Legal
THE CLOUD ACT AND ITS EFFECT ON ESTONIAN DATA STORED ON THE CLOUD

On March 23, the Clarifying Lawful Overseas Use of Data Act (or CLOUD Act) was adopted in the United States. This is an addendum to the Stored Communications Act from thirty years ago, which now gives U.S. authorities the right to compel service providers registered in the United States to provide requested data even if it is stored on servers that aren’t located on U.S. territory, writes ADM Hosting Managing Partner Klemens Arro.

The CLOUD Act was enacted by the U.S. Congress last week because American service providers had successfully proven in court that subpoenas issued based on the Stored Communications Act do not apply to data stored outside of the U.S. This even in the case that the data is controlled by U.S. service providers, i.e. it is stored on servers that belong to them.

How does the CLOUD Act affect Estonian companies?

Theoretically, the new law affects all people and companies who use services provided by companies registered in the U.S. – be that Google or its service Gmail, Microsoft and Office 365, Dropbox, SalesForce or some other cloud service provider with its main headquarters located in the U.S. but servers spread out in different corners of the world. Even though it might now seem that the government has direct and unlimited access to data belonging to clients of cloud services, including Estonians, that’s fortunately not the case. Authorities from the U.S. and other countries must present each data query separately and always with sufficient justification for the request. This must be done regardless of the law that governs the particular data request. If the query is not valid, the service provider will, as a rule, contest it and refuse to give out the requested data.

Even though the CLOUD Act applies to all U.S. service providers and all of the cloud services they offer, it’s important to know that different types of clouds offer clients different options for protecting their data. Whereas the aforementioned corporations usually offer Software as a Service, or SaaS, Amazon’s AWS cloud service is an example of Infrastructure as Service, or IaaS. With SaaS cloud service, the service provider administers the products and services. That means, for example, that Microsoft is the one who administers Office 365 client applications, data and everything else on the cloud. There isn’t much that the client can do because the owner of the cloud is in control. With IaaS cloud service, each client decides for themselves how many resources, including hardware, they need and what services they’ll use. With the example of Amazon AWS, if a client limits access to their services to only certain people, then no one (including governments and the service provider) can access the data without the client’s encryption key. AWS also always lets the client know when someone makes a request to access their data (Guidelines for access to AWS data:
http://d0.awsstatic.com/certifications/Amazon_LawEnforcement_Guidelines.pdf). Therefore, the client can challenge the data request.

From a data protection perspective, there is another important difference between SaaS and IaaS cloud services. With SaaS services, the client should keep in mind that the whole crypto chain is in the hands of the service provider, making it easy to create a cryptographic backdoor without the client’s knowledge. With IaaS solutions, clients can set up their services and encryptions in a way that they are not accessible to the service provider or anyone else.

What can companies do to protect their data?

Even though flexible and adaptable IaaS type cloud services (such as Amazon AWS, Google Cloud or Microsoft Azure) seem essentially safer, users of SaaS services need not worry if they use independent encryption solutions before loading their data onto a cloud server.

No matter the type of cloud service, the client is the one who decides on the access and safety of their data. If all data kept on a cloud (both stored and transmitted) is always encrypted, the key is safe and access is limited, then it doesn’t matter what third party asks for access or who stores your data where. There is nothing anyone can do with the data unless they ask the client for their encryption key.

Protecting data from strangers is important for all services, data and clients no matter their field or changing laws, which is why cloud service providers constantly reiterate the importance of encryption. Therefore, most cloud services have made encryption so easy, cost-effective and accessible that clients should always take advantage of the opportunity. The same principle applies when data is stored on physical servers.

Therefore, by familiarizing themselves with new laws such as the CLOUD Act and encrypting their data, companies can do their part in protecting sensitive information in our constantly changing regulatory environment. And if you fall a bit short on your own, your IT-partner and cloud service provider is ready to help.