Understanding the CLOUD Act Executive Agreement’s Impact on the Channel
The recent executive agreement between the United States and the U.K., facilitated by the CLOUD Act, could impact the channel, particularly resellers and managed service providers with operations here and across the pond.
As a refresher, the CLOUD Act became law in April 2018. It “allows a foreign government with which the U.S. has a sharing agreement to contact U.S. companies directly to compel production of personal data without notifying the individual,” as law firm Squire Patton Boggs wrote in a recent blog.
On Oct. 3, the U.S. and the U.K. signed a deal to allow their respective law enforcement agencies “with appropriate authorization, to demand electronic data regarding serious crime, including terrorism, child sexual abuse, and cybercrime, directly from tech companies based in the other country, without legal barriers,” the U.S. Department of Justice wrote in a press release.
While current legislation already paves the way for such sharing, the process to obtain data can take up to two years. The executive agreement hastens that timeline.
“This agreement will enhance the ability of the United States and the United Kingdom to fight serious crime … by allowing more efficient and effective access to data needed for quick-moving investigations,” U.S. Attorney General William Barr said in a prepared statement. “Only by addressing the problem of timely access to electronic evidence of crime committed in one country that is stored in another, can we hope to keep pace with 21st Century threats. This agreement will make the citizens of both countries safer, while at the same time assuring robust protections for privacy and civil liberties.”
Few will dispute the value of shortening the time it takes for authorities to bring criminals to justice. However, the CLOUD Act is intended to apply broadly. The U.S.-U.K. executive agreement could put international channel partners in a bind.
“Unfortunately, the U.S.’s CLOUD Act is troublesome for companies that are trying to remain compliant with GDPR as the two regulations conflict with one another,” Jacob Serpa, senior product marketing manager at cloud security vendor Bitglass, told Channel Futures. “The CLOUD Act requires that contract data processors provide stored data to relevant U.S. authorities as requested. However, when these data processors share data as demanded under the CLOUD Act, it can lead to noncompliance for organizations under GDPR if said data falls within the scope of the EU’s data privacy law.”
Because of that, Serpa added, channel partners in the United States and the U.K. “must take both regulations into consideration when selecting a security solution. Additionally, they must wait to see how discussions between the U.S. and the EU will unfold as they seek to reconcile their data privacy laws.”
For partners contracting directly with the likes of Amazon Web Services, Google Cloud Platform, Microsoft Azure and similar public cloud providers, there should be less to worry about.
“The CLOUD Act does not impact AWS services or how we operate our business,” AWS says on its website. “Historically, we have…