Time to consider which jurisdiction your data is stored in
If you work in privacy, chances are you’ve thought at least somewhat about where your data is stored — and this is the year where we all need to be thinking about that, all of the time. To cement this into the minds of every person reading this, I will discuss the recent passing of the US CLOUD Act. This bill did not receive a proper vote, it was added to a $1.3 trillion catch all omnibus spending bill allegedly needed to keep the US government open.
Why does this bill matter? There are two main points I’d like to highlight today:
- Primarily, the CLOUD Act amends the Stored Communications Act (SCA) of 1986 to allow federal law enforcement to compel U.S.-based technology companies via warrant or subpoena to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil. [source]
- § 2523. Executive agreements on access to data by foreign governments.
Until now, foreign government requests for data would go through mutual legal-assistance treaties, or a MLATs. These would take time, often months, to complete due diligence and safe guards. For example, here is information on MLAT requests to Canada, and here is information on MLAT requests by Canada. [world map of MLATS]
With the US CLOUD Act now law, a country like Canada can choose to enter an agreement with the U.S. President himself, the State Department, or the Attorney General, and can be granted access to personal information from any American tech company, including Amazon, Google, Microsoft, and Facebook, to name a few. This also means the government in the Philippines, or Russia, could make a similar agreement with the US, forcing any US tech company, by law, to provide that country your personal information.
Since this law passed, I’m advising all of my clients to ensure no personal, or sensitive data, such as a intellectual property, is stored by any American tech company. I don’t understand how even months later, so few organizations have heard of this law. I’m not even close to the first person to report on it, but I think this needs to quickly spread into the global narrative, so I appreciate you sharing this if you’ve learned something.
Another question we can all ask is; What is my government doing to protect my personal information, or my company’s intellectual property, from being victim to any foreign government’s fishing expeditions through US tech companies?
It’s time to re-consider if you’re using Skype, Facebook, Gmail, AWS, Cloudflare, WhatsApp, or any American tech company for any data that you don’t want published on the internet forever. There are local alternatives to these tech tools for you, but they’re jurisdictionally dependent and need to meet your personalized requirements. Reach out if we can help you move to more privacy centric solutions.