'Small chance' of U.S. government accessing European data under CLOUD Act

By our experts

In August, the NCSC published a research report on the CLOUD act, prepared by the law firm Greenberg Traurig. The report describes the impact of extraterritorial legislation from outside Europe on the security of data processing in Europe (at European digital service providers). For that study, the U.S. CLOUD act was specifically examined because it is a widely known and well-documented example of extraterritorial legislation.

The choice to focus on the CLOUD Act did not stem from an assumed substantial threat from that legislation. Nevertheless, after the study was published, we received several inquiries about the risk of information being requested by the U.S. government based on the CLOUD Act. We asked Greenberg Traurig to map this out.

Risk management is at the heart of adequate security of (personal) data. The integral risk analysis that underlies it requires a clear assessment of the probability and impact of the various risks. This makes it possible to distinguish between hypothetical risks and actual risks. Greenberg Traurig's research shows that while the risk of the U.S. government gaining access to European (personal) data, specifically on the basis of the CLOUD act, is conceivable, yet in practice also (very) small.    

This insight is important for organizations when making risk assessments around the deployment of certain digital services and facilities. Whether this involves proprietary on-prem services or, for example, the use of (public) cloud services.

Combined with the previous research, we can state that in principle it does not matter whether organizations invest data processing and/or storage with U.S. suppliers or whether they do so with European suppliers under U.S. jurisdiction. The CLOUD act is just one example of extraterritorial legislation impacting data processing in Europe. Other countries also have such legislation. What the actual risk of this is has not been investigated with this.

Written by:
Paul van den Berg, 
Strategic Vendor Relations Cybersecurity

Leave a comment

You can leave a comment here. Inappropriate comments will be removed. Comments are limited to 2,000 characters.

* mandatory fields

Comments are limited to 2,000 characters.


No comments have been published yet.