the cloud act featured image

The CLOUD Act: What you need to know

Where does my personal information reside and do I need to care about it? This question becomes more pertinent as we move towards the end of one digital decade and into the beginning of another.

Data implications at the end of the 2020s

Back in the 20th century, few people realized the scale of the battle for data that would follow. Anyone that has a computer device and/or access to the internet has a stake in the game. The payoffs include profit, influence, control and the ability to access information about an individual or a company from behind the scenes.

As companies continue their quest to become more integrated and connected to their customer base, the need for privacy and data protection rises. Since there are no clear boundaries to a company with a web address, the stage is set for international fraud and cybercrime levels to escalate. This in turn opens the door for governments to draft new laws and to reach over across borders on the hunt for data leads; their actions justified by the need to protect individuals’ data. Thus, the void between data privacy and data disclosure becomes more exaggerated. At the same time, the principle of territoriality, a fundament of international law, slowly fades.


The recent introduction of the ‘Clarifying Lawful Use of Overseas Data Act’ (otherwise known as the CLOUD Act) by the American government, serves to strengthen the case for cross-border government surveillance. Primarily the CLOUD Act amends the Stored Communications Act (SCA) of 1986. It allows federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil. Up until 23 March 2018, the only way for the American government to access overseas data had been to form a Mutual Legal-Assistance Treaty, an agreement whereby two countries consent to share information and work together to solve a legal investigation.

The CLOUD Act gives due consideration to data encryption. It also discourages the government from using it to insist that companies loosen their encryption. This is a process integral to the security of data. Nonetheless, many consider the Act to be flawed on a fundamental level. Among other concerns, it stands out that the Act was drafted in an abrupt manner. Additionally, it was issued without a publicized in-depth discussion as a part of the government’s spending bill, the Omnibus. Moreover, the CLOUD Act enables foreign countries to enter into an “executive agreement” with the US. President, the State Department, or the Attorney General and request data stored in the US by directly contacting companies and effectively circumventing the government’s scrutiny. Consequently, a wave of negative feedback was unleashed on the web as a reaction to the foreseeable global implications to human rights and international law.

Application of the CLOUD Act

The CLOUD Act already applies to technological firms like Google, Facebook, Twitter and Instagram. Facebook and Google actually contributed to the new legislation draft along with Apple and Microsoft. The government’s collaboration with these companies indicates a shift in balance towards the large scale technical solution provider. All enterprises will have the responsibility to assign a legal representative for data disclosure matters. On their end, the smaller entities, the startups and innovators, may struggle with the additional administrative load.

The global agenda

As a result of the Cloud Act, the European Commission has made a legislative move to enable data information requests. The Commission will also clear the way for the use of electronic evidence stored by EU-registered companies, regardless of specific member state privacy laws. It logically follows that the act will lead to a chain reaction. Other countries will mirror the data disclosure laws and also demand information across borders. In turn, this may lead to an overall degradation in the level of data privacy across the globe.

What does this mean for CloudSigma?

CloudSigma has a unique position among a sea of uncertainty rising around the Cloud Act. CloudSigma silo’s each cloud location that it operates wherever it may be in the world. For example, an Australian entity runs its locations in Australia. Thus, they are subject only to Australian law. Likewise, its Swiss locations are not subject to EU, US or any other jurisdiction barring Switzerland. Therefore, CloudSigma customers can easily control under which jurisdictions to operate.

Further, customers can ensure that they themselves comply with the relevant data protection requirements they may be subject to. This is in stark contrast to the globalised approach of many other providers. This approach exposes customers to potentially numerous jurisdictions including the US and elsewhere. Thus, data could be accessible against their will and in violation of local data privacy laws. As a result, the data could expose them in turn to liability through no fault of their own. Such a scenario is avoidable through using a provider such as CloudSigma.


About Zhenya Mocheva

Zhenya is a Digital Marketing Expert at CloudSigma, focusing on brand strategy, social media marketing and digital marketing campaigns. She is passionate about the continuous innovation within the digital environment and the endless growth opportunities that inbound marketing brings.