Cloud Act - Clarifying Lawful Overseas Use of Data

The Clarifying Lawful Overseas Use of Data Act (a.k.a. the “CLOUD Act”) was incorporated into the Omnibus Spending Bill of 2018 that was passed by the House and Senate and signed into law by the President on March 23, 2018.  The CLOUD Act amends the 1986 Stored Communications Act.

The CLOUD Act addresses a challenging problem in the technology industry: how to respond to a lawful request for information when that request conflicts with privacy obligations in another jurisdiction? In response, the CLOUD Act outlines a legal framework for law enforcement to request data stored in other countries while setting baseline standards for the protection of data privacy. It also provides a mechanism by which cloud companies, like OVH, can initiate a legal challenge, when necessary, to defend customer data. 

As a global, hyper-scale cloud provider, we are committed to protecting our customers’ data privacy and complying with U.S. and international privacy frameworks. The CLOUD Act provides important guidelines for law enforcement groups seeking to access cross-border data by:

  • Clarifying the conditions under which U.S. law enforcement can legally access data owned by U.S. domestic companies but stored overseas; and
  • Specifying how a foreign government can request data from a U.S. company.

In accordance with our Privacy Policy, OVH will comply with lawful requests from public authorities. Under the CLOUD Act, that could include data stored outside of the United States. OVH will consider the availability of legal mechanisms to quash or modify requests as permitted by the CLOUD Act.

The CLOUD Act authorizes the President to establish executive agreements permitting “qualifying” foreign governments to request records pertaining to foreign citizens from U.S.-based providers. To qualify, a foreign government must both be approved by the Attorney General and the Secretary of State and also abide by “robust” substantive and procedural protections for “privacy and civil liberties.”  

No such executive agreements currently exist. Until then and for the countries without agreements, OVH US would continue to honor requests only if they followed the MLAT process.

The CLOUD Act does not change how OVH transfers or stores its customers’ data. It also does not create an obligation that a cloud service provider must decrypt the data stored on its networks.