Cloud services are, without doubt, the cheapest solution, but do you know where your data really is, who has access to it, and what they might be doing with it? This is such a wide subject with so many moving parts that I wanted to give a perspective on the risks you need to consider if you want to use the cloud in any of your business activities.
The CLOUD Act
On October 3, 2019, the United States and the United Kingdom signed an agreement on cross-border law enforcement demands for data from service providers (“Agreement”). The Agreement is the first bilateral agreement to be entered under the Clarifying Lawful Overseas Use of Data (CLOUD) Act. It obligates each Party to remove barriers in their domestic laws so that U.S. and U.K. national security and law enforcement agencies may obtain certain electronic data directly from Communications Service Providers (“CSPs”) located in the jurisdiction of the other Party.
Rather worryingly, replace the words "law enforcement agency" with "HMRC" and read the paragraph again. The CLOUD Act amends U.S. law to make clear that law enforcement may compel U.S.-based service providers to disclose data that is in their "possession, custody, or control" regardless of where the data is located.
So potentially HMRC now has access to Google, Microsoft, and AWS (Amazon) cloud services. AWS is estimated to host up to a staggering 40% of the world's internet-facing content.
Again, the issue is not the risk of access: TIEAs already provide reasonably simple access and permit a chance to defend against the request. The point is that they can take all of your data without limitation, check, control or balance.
The risk is not a question of hiding wrongdoing; it is the risk and reputational cost of an investigation triggered by a suspicion or supposition that an investigator holds. The whole process under the CLOUD Act does not follow each country's MLATs or the jurisdictional laws of the place where the data is resident.
On July 10, 2019, the European Data Protection Board ("EDPB") and the European Data Protection Supervisor ("EDPS") issued a joint assessment of the impact of the U.S. Clarifying Lawful Overseas Use of Data Act ("CLOUD Act") on the legal framework for the protection of personal data in the EU.
The institutions point out that Article 48 of the GDPR requires that any order from a non-EU authority requiring the transfer of personal data outside the EU must be recognized by an international agreement – such as a mutual legal assistance treaty (“MLAT”) – to be valid. Therefore, according to the institutions, “EU companies should generally refuse direct requests and refer the requesting third country authority to an existing mutual legal assistance treaty or agreement.”
Data sovereignty has been a key point in deciding how, and on what platform, Amberisk will operate.
If you are a small business it might be the only simple choice, and Microsoft and Google are happy to slog it out for your business; but do you know what you are consenting to?