European companies with data processing operations in Europe also sometimes fall under the scope of the American CLOUD-Act. This allows data stored in Europe to be accessible to the US government. The example of the CLOUD-Act shows the consequences of legislation if it has an extraterritorial effect. Legislation in the digital domain increasingly has such an extraterritorial effect. This makes the security of information in the EU and compliance with EU and national laws and regulations in the field of information security and data protection more difficult. Are there options to reduce these risks? The NCSC had a leading law firm investigate the CLOUD-Act.

Information processing in the digital domain is an international affair. The storage, transport and processing of information often ignore national borders and are certainly not limited by them. In addition, and partly because of this, countries make legislation and regulations for the digital domain that also influence data processing outside their national borders. As a result, data processing is subject to different legal and regulatory regimes, which can conflict or interfere with each other. This applies, for example, to measures concerning security or granting access to sensitive information and (personal) data.

One of the most discussed examples of conflicting legislation is the conflict between the US CLOUD-Act (in full, the Clarifying Lawful Overseas Use of Data Act) and European data protection and information security rules. European data that is processed or stored in the US must be secured in accordance with the GDPR (the European General Data Protection Regulation; in the Netherlands, the AVG). At the same time, this data also falls under the American legal regime that governs access to that data. The CLOUD-Act allows federal law enforcement in the US to subpoena technology companies to provide requested data from users, even if that data is stored on foreign territory. Many experts assume that this risk does not exist if a European service provider processes the data, and certainly not if the processing takes place within Europe. From a legal point of view, however, this is more nuanced, and the US CLOUD-Act may also apply to data processing operations outside the US, for example, in the EU.

The NCSC has asked the law firm Greenberg Traurig to interpret this issue, with the critical question:

To what extent can a European company or organisation be covered by the CLOUD-Act, even if it is not based in the US?

https://english.ncsc.nl/latest/weblog/weblog/2022/how-the-cloud-act-works-in-data-storage-in-europe

Written by:
Paul van den Berg,
Strategic Vendor Relations Cybersecurity

A follow-up to this article answers the question: what is the risk of information in Europe being requested by the U.S. government based on the CLOUD act?
