2 min

The CLOUD Act, the latest American law that speaks volumes (by Olivier Iteanu, Lawyer)

Digital transition - May 31, 2018

On 23 March 2018, US President Donald Trump promulgated an Act passed expressly, and almost by surprise, by Congress in Washington DC. The title of the law is the ‘CLOUD Act’. The acronym stands for Clarifying Lawful Overseas Use of Data. A play on words around the well-known technology of cloud computing, something not everyone is likely to appreciate. It’s a disturbing coincidence that this act was passed almost two months to the day before the entry into force of the General Data Protection Regulation[1] (GDPR), designed to regulate the use of European residents’ data. Was the CLOUD Act passed as an anticipated response to the GDPR? If we recall the stated purpose of the GDPR, namely to allow EU residents to regain control of their data, the title of the American law is worrying in itself. This title bears witness to a reality now accepted and considered normal by the United States government. Digital providers must collaborate with the US administration, playing a subsidiary role in the surveillance of populations, even those living outside the country, for example European residents. The CLOUD Act thus adds the following provision to US positive law: “A provider of electronic communication service or remote computing service shall comply with the obligations [of this Act] (…) to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody or control, regardless of whether such communication, record, or other information is located within or outside of the United States.” The text is indeed clear here. It refers to “any record” and the contents are expressly covered. This therefore goes far beyond metadata alone. For Europe, the equation is now simple. We are the area of the world most permeable to digital services made in the USA. These companies, which are often very large, with GAFAM at the top of the list, have built a virtual monopoly on European territory. As the rules of the game are now being announced with great clarity, will our public authorities ask for guarantees from these companies on behalf of their citizens? Or from the United States government? Will we put in place a public policy to promote the emergence of alternative European solutions? Clearly, the Snowden revelations of June 2013 haven’t done anything to alter this slow drift observed over the past 15 years. The same could be said of the latest Cambridge Analytica scandal involving Facebook. We’ll talk about all this on 5 June at the Ecole Militaire de Paris during the 4th edition of the ‘Cloud Independence Day’, a name that has never felt so apt. With the support of CESIN, CIGREF, CLUSIF, FIC2019, the Atena Forum and MEDEF, we have put together a no-nonsense, straight-talking day focusing on the theme of “digital sovereignty: is this the future of the digital world?”. In its own way, the American Congress has just answered in the affirmative, for its own interests. And what about ours?


Olivier Iteanu


Head of the ‘Cloud Independence Day’ Steering Committee

[1] EU Regulation 2016/679 of 27 April 2016 is set to enter into force on 25 May 2018 (Article 99)

Send this to a friend