Cloud Act - Clarifying Lawful Overseas Use of Data

The Clarifying Lawful Overseas Use of Data Act (a.k.a. the “CLOUD Act”) was incorporated into the Omnibus Spending Bill of 2018 that was passed by the House and Senate and signed into law by the President on March 23, 2018. The CLOUD Act amends the 1986 Stored Communications Act.

Why was this law passed?

The CLOUD Act addresses a challenging problem in the technology industry: how to respond to a lawful request for information when that request conflicts with privacy obligations in another jurisdiction. In response, the CLOUD Act outlines a legal framework for law enforcement to request data stored in other countries while setting baseline standards for the protection of data privacy. It also provides a mechanism by which cloud companies, like OVHcloud, can initiate a legal challenge, when necessary, to defend customer data.

What does the CLOUD Act mean for OVH US ("OVH") and its customers?

As a global, hyper-scale cloud provider, we are committed to protecting our customer's data privacy and complying with U.S. and international privacy frameworks. The CLOUD Act provides important guidelines for law enforcement groups seeking to access cross-border data by:

Clarifying the conditions under which U.S. law enforcement can legally access data owned by U.S. domestic companies but stored overseas; and
Specifying how a foreign government can request data from a U.S. company.

What about requests from foreign governments?

The CLOUD Act authorizes the President to establish executive agreements permitting “qualifying” foreign governments to request records pertaining to foreign citizens from U.S.-based providers. To qualify, a foreign government must both be approved by the Attorney General and the Secretary of State and also abide by “robust” substantive and procedural protections for “privacy and civil liberties.”

No such executive agreements currently exist. Until then and for the countries without agreements, OVH US would continue to honor requests only if they followed the MLAT process.

How will OVHcloud comply with U.S. law enforcement requests?

In accordance with our Privacy Policy, OVHcloud will comply with lawful requests from public authorities. Under the CLOUD Act, that could include data stored outside of the United States. OVHcloud will consider the availability of legal mechanisms to quash or modify requests as permitted by the CLOUD Act.

How will CLOUD Act affect the data transmitted or stored by OVHcloud? Will OVHcloud be required to un-encrypt currently encrypted services?

The CLOUD Act does not change how OVHcloud transfers or stores its customers’ data. It also does not create an obligation that a cloud service provider must decrypt the data stored on its networks.

If you would like more information, please reach out to OVHcloud at privacy@corp.ovh.us.