Hem Knowledge base The CLOUD ACT of the American legislation versus the European charter of fundamental rights


knowledge base

The CLOUD ACT of the American legislation versus the European charter of fundamental rights

The CLOUD Act addresses all providers of electronic communication and remote computing service providers that operate under the U.S. legislation both domestic and abroad. 

The U.S. law enforcement suffered for many years from outdated laws that regulate how data is accessed if stored overseas. These laws have become inapplicable as operators with the introduction of the cloud technology store their electronic data used for communication issues without consideration to territorial borders. For the United States the situation had become unsustainable as no one could ever be sure where electronic evidence possibly was stored from time to time. United States judiciary was faced with new facts and substantial challenges as criminal evidence had become global.

When the CLOUD Act was enacted in March 2018 what became new was that U.S law enforcement was enabled to obtain customer data directly from cloud providers under U.S. jurisdiction, without the approval of U.S. congress or the knowledge of U.S. courts. And vice versa, through commitment with each country U.S.-based global cloud service providers obtained the possibility to respond directly to foreign legal processes and legislations. The second big thing about CLOUD Act, United States was endorsed to introduce bilateral agreements with foreign countries jurisdictions to get hold of electronic evidence.

Fact is, like anterior to CLOUD Act, that most countries require data to be revealed wherever it is stored, according to the Convention on Cybercrime ("Budapest Convention"). In other words, this fact is nothing new, hence it has been object for substantial misunderstandings as the CLOUD Act has been taken into practice.

CLOUD Act in combination with the FISA 702 are conflicting with the European charter of fundamental rights article 8 which asserts that:

  • "Everyone has the right to the protection of personal data concerning him or her."
  • "Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified."
  • "Compliance with these rules shall be subject to control by an independent authority."

According to European Data Protection Board there are only in very special occasions that disclosure of personal data according to CLOUD Act is compatible with the EU legislation.

The text written below highlights there are fundamental differences in the American legislation compared to what is stated in the article 8 of the European charter of fundamental rights.


Why the CLOUD Act was born

Global communications providers have customers all worldwide and accordingly company offices and facilities where they store customer data. As they are international they are subject to other countries' laws. Potentially there are legal conflicts regarding data to be revealed according to the laws of the motherland and the countries in which they operate. Performing criminal investigations require electronic evidence to be at hand in the right time and most probably they are hindered if such legal conflicts exist. If electronic evidence belonging to a Cloud Service Provider (CSP) is stored in different countries the CSP might be ambivalent in the choice of which country's law to follow knowing that another country's law possibly could be disobeyed. 

What was the main problem before CLOUD Act, was that every single crime investigation requiring electronic evidence from such communications had to use the MLAT-process (Mutual Legal Assistance Treaty). The MLAT system makes it possible to a country's law enforcement to ask some other country's correspondent for help to get hold of data. It is a procedure containing many steps and based upon the extent and complexity it often takes a lot of time.  Using the MLAT process all evidence seeking concerns had to be dealt with through U.S. courts administrations which created an unmanageable workload for these administrations. As cloud providers can transmit criminal evidence data directly to law enforcements, the agreement made using CLOUD Act purposes to reduce the burden on the MLAT system.

What the CLOUD Act is

Essentially, the CLOUD Act considers the location of three variables:

  • The data
  • The person searched
  • The Cloud Service Provider

Main pillars of the CLOUD Act

  • In crime investigations requiring electronic data from Cloud Service Providers (CSPs) as evidence, the CLOUD Act remove possible restrictions of law between countries concerned. International CSPs would be allowed to act directly in answer to foreign processes subject to crime investigations.
  • The MLAT-system has been subject to complaints internationally for being time consuming caused by a heavy administration workload it creates. The inflow of cases to MLAT will be reduced through a realization of the CLOUD Act.
  • CLOUD Act does not mean CSPs are due to assist if the data they provide is encrypted, in other words CLOUD Act is "encryption-neutral".
  • Data concerned relates to electronic communication. Business related concerns are not covered and the purpose is not at all intended to gain insight into business data. Nevertheless, it has to be emphasized that the CLOUD Act involves only data transfers for law enforcement purposes. Nor can state operated intelligence services take advantage of CLOUD Act agreements.
  • The disclosure of data applies wherever it might be stored. Hence, this is nothing new but accordant to the Convention on Cybercrime ("Budapest Convention").

