a Digital Marketing Expert at CloudSigma, focusing on brand strategy, social media marketing and digital marketing campaigns. She is passionate about the continuous innovation within the digital environment and the endless growth opportunities that inbound marketing brings.