If European GDPR legislation is all about increasing user transparency of data, the CLOUD Act, in contrast, has a secretive component. In reality, the CLOUD Act means that US law enforcement can demand that data and emails be handed over if stored by a US corporation, regardless of where in the world the data is stored.
Be prepared to meet these challenges with SkyFlok: an encrypted cloud storage and sharing service made in Denmark that puts you in control of your data privacy and where you store it.
Do not let others decide on your data privacy. Protect your and your clients’ files with SkyFlok!
For the past months, everyone has been focusing on the GDPR deadline of the 25th of May. In the meantime, the passing of another important new piece of privacy and security legislation, with big implications for European businesses using cloud services from US tech giants, went almost totally unnoticed.
On 22 March the so-called CLOUD Act (Clarifying Lawful Overseas Use of Data) was passed by the US Congress, as part of a 2232-page, $1.3 trillion spending bill.
Handing over data to US Law enforcement
In reality, the CLOUD Act means that US law enforcement can demand that data and emails be handed over if stored by a US corporation, regardless of where in the world the data is stored. This has serious implications for European organisations using public cloud services.
Cloud services from Microsoft, Amazon and Google are cheap and easy to use, and perfect for certain types of data. However, they might not be the right place for all types of data. Digitally mature organisations have already discovered the advantages of a hybrid cloud strategy, and the US CLOUD Act is yet another argument for why a hybrid cloud strategy is where we’re heading.
Recognising that not all data should be treated in the same way, and defining which data should be stored in local cloud solutions and which can go up in the public cloud, becomes imperative for responsible organisations.
Some sectors are more digitally advanced than others in this respect. The financial sector, for example, has long acknowledged the need for sensitive data to be stored with local cloud solutions, as have many public sector organisations dealing with confidential personal data.
A proper risk analysis will reveal which data is suitable to be stored in a public cloud and which is not. This risk analysis should also take into consideration areas such as cloud-based email services like Office 365 and Google’s G Suite, which run in the public cloud.
So with the CLOUD Act in place, what should European organisations do?
- Be aware of the existence of the CLOUD Act and its potential implications for your business.
- Conduct a proper risk analysis, covering all areas of operations, including the use of cloud-based email services. If sensitive or confidential data is being communicated, consider using an encrypted email service.
- Adopt a hybrid cloud strategy, which clearly defines which data can be stored in public cloud services, and which should be stored in data centres operated by European managed service operators.
- If you have large amounts of customer data, and would like to alert them if you do get a request to hand over personal data under the CLOUD Act, you might want to consider adding a warrant canary clause on your website.