The American Government has recently passed legislation that will grant it more access to digital data. The “Clarifying Lawful Overseas Use of Data” or CLOUD Act was a last-minute addition to the $1.3 trillion federal spending bill, which was signed into law by President Donald Trump this past March. The controversial act allows both U.S. officials and foreign governments more access to personal data stored in the cloud.
This new legal framework supersede MLATs (the “Mutual Legal Assistance Treaties”) that formerly facilitated data access. Many see the CLOUD Act as a refreshing change from the complicated series of bilateral and multilateral treaties that MLATs consisted of. However, there are apprehensions around the act and its inconsistencies.
As with any new legislation there is much to unpack. Here is our ultimate guide for Canadians who will be directly affected by the CLOUD Act.
What Is U.S. CLOUD Act?
Officially enacted on March 23rd 2018, the CLOUD Act gives the American government more access to the private data of its own citizens. It also helps foreign governments attain data held by U.S. providers.
This act amends the Stored Communications Act (SCA) – part of the Electronic Communications Privacy Act of 1986. The SCA covered requirements for federal and state law enforcement to obtain stored communications. It also determined the circumstances in which service providers could disclose the communication records of their customers. Both the U.S. government and major tech companies believed that this dated act could not withstand today’s world of electronic communications.
Why Is the CLOUD Act Controversial?
It has long been requested that the SCA become modernized. Under the CLOUD Act, American authorities can now issue a warrant or subpoena to compel U.S. based service providers to present requested data. This applies to service providers located in both the U.S. and in foreign countries such as Canada. The U.S. government has given itself the power to request data even when it breaches foreign law.
For many companies, this new act poses a problem. Government A might issue a subpoena for data stored in Country B. A conflict could arise if Government B requires a more protective warrant instead of a subpoena. Now the company storing the data is in a difficult situation. How can they comply with one country’s laws when they violate the laws of another country?
The CLOUD Act extends the reach of law enforcement, but no update has been made to the law requiring a warrant for content. Typically, officials are obliged to show a reason for investigating a suspected criminal or possible crime. But current law does not impose a standard of probable cause for electronic communications. This discrepancy has been recognized by America’s most high-ranking law enforcement officers and has been fixed in similar bills. However, the CLOUD Act remains untouched.
This new legislation does little to help fix the mutual legal assistance treaty system that is currently in place. The MLAT system has been the main procedure for exchanging evidence across borders. It was built on privacy protection and reciprocity – principals that are missing from the CLOUD Act.
What Does This Mean for Canadians?
Do you know who has control of your data? This question is becoming more and more imperative for Canadians. Sectors such as health care and education (particularly those located in provinces with stricter data laws such as British Columbia) should be especially aware of the location and availability of sensitive client information.
Some larger cloud companies can appear to be trustworthy providers if they have data centres located in Canada. But location means nothing if these companies are American-owned.
Where your data is being held and who has access to it is information that you need to know. If you are choosing a service provider, Server Cloud Canada recommends asking the following questions:
- Even if the data centre is located in Canada, is the cloud provider a Canadian company, who understands data sovereignty?
- Can I trust how the cloud provider will handle my data?
- Can I protect the data against unauthorized access or retrieval?
- Can I trust the data always stays in the host country?
This new bill presents many modified and seemingly scary changes to the nature of data storage. If you are feeling unsure, our experts would be happy to help provide peace of mind that your critical information is protected.