
What is the Cloud Act?

May 25, 2021


The Cloud Act is a United States federal law, enacted in 2018, which asserts that U.S. data and communication companies must provide stored data for a customer or subscriber on any server they own when requested by warrant from a U.S. law enforcement agency.

However, the act contains mechanisms for companies or courts to challenge such requests if they believe the request violates the privacy rights of the foreign country where the data is stored.

Cloud Act vs GDPR

Concerns from EU authorities

The European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB) view the Cloud Act as a law that may conflict with the GDPR. They have conducted an official review of the act.

They highlight that Article 48 of the GDPR requires that any order from a non-EU authority requesting the transfer of personal data outside the EEA must be recognized by an international agreement (such as an MLAT) to be valid.

A quote from the official report states:

“We are of the view that currently, unless a US Cloud Act warrant is recognised or made enforceable on the basis of an international agreement, the lawfulness of such transfers of personal data cannot be ascertained…”

Need for international agreements

Because of this, EU authorities have stated that new MLATs between the EU and the US are urgently needed so the Cloud Act can be incorporated into the EU’s legal framework, which it currently is not.

Challenges for Organizations

Jurisdiction issues

Many organizations fall under U.S. jurisdiction, including:

  • Businesses using cloud storage solutions owned by U.S. companies
  • EU organizations with U.S. customers or subscribers

This creates complex legal exposure.

Legal conflict

An EU-based company that complies with a U.S. warrant requiring transfer of personal data may be in breach of Articles 44 and 48 of the GDPR if no international agreement exists. On the other hand, if the company refuses to comply, it risks violating U.S. law.

A Legal Dilemma

Organizations are put in a difficult position where they must choose which law to follow. Currently, there is no clear, universally accepted solution until further legislation is introduced.

How to Navigate the Situation

With regulations evolving rapidly, especially as more services move online, it is easy for organizations to unintentionally fall out of compliance. Partnering with experts can help ensure:

  • Compliance with the latest legal requirements
  • Reduced risk of penalties
  • Better handling of cross-border data issues

Choosing local and secure cloud hosting partners, such as providers based in Sweden, can also minimize risks related to laws like the Cloud Act.