Do You Know About the New CLOUD Act Data Regulation?
Do You Know About the New CLOUD Act Data Regulation?
A lot has been said about the GDPR. If you're interested to learn about what the US government is doing to protect data, read on.
Join the DZone community and get the full member experience.Join For Free
Protect your applications against today's increasingly sophisticated threat landscape.
Have you heard about the new CLOUD Act data regulation?
The new CLOUD Act data regulation became law as part of the recent $1.3 Trillion (USD) omnibus U.S. government budget spending bill passed by Congress on March 23, 2018, and signed by President of the U.S. (POTUS) Donald Trump in March.
The CLOUD Act is the acronym for Clarifying Lawful Overseas Use of Data, not to be confused with initiatives such as U.S. federal governments CLOUD First initiative, among others, which are focused on using the cloud, security, and compliance (e.g. FedRAMP among others). In other words, the new CLOUD Act data regulation pertains to how data stored by cloud or other service providers can be accessed by law environment officials (LEO).
CLOUD Act Background and Stored Communications Act
After the signing into law of the CLOUD Act, the US Department of Justice (DOJ) has asked the Supreme Court of the U.S. (SCOTUS) to dismiss the pending case against Microsoft (e.g., Azure Cloud). The case or question in front of SCOTUS pertained to whether LEO can search as well as seize information or data that is stored overseas or in foreign counties.
As a refresher, or if you had not heard, SCOTUS was asked to resolve if a service provider who is responding to a warrant based on probable cause under the 1986 era Stored Communications Act, is required to provide data in its custody, control or possession, regardless of wheter it's stored inside or outside the US.
This particular case in front of SCOTUS centered on whether Microsoft (a U.S. technology firm) had to comply with a court order to produce emails (as part of an LEO drug investigation) even if those were stored outside of the US. In this particular situation, the emails were alleged to have been stored in a Microsoft Azure Cloud Dublin Ireland data center.
For its part, Microsoft senior attorney Hasan Ali said via FCW “This bill is a significant step forward in the larger global debate on what our privacy laws should look like, even if it does not go to the highest threshold." Here are some additional perspectives via Microsoft Brad Smith on his blog along with a video.
What Is the CLOUD Act
The new CLOUD Act law allows for the POTUS to enter into executive agreements with foreign governments about data on criminal suspects. Granted what is or is not a crime in a given country will likely open Pandora’s box of issues. For example, in the case of Microsoft, if an agreement between the U.S. and Ireland were in place, and, Ireland agreed to release the data, it could then be accessed.
Now, for some who might be hyperventilating after reading the last sentence, keep in mind that if you are overseas, it is up to your government to protect your privacy. The foreign government must have an agreement in place with the U.S. that a crime has or had been committed, a crime that both parties concur with.
Also, keep in mind that is also appeal processes for providers including that the customer is not a U.S. person and does not reside in the U.S. and the disclosure would put the provider at risk of violating foreign law. Also, keep in mind that various provisions must be met before a cloud or service provider has to hand over your data regardless of what country you reside, or where the data resides.
Where to Learn More
Learn more about the CLOUD Act, cloud, data protection, world backup day, recovery, restoration, and the GDPR along with related data infrastructure topics for cloud, legacy, and other software-defined environments via the following links:
- AWS Cloud Application Data Protection Webinar
- U.S. House and Senate versions of CLOUD Act data regulations
- CLOUD (Clarifying Lawful Overseas Use of Data) Act data regulation became law
- $1.3 Trillion (USD) omnibus U.S. government budget spending bill passed by Congress
- US DOJ has asked SCOTUS to dismiss pending case against Microsoft
- 1986 era regulations and Stored Communications Act
- Microsoft Azure Cloud regions
- Data Protection Recovery Life Post World Backup Day Pre-GDPR
- Additional perspectives via Microsoft Brad Smith on his blog along with a video.
- March 2018 Server StorageIO Data Infrastructure Update Newsletter
- Application Data Value Characteristics Everything Is Not the Same (five-part mini-series)
- Application Data Availability 4 3 2 1 Data Protection (part of the mini-series)
- Data Protection Diaries (Archive, Backup/Restore, BC, BR, DR, HA, Replication, Security)
- Veeam GDPR preparedness experiences Webinar walking the talk
- Data Infrastructure Server Storage I/O related Tradecraft Overview
- Data Infrastructure Overview, Its What’s Inside of Data Centers
- Garbage data in, garbage information out, big data or big garbage?
- GDPR (General Data Protection Regulation) Resources Are You Ready?
- Data Infrastructure server storage I/O network Recommended Reading
- Object Storage Center resources (www.objectstoragecenter.com)
- The SSD Place (SSD, NVM, PM, SCM, Flash, NVMe, 3D XPoint, MRAM and related topics)
- The NVMe Place (NVMe related topics, trends, tools, technologies, tip resources
Additional learning experiences along with common questions (and answers), as well as tips can be found in Software Defined Data Infrastructure Essentials book.
What This All Means and Wrapping Up
Is the new CLOUD Act data regulation unique to Microsoft Azure Cloud?
No, it also applies to Amazon Web Services (AWS), Google, IBM Softlayer Cloud, Facebook, LinkedIn, Twitter, and the long list of other service providers.
What about the GDPR?
Keep in mind that the new Global Data Protection Regulations (GDPR) go into effect May 25, 2018, and that, while based out of the European Union (EU), they have global applicability across organizations of all sizes, scopes, and type. Learn more about the GDPR, Data Protection, and its global impact here.
Thus, if you have not heard about the new CLOUD Act data regulation, now is the time to become aware of it.
Ok, nuff said, for now.
Published at DZone with permission of Greg Schulz , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.