The CLOUD Act: Implications of Storing Data with Cloud Providers – What Does it Mean for the Partner Ecosystem?

In the digital age, the widespread adoption of cloud computing has revolutionized the way individuals and businesses store and access their data. Cloud providers offer convenience, scalability, and cost-effectiveness, making them an attractive option for data storage. However, it is essential to be aware of the legal landscape surrounding cloud providers, particularly in relation to the CLOUD Act. This article aims to shed light on the implications of storing data with cloud providers bound by the CLOUD Act law, emphasizing the importance of understanding the potential impact on privacy and data security.

What is the CLOUD Act?

The CLOUD Act or the Clarifying Lawful Overseas Use of Data Act, was enacted in the United States in 2018. Its primary purpose is to provide law enforcement agencies with enhanced access to electronic data held by American technology companies. Even if the data is stored outside the United States. The CLOUD Act also enables reciprocal data-sharing agreements between the U.S. and other foreign governments. While the CLOUD Act has implications for data stored in the cloud, it primarily affects cloud providers subject to U.S. jurisdiction.

What are the Implications for our Partners’ Customers in terms of Privacy and Data Security?

1. Access to Data: Under the CLOUD Act, U.S. law enforcement agencies can compel cloud providers to disclose customer data, regardless of its physical location. As a Managed Service Provider or Reseller, this would mean that even if your client’s data is stored in a server outside the U.S., it may still be subject to access by U.S. authorities if your cloud provider is subject to the CLOUD Act. This raises concerns about potential infringement on individual privacy rights and the ability to maintain control over personal and sensitive information.

2. Data Security: When your client’s data, or yours for that matter, is stored with a cloud provider bound by the CLOUD Act, it is subject to additional risks in terms of security. The CLOUD Act requires cloud providers to provide access to data, potentially introducing vulnerabilities that malicious actors could exploit. This highlights the importance of robust security measures to protect data stored in the cloud, including encryption, access controls, and regular audits of the provider’s security practices.

3. International Data Protection: The CLOUD Act’s provisions for international data-sharing agreements raise questions about how data is protected and governed in different jurisdictions. Data stored with a cloud provider bound by the CLOUD Act may be subject to different legal standards and regulations, depending on the country involved. This can complicate compliance with data protection laws, such as the European Union’s General Data Protection Regulation (GDPR), which imposes stringent requirements on the handling of personal data.

How can you Mitigate this Risk for your Clients?

As a Reseller, System Integrator, Managed Service Provider or adviser, your client’s data and its security is at heart of your offering. The responsible choosing of a cloud provider is therefore imperative in order to reduce this risk. More concretely, you do it by choosing cloud providers that are transparent about their data handling practices, by assessing their jurisdiction and by understanding the legal frameworks they operate under.

At OVHcloud in Europe, we are CLOUD Act free.

Full Compliance with European Regulations, Freedoms and Fundamental Right

Organizationally, the OVHcloud Group is a European group in which European commercial entities fall under the exclusive jurisdiction of European Union member states, or states that have been subject to a European Commission adequacy decision. These entities are controlled by OVH Groupe, a company governed by French law, with no dependency links to any entity or organisation subject to the jurisdiction of states that do not provide an adequate level of data protection.

Requests from non-EU authorities (governmental, administrative, judicial or other) may be made for the communication of a European user’s data hosted in a datacenter located within the European Union. In this case, OVHcloud systematically opposes to such requests. In accordance with EU regulations; this is the  this is the case for example when they are not carried out in accordance with an international agreement — such as a treaty on mutual legal assistance in force between the requesting country and the Member State(s) of the European Union concerned.

Compliant with the Strictest Security Standards

The SecNumCloud Security Visa, obtained by OVHcloud in early 2021, plus the renewed SecNumCloud 3.2 gained in 2023 to accelerate OVHcloud strategy on its datacenters, give certified cloud service customers the assurance that they will choose solutions with a security and trust level verified by ANSSI (the French National Agency for Information Systems Security).  OVHcloud also obtained security labels in other countries (for example G-cloud in the UK and AgiD in Italy), and provides its cloud services to the administrations of several European Union state members, as well as European Commission institutions.

As the use of cloud storage becomes increasingly prevalent, it is vital to understand the implications of entrusting your customer’s data to cloud providers subject to the CLOUD Act. Balancing the benefits of cloud computing with the potential risks to privacy and data security requires informed decision-making and proactive measures. At OVHcloud, the data protection of our clients and of our partner’s clients is the core of our operation. By choosing providers wisely, implementing robust security measures, and staying vigilant about data protection, clients and partners can navigate the cloud landscape while safeguarding their information in the face of evolving legal frameworks.

Get to know more about how Data Sovereignty and Trusted Cloud is critical for business:

Partner Program Manager at OVHcloud | + posts