There’s been a big development in the DoJ v Microsoft case which we’ve covered before. This is the case where the DoJ had been seeking to rely upon a broad interpretation of legislation passed before email and cloud services became prominent to get access to data held in Microsoft’s Dublin datacentre. As part of this ongoing battle, the US government has passed another stupidly appropriately named law, the CLOUD Act (Clarifying Lawful Overseas Use of Data Act). This requires a provider to “preserve, backup or disclose” data even if the data is held outside the USA. This clarity is useful and enables Microsoft and other providers to point to a clear obligation to comply with an up-to-date law.
However, given how long this battle has lasted and the principles at stake, I can’t imagine cloud providers will simply roll over now. I anticipate providers will try to show that data outside the USA is not in their “possession, custody, or control” as required by the Act, but that of someone else – the customer or a third party, maybe? Or they might offer data encryption as standard, with the customer holding the decryption keys. The provider might hand the data over but – without the key to decrypt it – the data would be useless. Unless, of course, the NSA is able to decrypt it.
This new Act might fan the flames of the ongoing claim that Privacy Shield is no more valid than its defunct predecessor, the Safe Harbor. Finally, we wait to see whether the new European Data Protection Board appointed under GDPR will recognise this as a “necessary and proportionate measure…to safeguard national security” or as an attempt to overreach and undermine GDPR from afar.
My comments on this update were first published by The Register. Go read their article for the full story.