Europeans are struggling with how best to respond to a new US law known as the Cloud Act that permits American law enforcement officials to demand that online companies turn over data stored on computer servers outside the United States.
The Cloud Act, which stands for Clarifying Lawful Overseas Use of Data Act, was passed by the US congress and signed into law last month after Microsoft refused to turn over information stored overseas to the Federal Bureau of Investigation.
Civil libertarians criticized the prospect of US law enforcement being able to comb through records on Facebook and Twitter stored in overseas databases. The law stands in stark contrast to the European Union’s new General Data Protection Regulation (GDPR), which takes effect May 1. The GDPR essentially gives everyone in the European Union control of their personal data, even when stored in the US, and gives them the right to demand information about them be deleted.
“The Cloud Act comes at the expense of privacy”
Johannes Caspar, the city of Hamburg’s commissioner for data protection and freedom of information, attacked the US legislation as a breach of European rules. The Cloud Act “is a law at the expense of privacy and the fundamental right to data protection, with potentially global proportions,” Mr. Caspar said.
Authorities in Brussels have also responded by proposing their own version of the CLOUD Act, which is called the E-Evidence Directive, requiring overseas companies like Facebook to appoint a legal representative in the EU who can be served with papers in criminal and terrorism investigations to provide access to data stored outside the EU.
The business community has adopted a cautious response to the Cloud Act. “Companies are trying to figure out the new regulations,” said Susanne Dehmel, member of the executive board for law and security at German computer industry association Bitcom. She said it is important to balance privacy with legitimate security interests.
So far, the German government hasn’t expressed an opinion on either the Cloud Act or the E-Evidence rules. But Manuel Höferlin, digital policy spokesman for the libertarian Free Democratic Party, said passivity toward the Cloud Act is unacceptable. “The European Commission should not allow these access options and act against it,” he said. “The federal government must act more strongly than before.”
German security sources told Handelsblatt that criminal and terrorism investigations need to take precedence over data protection concerns in the EU. If data is stored worldwide, a prosecutor should be able to access that information, they said.
Dana Heide is a Berlin-based correspondent for Handelsblatt who covers the Ministry of Economic Affairs, Moritz Koch is a correspondnet in Berlin, and Dietmar Neuerer is the politics correspondent for Handelsblatt Online. To contact the authors: firstname.lastname@example.org, email@example.com and firstname.lastname@example.org