Managing global regulated data in the age of the CLOUD Act
It’s common knowledge that the US government, with a subpoena or warrant, can compel companies to disclose data about companies and individuals. All governments have some type of legal capability to request data from information providers.
What is surprising to many, even those of us in IT, is that with the 2018 CLOUD Act, the US government can compel a US company that is hosting data in another country to comply with such information requests. For example, if a Malaysian company is hosting data in Amazon Web Services’ Singapore region, Amazon will have to comply with US subpoenas and warrants to disclose the data.
The CLOUD Act was passed to amend the Stored Communications Act of 1986, after Microsoft took a case all the way to the US Supreme Court to avoid disclosing data that was stored on a Microsoft server in Ireland. There are also similar laws in other countries, such as Australia, that go beyond the CLOUD Act, as they can be executed without disclosure.
We at InCountry specialize in storing highly regulated data like financial, health, and employee data worldwide. In many of our discussions with prospects globally, we are specifically asked about the CLOUD Act. Banks, health care providers, and other large companies are highly concerned about the US government having access to their data outside of their own countries’ legal process for accessing data.
If your company is storing German data and the German government legally requests that data, you should of course always comply, and your German customer should expect this. If your company is storing Kuwaiti data in Canada, the Kuwaiti customer will be very concerned if the Australian government can access that data without following either Kuwaiti or Canadian laws and processes.
So how can a US-based company that is storing regulated data globally alleviate these customer concerns?
1. Disclose government access possibilities to prospects and customers
First off, when selling to international customers, be proactive in describing the jurisdictional controls that would apply to their data. It is better to address these issues head-on and upfront rather than when your software deal hits legal and compliance. Being proactive will save both your prospect and you wasted time and effort in case they are not willing to have their data disclosed to the US government outside of their country’s legal procedures.
2. Restrict where data is hosted and which staff can access data
One option is to avoid US cloud vendors and evaluate foreign clouds such as OVHcloud, which are actively promoting themselves as hosting solutions beyond the reach of the CLOUD Act. It’s also important to have controls in place that restrict access to data. Specifically, for technology companies, engineers should never have access to production data. Do you think the frontend engineer who works on your bank’s website should make their debugging job easier with access to your personal bank records? Absolutely not. Every company needs to have strict data controls. For example, at InCountry, we have operational staff in the Russian Federation that can access Russian data in conjunction with our network operations teams in a different country, and we are looking to expand staff in other key countries such as China and the UAE where data jurisdiction is critical to our business.
3. Move your US-based company to a data-friendly jurisdiction
If storing regulated data is a company’s primary business, consider moving your company’s headquarters to a data-friendly jurisdiction. Countries like Singapore and free trade zones like Abu Dhabi General Market (ADGM) are increasingly attracting high-tech companies that need to instill customer trust in data storage. In countries where disclosure of foreign data can be compelled, employees should work for a distinct subsidiary with absolutely no access to data and no right to direct employees in other countries to access data. For example, a company that is headquartered in the UAE would have subsidiaries in the US and Europe. The US subsidiary would comply with US government subpoenas and warrants for US data but would not be able to comply with US government subpoenas and warrants for Russian data.
As the world’s data laws become increasingly fragmented, companies that store and manage regulated data need to seriously consider exactly under which jurisdictions they are storing data. International customers are making this part of their selection criteria.