Could the US CLOUD Act force UK channel companies to break GDPR?


Although the channel won't likely have much to fear from corporate espionage, the US Clarifying Lawful Overseas Use of Data (CLOUD) Act may yet increase costs and complexity, especially in the face of post-Brexit GDPR reform.

Nigel Seddon, vice president of EMEA West at IT services management vendor Ivanti, says the act will probably increase complexity in relationships and global supply chains already struggling with different data handling regimes from the EU to Singapore and beyond.

"You've got the dynamics of the UK now being separate from Europe, and here is yet another country, creating its own specific rules and regulations," Seddon points out.

Seddon notes that computer records are already increasing "tenfold" because electronic evidence is now required from online services providers in a majority of criminal investigations. Some 85% of European criminal investigations require such evidence.

Additional data storage means extra cost, and the "number two expense" is the need for B2B services providers to learn how to handle related legislative queries with the correct levels of impartiality, authority and accuracy.

Another edge for the larger players

If you get the feeling this will disadvantage SMBs and sharpen the edge of large services providers with extensive legal and intellectual resources to devote to such tasks, Seddon agrees.

"More due diligence is going to be needed to understand the organisations and data you're working with to work out whether it's worth taking on a project – with potential implications to cost and brand if you mess up," Seddon notes.


The CLOUD Act was passed under President Donald Trump in March 2018 to help US agencies pursue criminal activity by enabling them to request data held by service providers in other jurisdictions.

The UK signalled its cooperation with this law by passing the Crime (Overseas SCA orders) Act in 2019 – but while the UK remained bound by the EU's GDPR, it wasn't clear whether UK providers would be subject to such requests.

John Story, general counsel and chief data ethics officer at cloud platform provider Acoustic, notes the CLOUD Act conflicts with GDPR, giving US law enforcement powers to request data stored by US companies on servers outside the US.

"This extra-territorial compulsion has raised concerns about the safety of information in the cloud and potential conflicts with EU and UK data laws, including GDPR," he says.

"Under US law, the service provider has to accept the request. But under European and UK regulations, there must be a lawful basis for processing that data."

All still to play for with GDPR reform

Michael Queenan, chief executive of cloud services brokerage Nephos Technologies, thinks nothing will change in the short term due to the CLOUD Act.

However, the UK can now diverge from GDPR, having announced in August that it will reform data protection law.

"It might mean UK data needs to reside in the UK in the future. That would be a large change," Queenan says.

Christina Walker, global channel sales and programmes director at data erasure software vendor Blancco, says most of Blancco's UK channel have reported that they're data managers only – not data owners – and therefore don't expect "a tonne" of legal complexity.

"The CLOUD Act was to create a more effective process, instead of taking 10 months to get data that can help close a crime. And Google or those US cloud providers can and do reject requests," Walker points out.


The UK's enabling Act is about protecting its citizens amid the continued evolution of the US cloud, streamlining a process to reject requests from the US government, Walker explains.

On the other hand, Fredrik Forslund, vice president of cloud and datacentre erasure solutions at Blancco and a director of the International Data Sanitisation Consortium (IDSC), says that the "jury is still out".

Real-world ramifications

The CLOUD Act was initially about helping the US Federal Bureau of Investigation (FBI) carry out its duties and expectations more easily, but since then it has experienced mission creep. Bodies including the CIA and National Security Agency (NSA) may now also gain access, suggesting requests could go beyond crime-fighting into more political interests, Forslund suggests.


"In Europe, local and regional companies are using the CLOUD Act to promote their commercial alternatives to any US cloud service," he says. "They have a golden opportunity to promote a distinct difference as part of their commercial messaging."

US tech giants will naturally wish to comply with their national interests, but this won't be seen that way everywhere, he says. How will business partners in China, Iran or Russia feel about greater exposure to US legislation, for example?

Forslund also wonders whether UK public sector contracts might pull back from US cloud services for sensitivity reasons, as well as the expected rise in cost and complexity for IT providers.

"It can be really complicated to pull specific data out of these cloud architectures, and then being able to combine the technical aspect of it with the administrative aspect of the document. What you're looking for and how it has been approved, and that is a burden," says Forslund.

Fleur Doidge is a journalist with more than twenty years of experience, mainly writing features and news for B2B technology or business magazines and websites. She writes on a shifting assortment of topics, including the IT reseller channel, manufacturing, datacentre, cloud computing and communications. You can follow Fleur on Twitter.