Most companies are currently busy adapting their processes to the new GDPR in order to avoid getting into serious trouble. However, another event that is of similar importance for many European companies and private individuals is being overlooked. On the other side of the Atlantic, US President Donald Trump signed the CLOUD Act. The name stands for Clarifying Lawful Overseas Use of Data Act, and the law supplements the existing Stored Communications Act (SCA). Although it has been neglected in the media, it has far-reaching consequences for EU citizens and companies.
What is the CLOUD Act?
The CLOUD Act requires US-based internet companies such as Microsoft to grant US security authorities access to user data. This also applies if the data is not stored in the US and the data protection rules of other countries actually apply, as is the case with the EU GDPR.
Conversely, the CLOUD Act is also intended to enable foreign security authorities to access the user data of persons residing in the USA via a bilateral agreement.
Background
Since 2013, the US government has been in court with the software giant Microsoft over the release of data belonging to non-US citizens, for example to us EU citizens.
The reason for this dispute was an order from a US judge requiring Microsoft to hand over email data. In principle, the company is obliged to do so under the PATRIOT Act. However, in this case the data was stored in an Irish data center. Microsoft refused access and referred to the jurisdiction of the local court.
As a result, the case went to the Supreme Court, the highest US court. The final decision was originally expected this summer. However, due to the CLOUD Act, the court has now dismissed the Microsoft case because - according to the judges - there is no longer a conflict as the CLOUD Act applies to the dispute.
What does this mean for EU citizens?
Until now, data stored in German data centers in particular was considered safe due to the country's strict data protection guidelines. But now EU citizens must expect that their data will no longer remain solely in Germany when used by services from US companies.
It is important to note that the law treats two groups differently: US citizens and people who live in the USA on the one hand, and everyone outside this group, such as EU citizens, on the other. The new legal situation requires the release of personal data of US citizens and people who live in the USA without the possibility of objection. In the case of EU citizens and other people outside that group, the US service providers can object and refuse to release the data. However, the authorities can take legal action against this, and the US courts have the explicit option of forcing the providers to release the data if this is "in the interest of the USA".
Everyone should therefore ask themselves the question “Where is the company based and is my data safe?” before using an online service. There may also be an alternative to the desired US service.