Data Sovereignty: Digital Implications
US Congress passed the Clarifying Lawful Use of Overseas Data (CLOUD) Act back in March 2018. The law regulates how US law enforcement officials can access data stored overseas. Previously, US can only access data stored overseas through mutual legal assistance treaties (MLATs). Basically, MLAT is a treaty between two nations that spells out exactly how much data they will share with each other, and the US Senate must pass each MLAT with 67% approval.
US CLOUD Act short-circuits all that. First, any US law enforcement, from local police to Federal agents, can "request" any tech companies with a presence in the US to turn over user data, even if the data was stored on a foreign server. Second, US CLOUD Act also eliminated the US Senate approval, authorizing the Whitehouse to enter into "executive agreements" to mutually exchange user data with another nation, bypassing any hosting nation's privacy laws. And the foreign government can similarly request data from American companies. This represents a significant shift in data sovereignty. Many enterprises host their data within their home country to protect the privacy of their customers, or to protect their own sensitive information. It's crucial to take advantage of cloud hosting in your home country, with the necessary security and compliance infrastructure.
If the Trudeau government signs the electronic data-sharing agreement with the Trump Whitehouse, RCMP will be able to directly contact Google, Facebook, or any other tech company in the US and request "relevant" data, instead of sending requests through the US Department of Justice.
Supporters of the CLOUD act claimed that due to an average wait of about 10 months to fulfil an MLAT request, the process must be shortened, else the data would be useless by the time it was received.
Critics of the CLOUD act said this is again trading privacy for security, and get neither. Furthermore, this sets up a dangerous precedent. Not all countries share the same data privacy laws and attempts to erode those privacies are a slippery slope to Big Brother surveillance, all in the name of security. Critics also said the slowness in MLAT request fulfilment came from lack of expertise in foreign data privacy laws, not from the actual laws. The solution is better education and resources, not tossing away the legal safeguards already in place. In fact, many of the resources already exist - our hosting partners have implemented the resources for any enterprise to easily comply with government regulations surrounding data sovereignty.
The European Union is thinking about passing something similar to the US CLOUD act but they are far more cautious about it. EU proposals include a regulation as well as a directive would affect large internet firms such as Google, Facebook, and Twitter, even if they are not in the EU, with the proposal specifying that enforcement orders must be fulfilled in 10 days, and CRITICAL enforcement orders within 6 hours. EFF warns that the proposals also provide immunity from liability should a company complying with these data requests ended up compromising data privacy laws, as long as they are done in "good faith". For example, it is possible for a Europol data request to violate Canadian law such as Personal Information Protection and Electronic Documents Act (PIPEDA), and a Canadian company complying with such a request may be immune from the Canadian law. Due to these regulations, companies face costly compliance challenges and a constantly changing regulatory landscape. Compliance can be messy, and most enterprises don't have the resources or the expertise to manage it themselves.
EFF recommends actually enhancing judicial cooperation, instead of passing laws that essentially privatize law enforcement work. However, so far, Trudeau government has yet to indicate which way it is leaning on this matter, as of late August 2018. Until then, enterprises are left in limbo. Should you be ready to modify your hosting infrastructure and policies? Whose regulations should you adhere to? Where should you host your data?
One of the advantages of working with an experienced cloud hosting partner is that you have access to a wealth of expertise. OPIN's hosting partners are on top of the regulatory changes, allowing organizations to lean on them for guidance around best practices, infrastructure and policies. Complying with data privacy laws is complicated, so don't do it alone.