The recent accord between the US and the UK could have repercussions for resellers and managed service providers.

Kelly Teal, Contributing Editor

November 13, 2019


The recent executive agreement between the United States and the U.K., facilitated by the CLOUD Act, could impact the channel, particularly resellers and managed service providers with operations here and across the pond.

As a refresher, the CLOUD Act became law in April 2018. It “allows a foreign government with which the U.S. has a sharing agreement to contact U.S. companies directly to compel production of personal data without notifying the individual,” as law firm Squire Patton Boggs wrote in a recent blog.

On Oct. 3, the U.S. and the U.K. signed a deal to allow their respective law enforcement agencies “with appropriate authorization, to demand electronic data regarding serious crime, including terrorism, child sexual abuse, and cybercrime, directly from tech companies based in the other country, without legal barriers,” the U.S. Department of Justice wrote in a press release.

While current legislation already paves the way for such sharing, the process to obtain data can take up to two years. The executive agreement hastens that timeline.


“This agreement will enhance the ability of the United States and the United Kingdom to fight serious crime … by allowing more efficient and effective access to data needed for quick-moving investigations,” U.S. Attorney General William Barr said in a prepared statement. “Only by addressing the problem of timely access to electronic evidence of crime committed in one country that is stored in another, can we hope to keep pace with 21st Century threats. This agreement will make the citizens of both countries safer, while at the same time assuring robust protections for privacy and civil liberties.”

Few will argue the value of speeding up the time it takes for authorities to bring criminals to justice. However, the CLOUD Act is intended to apply broadly. The U.S.-U.K. executive agreement could put international channel partners in a bind.


“Unfortunately, the U.S.’s CLOUD Act is troublesome for companies that are trying to remain compliant with GDPR as the two regulations conflict with one another,” Jacob Serpa, senior product marketing manager at cloud security vendor Bitglass, told Channel Futures. “The CLOUD Act requires that contract data processors provide stored data to relevant U.S. authorities as requested. However, when these data processors share data as demanded under the CLOUD Act, it can lead to noncompliance for organizations under GDPR if said data falls within the scope of the EU’s data privacy law.”

Because of that, Serpa added, channel partners in the United States and the U.K. “must take both regulations into consideration when selecting a security solution. Additionally, they must wait to see how discussions between the U.S. and the EU will unfold as they seek to reconcile their data privacy laws.”

For partners contracting directly with the likes of Amazon Web Services, Google Cloud Platform, Microsoft Azure and similar public cloud providers, there should be less to worry about.

“The CLOUD Act does not impact AWS services or how we operate our business,” AWS says on its website. “Historically, we have received very few United States law enforcement requests, and we are transparent about the number of requests that we receive.”

AWS, the world’s largest cloud vendor, says it carefully examines any such requests for accuracy and lawfulness.

“Where we need to act to protect customers, we’ll continue to do so,” the provider states. “We have a history of challenging government requests for customer information that we believe are over-broad or otherwise inappropriate. If we are required to disclose customer content, we will continue to notify customers before disclosure to provide them the opportunity to seek protection from disclosure, unless prohibited by law.”

Microsoft has been a vocal supporter of the CLOUD Act, calling it “the foundation for a new generation of international agreements [that] preserves rights of cloud service providers like Microsoft to protect privacy rights until such agreements are in place.”


Meanwhile, Google Cloud CEO Thomas Kurian wrote in an Oct. 24 blog that the U.S.-U.K. executive agreement does not change the company’s approach to government requests to disclose enterprise data.

“Our team reviews and evaluates each and every one of the requests we receive for legal validity and appropriate scope, as well as for compliance with international human rights standards, our own policies, and applicable law,” Kurian wrote. “We do not provide ‘backdoor’ direct access to any government and we do not hesitate to protect customer interests.”

As such, starting early next year, Google Cloud will publish the number of law enforcement requests it receives for Google Cloud Platform and G Suite enterprise data. Kurian called the initiative “an important milestone in our efforts to improve transparency and help address broader uncertainty about how often governments are coming to Google to request access to enterprise customer data.”

Channel Futures reached out to several partners and analysts for comment on the CLOUD Act executive agreement between the United States and the U.K. to no avail. Some declined to comment while others did not respond to interview requests.


About the Author(s)

Kelly Teal

Contributing Editor, Channel Futures

Kelly Teal has more than 20 years’ experience as a journalist, editor and analyst, with longtime expertise in the indirect channel. She worked on the Channel Partners magazine staff for 11 years. Kelly now is principal of Kreativ Energy LLC.
