March 8, 2022

Maintaining data privacy beyond the reach of the US CLOUD Act



Data privacy has never been hotter as a topic, in part because the US CLOUD Act came into force, making organizations once again question how their data is managed and who has access to it. In response the Court of Justice of the European Union passed the July 2020 Schrems II judgment, which invalidates the EU-US Privacy Shield, meaning companies cannot transfer personal data to the US any longer. Solving this dilemma when most companies use US-based cloud services is challenging but necessary.


While the CLOUD Act aimed to clarify the framework through which law enforcement could access data, Schrems II created an uncertain regulatory environment for all kinds of global organizations by revoking the aforementioned Privacy Shield. This poses new challenges for companies outside the United States that rely on US-based cloud and CDN providers. For all of these, particularly public sector organizations and companies that handle sensitive data, what will compliance look like in the face of the EU’s policies? What does risk look like? What should organizations whose commercial CDN suppliers are based in the United States know or do (even when the data itself is held elsewhere in the world)?


What is the CLOUD Act?

The US Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is a legal framework by which United States law enforcement agencies can request data held by telecommunications service providers. The CLOUD Act is “clarifying” because it describes more specifically the geographical scope of data requests, enabling law enforcement to request data stored both in the United States and overseas.


What is the impact of the CLOUD Act?

While the CLOUD Act does not supersede local law, and the circumstances under which law enforcement can request data have not changed (that is, there are still limitations on what data can be accessed and how), the Act creates conditions that may by their very existence conflict with GDPR regulations, data privacy laws and encryption laws. In theory, law enforcement could gain access to data that they have no right to, and the overall safety of information in the cloud comes into question.


What is Schrems II?

Schrems II is a legal decision that originated from the Court of Justice of the European Union in 2020. An activist called Maximilian Schrems challenged Facebook’s transfer of personal data from Ireland to its headquarters in the United States, arguing that it constituted a violation of both GDPR and EU law.

The background: “On 16 July 2020, the Court of Justice of the European Union (ECJ) in its Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (called “Schrems II case”) invalidated the EU-US Privacy Shield. The Court cast doubt over the extent transfers can be legitimized by the European Commission’s Standard Contractual Clauses (SCC) for personal data transfers to the US and globally. The SCC’s were still valid as a transfer mechanism in principle but would require additional work.”

The Privacy Shield was revoked largely because US law proved inadequate for protecting personal data. The judgment also ruled on standard contractual clauses (SCCs), which ultimately means that companies must ensure that data recipient countries have data protection equivalent to that offered by the EU. SCCs (trust, sign and forget approaches) will not be adequate.


How does the CLOUD Act affect you? 

The US CLOUD Act means that no matter who you are, your data probably already exists on a US-based cloud or CDN provider’s servers and is thus subject to the Act no matter where in the world the data is stored. Access is just a subpoena away. In addition to potentially violating GDPR regulations, the implications of leaving large amounts of sensitive data accessible to CLOUD Act jurisdiction are significant. Almost every EU organization relies on US-based cloud providers as a key part of their infrastructure, and this includes multiple government agencies across Europe. 

How does Schrems II affect you?

Taking into account the CLOUD Act and more recent Schrems II judgment, the implications are becoming clearer, although there is no absolute clarity about how to apply these rulings and remain compliant. In the absence of absolute clarity on the nuances of law, and the complete invalidation of the EU-US Privacy Shield, many companies and organizations have begun to require that no US-based cloud services or commercial CDNs may be a part of future infrastructure, at least for certain specific, sensitive use cases. 

While cloud and CDN companies themselves are the ostensible focus of the law, it is the companies who use these services who need to think about how they handle data and its transfer and storage. Concerns have already been raised within governmental and public sector agencies, but should be on the radar of companies across sectors where personal data sovereignty and data privacy are a serious consideration, such as banking, financial services, insurance, law, and healthcare. 


What are alternatives to US-based cloud and CDN services?

The only foolproof solution to the Schrems II judgment is to avoid sending personal data outside of Europe in the first place. Companies have undertaken extensive compliance exercises: examining local laws in the places data is being transferred to, evaluating supplier relationships where data transfers are involved, and examining infrastructure setups and hybrid cloud solutions, all of which require compliance.

Across Europe, organizations have opted for European-based, GDPR-compliant cloud, CDN, and hosting services and infrastructure in order to safeguard privacy and data protection. In use cases where traffic and data are sensitive, running one’s own private CDN solution either on private servers or in strictly Europe-based cloud infrastructure can deliver a viable alternative to the big US players.


Varnish Private CDN: Flexibility for data privacy and performance

A private CDN isn't just relevant where data and traffic are sensitive. There are also throughput, latency, and availability benefits when you take control of your content delivery. With a private CDN solution, you can get both: flexibility that protects sensitive data within the parameters of your Schrems II (or other) compliance needs and offers high-performance content delivery.

If you’re ready to discuss adopting a private CDN solution where you need the most control, protection and flexibility, get in touch.