  • The place to be investigated, such as an email account or a social network profile, must indicate that a specific crime has occurred (or even occurring at present time) and presumably contains evidence of that specific crime. As well, data searched must be described with distinctiveness. And for example, an email account can not be searched just to see if evidence exists, meaning no "fishing".
  • Data searched must, as stated above, be narrowed down and well defined. It is not allowed to collect bulk data.
  • To take advantage of the CLOUD Act, a foreign country must present facts that the requisition of proofs held by a U.S. CSP promotes an investigation of crucial and grave crime investigation or even relating terrorism. The requisition is not allowed to deal with U.S. individuals or individuals spotted in the United States.
  • If Cloud Service Providers (CSP) consider there are conflicts of law the CLOUD Act maintains the providers´ right to dispute the requested search warrant in court.

Requirements for member states regarding CLOUD Act agreements

International agreements according to CLOUD Act are uniquely available for countries that fulfill and protect international human rights, which include:

  • Bans against punishment, inhuman treatment and torture.
  • Bans against random arrest and imprisonment.
  • Fair trial rights
  • Freedom of expression 
  • Bans against discrimination derived from race, gender and sexual orientation.
  • Protection from random and illegitimate interference with privacy

Also, countries are obliged to have competent laws on cybercrime and electronic evidence. Orders from partner countries must be properly legitimized, narrowed down to target specific accounts as well as limited to avoidance, discovery and scrutiny of serious crimes.

Reciprocity confusions in a CLOUD Act agreement

Prerequisites to make CLOUD Act work and useful

The intention of the U.S. officials that drafted the CLOUD Act was to enable legal means for law enforcements in partnering countries to legitimately acquire electronic evidence fast. The delays and bureaucracy in such processes had to be reduced significantly in order to provide evidence to time crucial investigations on serious crime. 

However, despite an initially good objective, the below example in section 3.2 shows there can happen reciprocity inequalities hindering the CLOUD Act to be internationally accepted.

onal human rights, which include:

  • Bans against punishment, inhuman treatment and torture.
  • Bans against random arrest and imprisonment.
  • Fair trial rights
  • Freedom of expression 
  • Bans against discrimination derived from race, gender and sexual orientation.
  • Protection from random and illegitimate interference with privacy

Also, countries are obliged to have competent laws on cybercrime and electronic evidence. Orders from partner countries must be properly legitimized, narrowed down to target specific accounts as well as limited to avoidance, discovery and scrutiny of serious crimes.

U.S - UK agreement

CLOUD Act opens up for countries establishing agreements stipulating how the two countries should exchange criminal evidence uniquely. What naturally comes in mind is that such agreements should benefit the two parties as much, in other words be based on reciprocity. Otherwise, questions will be raised regarding for the benefit of whom the law indeed was enacted.

Charts below, illustrate what effectively happens in the agreement made between the United States and the United Kingdom. !Please note, the below example was applicable when U.K. was a EU member state but should not be any different if an agreement with another EU country was made.


Comparing the charts, the legal establishment is not equal when the U.K. needs data about a targeted person compared to when the U.S. does likewise. Astonishing enough, the limitations that apply to the U.K. side are much more extensive. For example, the agreement stops U.S from targeting a U.K. citizen spotted in the U.K. Nevertheless, if that particular U.K. national travels to Spain the person is a permissible target for the U.S. Reasonably, an agreement between two countries should be based on reciprocity. Still, the fact here is that CLOUD Act stays applicable but makes the reciprocity to be nothing but an illusion. 

Schrems-I and -II cases, Privacy Shield

Max Schrems is an Austrian legal adviser and deeply involved in data protection issues. Originally, he raised a dispute in court regarding Facebook Ireland was transferring personal data to its' parent company in the United States. According to a law of the European Union such transfers are not allowed, they are illegal as the United States is considered to be a "third country". There have to be certain conditions fulfilled if such transfers are to be allowed. As this judgment was in favor for the Austrian legal adviser the U.S. authorities tried to make the judgment to be revoked.

The outcome of the juridical case "Schrems I" led to a new appeal from the U.S. side. They adduced a new decision according to article 45, the Privacy Shield, in order to revoke the judgment. Even this case, that later became known as "Schrems II", was rejected by the court of EU. More or less, the judgment became prejudicial and organizations can no longer refer to the Privacy Shield. As for now, the European Commission and the United States are trying to negotiate a successor to Privacy Shield.

