In March 2018, the US government passed legislation referred to as the CLOUD Act (Clarifying Lawful Overseas Use of Data), permitting United States law enforcement to access the data of any US citizen or US company hosted by US-based corporations, regardless of the jurisdiction in which the data resides.
In May 2018, the European Union (EU) passed the General Data Protection Regulation (GDPR), which defines how EU citizen data must be handled both within the EU and abroad. It places a significant legal burden on what the regulation terms “processors” and “controllers” of information, regardless of whether they operate within the EU or not.
Both sets of legislation, for different reasons, have far-reaching international impacts on the ICT business domain. However, they also present opportunities, particularly in the commercial cloud sector. This is the first of two articles that provide an overview of the USA CLOUD Act and the EU GDPR and how they can be "used" to grow the commercial cloud sector in the Caribbean. This first article focuses on the USA CLOUD Act.
Defining the CLOUD Act
The CLOUD Act is primarily concerned with obtaining access to data for US law enforcement purposes. It owes its origins to a legal case between the US government and the Microsoft corporation, often referred to as the Microsoft Ireland case, concerning the right of the US government, under the existing Stored Communications Act, to access information stored in the Microsoft cloud but physically located in another jurisdiction. The US authorities believed they had the right to access the information even though it was physically stored in another jurisdiction. Microsoft challenged whether the existing US laws had extra-territorial jurisdiction over the data. The legal battle went all the way to the US Supreme Court. However, before the Supreme Court could rule on the case, the CLOUD Act was adopted by the US Congress and signed into law by President Trump. This effectively “mooted” the court case. Both the US government and Microsoft agreed to have the case terminated at the Supreme Court, as both parties were satisfied that the CLOUD Act clarified the data access issue which had initiated the case in the first place.
The central aims of the CLOUD Act are to:
- allow US government authorities access to information stored on servers operated by US-based corporations, regardless of where those servers are located (i.e. in other jurisdictions);
- provide safeguards that allow corporations to challenge requests for information; and
- provide a mechanism for foreign governments to access information stored in the USA.
On this last point, the mechanism effectively requires US authorities to approve which countries qualify to access information stored in the USA.
This legislation co-exists with the USA Patriot, Freedom and FISA Acts, all of which incorporate clandestine elements that essentially allow US authorities to access information on non-US subjects via US companies and companies operating subsidiaries in the USA, regardless of where the information is stored. Suffice it to say that if you are a US company providing international cloud services, you are subject to the CLOUD, Patriot, Freedom and FISA Acts, making it extremely difficult, if not impossible, to say “no” to providing information to US authorities when they come knocking on the door.
Each of these major pieces of legislation offers opportunities to extrinsic managed cloud service providers and to countries, such as the CARICOM countries, to develop a thriving cloud services sector.
Where to Host Your Data: Opportunities Under the CLOUD Act
The CLOUD Act gives extrinsic managed cloud service providers (eMCSPs) that are not subject to US regulation the opportunity to provide genuine data privacy for organizations residing outside of the USA. In regions such as CARICOM, it provides an opportunity for small and medium-sized eMCSPs to step up and differentiate themselves from the larger players, such as AWS, Google or Microsoft. Regardless of where these large global players locate their cloud infrastructure or host their data, they are subject to US legislation. A hosting provider with no affiliation to the US is not obligated to grant the US government access to data; its only obligation is to remain compliant with the laws of the jurisdiction in which the data resides. Understanding the jurisdiction in which data resides is now more imperative than ever before. At the time of writing, no countries have entered into CLOUD Act agreements with the USA, and using US-based hosting companies only increases the liability and risk attached to data.
The CLOUD Act also presents the opportunity for more cloud and managed service providers to operate in the Caribbean and Latin America. As our CEO Scott MacKenzie mentioned in an article for Nearshore Americas, “One of the reasons [Cloud Carib operates in] this region is because the Caribbean has been trusted with people’s money for 50 years. Now, the new valuable commodity is data, so we are pushing to make it the trusted region for data, an opportunity that it is mature enough to handle.”
After all, if there are alternatives that meet the required level of service sophistication, why host your data in a US-based data center or with a US-based hosting provider? If data privacy is a high priority for your organization, why not reduce exposure by leveraging the cloud computing services of an extrinsic provider who can guarantee that your data will not cross borders or be susceptible to US surveillance legislation such as FISA and the Freedom and CLOUD Acts?
In Part One of this series we have discussed the USA's CLOUD Act and its implications for managed service providers in the Caribbean. Stay tuned for Part Two, in which we discuss Europe's GDPR and how it in turn affects the region. To stay informed, subscribe to our blog and be the first to know when Part Two is released.