How the CLOUD-Act works in data storage in Europe

Blog post | 16-08-2022 | NCSC

Information processing in the digital domain is an international affair. The storage, transport and processing of information often ignore national borders and are certainly not limited by this. In addition, and partly because of this, countries make legislation and regulations for the digital domain that also influence data processing outside their national borders. As a result, data processing is subject to different legal and regulatory regimes, which can conflict or interfere with each other. For example, measures that apply to security or granting access to sensitive information and (personal) data.

One of the most discussed examples of conflicting legislation is the US CLOUD-Act (in full Clarifying Lawful Overseas Use of Data Act) and European data protection and information security rules. European data that is processed or stored in the US must be secured by the GDPR (European legislation, the European General Data Protection Regulation in the Netherlands, the AVG). At the same time, this data also falls under the American legal regime that monitors access to that data. The CLOUD-Act allows federal law enforcement in the US to subpoena or subpoena technology companies to provide requested data from users, even if that data is stored on foreign territory. Many experts assume that this risk does not exist if a European service provider processes data and certainly if that takes place within Europe. From a legal point of view, however, this is more nuanced, and the US CLOUD-Act may also apply to data processing operations outside the US, for example, in the EU.

The NCSC has asked the law firm, GreenbergTraurig, to interpret this issue with the critical question:

• To what extent can a European company or organisation be covered by the CLOUD-Act, even if it is not based in the US?

The impact of extraterritorial legislation

One of the central conclusions is that, contrary to popular belief, European companies and data storage in Europe are not immune to non-European legislation, such as the US CLOUD-Act. Data and (personal) data that are processed and stored in Europe, and therefore in principle, are and remain in Europe, sometimes fall under American law and can be requested by the American government based on the CLOUD-Act. And that is sometimes even possible at European companies that do all the processing and storage entirely in Europe. In their analysis, GreenbergTraurig goes into detail about the conditions and circumstances in which this occurs and discusses several measures that can be taken to limit this risk as much as possible.

The analysis concerns the extraterritorial effect of the CLOUD-Act in Europe. By extra-territorial, we mean that legislation does not only apply within the borders of the country that made it (in this case, the US), but it also applies elsewhere in the world – so here we have looked at its functioning within the EU. Legislation that can be used both within and outside national borders is increasingly happening worldwide – especially in the digital domain. A well-known, existing one is the GDPR (in the Netherlands, the AVG), which applies not only in the EU but also to European data processing outside of it. Other European legislation, such as the Digital Markets Act (DMA) and Digital Services Act (DSA), also work in this way. Data legislation with an extraterritorial effect is also increasingly being introduced outside the EU and the US, from Australia and South Africa to India and China. The latter is relevant because hardware and software (as well as other digital services) increasingly come from China. One of those Chinese laws with an extra-territorial effect is the Data Security Law. The DSL is, to some extent, a response to the US CLOUD-Act and regulates the processing of data in China and data or information outside China when it is "relevant to China's national security or other social interests."

GreenbergTraurig's analysis concerns only one of the extraterritorial laws that intervene from outside the EU on the security of information and data within the EU. The US CLOUD-Act is the best known and most analysed of these laws and has therefore been chosen as an example. So there are more, of which it is not entirely clear what the exact impact is or will be on data processing in the EU or at European digital service providers.

The analysis shows that, in the case of the US CLOUD-Act alone, it is challenging for a data owner or controller to determine whether a service or service provider is subject to extraterritorial influences from non-European legislation. This is not only determined by various factors at the supplier but also by the supply chain and the companies that are active in it. This requires thorough risk analyses and realising that it is impossible to exclude extraterritorial influences completely. As the use of extraterritorial legislation continues to grow internationally – and it is expected that this will undoubtedly be the case for legislation in the digital field in the coming years – the complexity in the practical application and compliance of such (European) legislation will only increase. Organisations and companies must always ask themselves against which extraterritorial legal regimes, and therefore countries, they will and can arm themselves and what that means in terms of supplier choice and the use of additional control measures. In terms of compliance, however, it also means that companies and organisations are, in fact, less able to guarantee or ensure that the information they process is sufficiently protected against viewing by foreign, non-European, powers.

Written by:
Paul van den Berg, 
Strategic Vendor Relations Cybersecurity

Click here for a follow-up to this article and answer to the question: what is the risk of information in Europe being requested by the U.S. government based on the CLOUD act?