The European Union law, and especially the data protection part (DSF), deals with the transfer of personal data for commercial purposes between commercial tradesmen within the EU member states and a "third country". Even though this personal data possibly may be subject to processing by the authorities of the "third country", for security or defense concerns typically, the European court still consider the data protection part to be applicable.

CLOUD Act in relation to the European Union law and the national laws of the member states is challenging. As above judgment indicates, some member states have a legislation that hinders Cloud Service Providers to reveal data to a "third country".

FISA, Foreign Intelligence Surveillance Act

FISA is an other law that reminds somewhat of CLOUD Act. In its' basic form it is limited to cover domestic conditions while CLOUD Act opens the possibility for U.S. authorities to request data stored outside the territory of USA.

The right to privacy is for U.S. citizens protected by the United States constitution but this protection does not apply to foreign citizens. Here we find yet another basic difference between FISA and the CLOUD Act as according to FISA foreign citizens do not possess binding rights against US authorities and consequently no private persons do not have any rights to effective remedies in the United States. In the light of this absence the EU court declared the Privacy Shield annulled in the Schrems-II judgment.

FISA 702

What is FISA 702

FISA 702 is an amendment, a supplement to FISA covering that the targets being non-U.S. persons located abroad, outside the territorial borders of the USA.

The surveillance target is not required to be an individual suspected to be a terrorist, spy or somebody that might be an agent working for a foreign country. According to the 702 amendment the requirement is only being a non-US person located abroad enough for the purpose to obtain surveillance and intelligence information.

Focusing on which person to target is the responsibility of the National Security Agency (NSA) with influences from the CIA and the FBI, in other words "who to catch".

FISA 702 allows the Attorney General and the Director of National Intelligence to approve retrieval of intelligence information concerning non-US individuals which is unlikely to be in the United States as well as retrieve intelligence information concerning other countries. 
To be clear, everything that has to do with Sweden and Swedish citizens is also covered by FISA 702.

Comparison of FISA 702 to Swedish intelligence

In Sweden decisions of retrieval of foreign intelligence information are made ultimately by the Government however under the inspection by SIUN (Statens Inspektion för FörsvarsUnderrättelseverksamheten, The Swedish Inspectorate for Defense Intelligence Operations). The order of performing intelligence operations in Sweden targeting foreign conditions and targets located outside Sweden is delegated to MUST (Militära Underrättelse och Säkerhetstjänsten, Military Intelligence and Security Service) which is an authority under the Swedish Armed Forces. 

Likewise FISA 702 the general focus of defense intelligence specialization applies for one year at a time and as well the narrowed targeting process is performed by the executing authority MUST, in USA it is NSA mainly.

However, an important difference is that the Swedish Armed Forces does NOT have the right to order a private company or any other state authority to execute such espionage and intelligence information retrieval. 

Aspects covered in FISA 702 not dealt with in CLOUD Act

The CLOUD Act is neither intended for state intelligence purposes surveillance or any retrieval of intelligence information nor aimed to benefit U.S. concerning business intelligence.
However, if for any reason needed,  the FISA 702 covers the purpose to also get such information making the combination CLOUD Act and FISA 702 to supply a more complete intelligence information record of a targeted object. In other words, objects such as non-U.S. persons located or residing outside the United States. That information can be retrieved through a communication provider under U.S. jurisdiction.

This applies also to any company under U.S jurisdiction operating abroad meaning these companies are, in practice, an extended arm of the US intelligence services.

A request according to FISA 702 is subject to a duty of confidentiality, which means that any targeted object, that as well is a customer to the company holding the information records, will not be informed by the company that information has been disclosed to the US intelligence services.

Conclusion FISA 702 versus CLOUD Act

To be clear, one big difference between the CLOUD Act and FISA 702 is that CLOUD Act aims for electronic evidence dealt with by law enforcement agencies such as the police. As mentioned, FISA 702 deals with intelligence information aimed for intelligence authorities such as the NSA. Seen in the light of combining FISA 702 and the CLOUD Act, things are not very good looking for a targeted individual.

Misconceptions about CLOUD Act

Clarifying facts according to U.S. officials

U.S. state officials firmly claim that the main driving force for the CLOUD Act came from abroad. The foreign law enforcements seeking evidence held by CSPs in the U.S. required the process to be speeded up and facilitated. The MLAT-process used traditionally was too complicated and slow causing criminal investigations being obstructed. Hence, not only designed to provide the needs of the United States. Without it, continuing addressing all matters it concerns, the United States would not have continued to be compliant with its' international treaty obligations agreed to.

United States Cloud Service Providers serve under the U.S. jurisdiction and of course they are obliged to supply data, within their control, to U.S. courts. And as already stated, the place where the data is stored does not matter. Thus, this is nothing new. The CLOUD Act legislation is meant to establish a foundation for mutual agreements with other countries to remove possible differences of law. Consequently, all nations committed to such an agreement must remove legal obstacles making it possible for CSPs to abide by other countries' requests for electronic evidence concerning a serious crime. And to achieve this directly, without having to use the MLAT process. Still, U.S officials claim, the obligations for a CSP are deduced from the requesting countries' laws alone.

Thus, an important limitation: 
The targeted person can not be a U.S. individual spotted in the United States.

Foreign companies are solely subject to the law of the home country, not the U.S jurisdiction.

A theoretical example

Consider, if a fictitious person, using the email address mister.special@thetopguy.com in a European country becomes the subject of or gets involved in a criminal investigation in the U.S, what would happen? Would a criminal investigator in the U.S try to get in touch directly with the national police of that particular country and the domain owner to "thetopguy.com"? Or should the criminal investigator take for granted that the domain "thetopguy.com" are using Windows and approach Microsoft and challenge the whole bunch of their legal experts to get hold of electronic evidence? 

The U.S. Department Of Justice clearly states that a prosecutor must address the customer directly ("thetopguy.com") if there are no particular reasons hindering it. A company like Microsoft does not disclose data to authorities, unless obliged to according to law. An American criminal investigator, or the police, must for very specific reasons clearly clarify that it is not possible to directly address the customer, for not being obliged to do so.

A company that are to reveal personal data concerning a particular customer, is bound to notify the customer before the data is disclosed, if not hindered by the law. To NOT disclose requested data for the customer, is subject to very high legal requirements as it violates the U.S. constitutionally protected freedom of speech.

Swedish authorities aim to run IT-operations themselves

Swedish authorities claim the basic and obvious requirement for digital systems to be safe and protect privacy. Commonly is that they have a growing need for secure and user-friendly digital services. Consequently a lot of questions arose about the appropriateness of using public cloud services from private providers. For this reason, Swedish authorities will not use Cloud Service Providers covered by the CLOUD Act for storage of business-critical data. Instead, the goal is a common state-run IT operation.

Of course there are a number of positive effects for Swedish authorities to use the services of CSPs. However, the positive effects must not mean that Swedish authorities use the public cloud services without first assessing the consequences from a societal perspective and for the personal integrity of individuals.

According to Swedish principles it is not considered to be consistent with the basic rules of publicity and the Secrecy act (offentlighets- och sekretesslagen) for service providers to reveal data to to the authorities of another country. This is one weighty argument for a common state-run IT operation, among several others.

Obstacles that Swedish authorities might meet

The eSam, government collaboration for digital development, claimed some time ago that a common state-run IT operation was unlikely to meet significant problems if it was outsourced and operated by foreign Cloud Service Providers. After enacting the CLOUD Act, the common view has turned to the opposite.
Yet, Swedish municipalities also have as a principle to use the most economically efficient solution available, which of course also can include cloud services. The future labour supply of skilled IT staff is not sufficient to enable a setup and run of local cloud services. Maybe it requires a solution where the legal situation needs to be simplified, but for sure, no more governmental organizations and authorities should make a security interpretation of their own.

SecMaker Live iD, the solution

SecMaker enables a cloud based delivery form of a product package named SecMaker Live iD. It provides a fast installation and start-up. Investing in expensive and time-consuming operations can be avoided and a security platform equal to the one that Swedens' largest authorities already use is delivered.
Relating to what was previously written regarding labour supply of skilled IT staff, SecMaker Live iD solves that problem. It delivers a significant better and stronger security platform that companies or authorities are enabled to develop and pay by themselves. It is just as obvious as not building your own mobile phone network to be able to talk to your customers and employees.

And probably most important of all, SecMaker Live iD is a service that is NOT affected by CLOUD Act and FISA 702.

Kontakta oss

Har du fler frågor? Tveka inte på att kontakta oss så berättar vi mer.