How to build and implement an eQMS: efficiency, compliance and data integrity – Register to webinar


Cloud Act and Extraterritorial Laws a Threat to European Companie’s Data

Visual representing a cloud in which is an American flag and the words cloud act

What does the Cloud Act contain?

The Cloud Act is an American law passed on 23 March 2018. The Cloud Act provides that any US company as defined by US law and its subsidiaries, regardless of their location, must disclose to the US authorities the data they control regardless of where their data is stored. The Cloud Act offers the possibility for the US government to sign bilateral agreements with foreign governments without going through Congress, unlike MLAT, which is designed to provide a more fluid and rapid framework for requests for communications than traditional international mutual legal assistance (MLAT).

No bilateral agreements have been signed to date.

The Cloud Act explicitly provides that the service provider from whom the data is requested has the possibility to object if such communication involves a violation of the law of a foreign country.

This possibility is only valid if a bilateral agreement exists, but to date no such agreement exists, so there is no recourse or possibility of refusal on the part of the provider.

In the case of a bilateral agreement, the request for opposition must be made within 14 days, and the Court must exercise a balance of interests according to criteria set out in the Cloud Act such as the interest of the United States, the importance of the means deployed in the investigations, the link of the person concerned with the United States, etc. In the absence of a bilateral agreement, the judges will also have to balance the interests of the United States and other countries, but without criteria defined by the law, on the sole principle of international comity, which is less protective.

On the other hand, it provides that, in return, foreign authorities could directly compel American companies to provide them with data if their country of origin has concluded an Executive Agreement with the United States.

Does the Cloud Act comply with European laws?

The Cloud Act is not compatible with European regulations, namely the GDPR (General Data Protection Regulation), just as was the case with the texts that preceded the Cloud Act. Indeed, for example, the widely used FISA makes it possible to set up surveillance on data of foreigners (in the US), even if it is hosted outside the US. There is no requirement that this be justified by an ongoing investigation. The purpose of the surveillance may be purely political and/or commercial. At this level, there is therefore no change: US legislation was already and remains incompatible with European law.

Consequently, the US legislation is not recognised as providing an adequate level of protection compared to European data protection legislation. In order to transfer data to the USA, it is therefore necessary to demonstrate that appropriate safeguards are in place (standard contractual clauses, Binding Corporate Rules, etc.). A mechanism of appropriate guarantees, the “Privacy Shield” (also called “Protection Shield”), has been set up specifically for data exchanges with the USA: the companies receiving the data register with the US administration and undertake to comply with a certain number of principles. In practice, this is not serious, as it is a self-certification mechanism (the previous version, the Safe Harbour, has been invalidated), but it is necessary to be able to exchange data with the USA.

Case of economic intelligence: the takeover of Alstom by GE, the legal leverage at work

In the context of the GE takeover of Alstom, a court precedent led Alstom to negotiate an out-of-court settlement, and then obtained a delay in the payment of this settlement pending the sale of Alstom to the GE group. Strong suspicions remain about a coordination of the legal proceedings in order to achieve the results of the sale of Alstom to GE as presented in this article and video from France Inter. In this case, suspicions of corruption were used to put pressure on management and the company. After 4 years of investigation, the FBI had sufficient evidence to initiate a lawsuit. Faced with the inherent risks, Alstom preferred to negotiate an out-of-court settlement to stop the dispute, but Alstom did not have the cash to honour this settlement. The company was therefore forced to look for a buyer for part of its activities in order to have the necessary liquidity.

One question: is this case transposable with the Cloud Act?

As this article from France Culture shows, the United States has a heavy liability for using its legal arsenal for economic warfare purposes.

Indeed, the Cloud Act can be considered the data version of the FCPA, which has already proven its profitability for the United States. The imbalances brought by the Cloud Act therefore reinforce this existing legal arsenal by covering the new gold: data.

Franck Decloquement, an expert in economic and strategic intelligence, in the video of his speech at the conference “American extraterritorial sanctions and state independence” at the French National Assembly, summarises the stakes of this law and its exploitation as part of a broader strategy of the United States’ conquest of the digital space.

A case of fictitious exploitation

Similarly to the story of the takeover of Alstom by the GE group, one could imagine the following story:

A French life sciences company uses information systems available in SaaS subscribed to or using American service providers.

The company is developing in a competitive and internationalized environment and markets its products on several continents. A competitor in the United States files a complaint with a prosecutor to denounce problems with the quality, reliability or side effects of products marketed in the United States or in other countries. Through various sources, the competitor learns that the company’s data is managed by American players. The competitor then asks the prosecutor to obtain the company’s data from American hosting or SaaS providers or their subsidiaries.

The in-depth analysis of the data makes it possible to identify sufficient breaches to consider a lawsuit. The company then prefers to avoid the bad press of a lawsuit that would irreparably damage its sales and reputation. It then enters into negotiations for a fine. The amount of the fine and the announcement of its award weakens the market position of the company, which is forced to consider new partnerships or to sell some of its activities.

GxpManager: a responsible choice

Aware of the possibilities of exploiting our clients’ data and the associated legal and financial risks, GxpManager has chosen to retain a European player, not subject to extraterritorial legislation.

Our SaaS solution is therefore hosted by a French player. Find out more about our Cloud.

GxpManager is a software publisher specialising in the compliant processing of critical data for players in the Life Sciences and other regulated sectors as well.

Other news

GxpManager attends VivaTechnology 2024 in Paris

Our team will present our data management software and our latest advancements in digitalizing business processes, ensuring full compliance.

Learn more
GxpManager will be at the Swiss Biotech Day 2024 in Basel

GxpManager will be participating in the Swiss Biotech Day exhibition, which will take place on April 22nd and 23rd in Basel, Switzerland. Visit booth 70 to learn more about how our compliance-focused digitalization solutions revolutionize the biotechnology sector. Marc and Farida will be there to welcome you.

Learn more
Barriers to digitalization: regulatory constraints

Regulatory standards represent a significant obstacle to adopting new technologies; however, digitization of business processes are becoming essential to ensure regulatory compliance for companies subject to stringent regulations.

Learn more
GxpManager, a leader in the digitalization of critical data, is participating in Medi’Nov 2024!

Whether you are a SME, a startup, a laboratory, a research and development center... our team is here to support you in transitioning.

Learn more
GxpManager at Forum Labo Lyon 2024: An Alliance for Laboratory Excellence

GxpManager platform offers a comprehensive solution to address laboratories' complex regulatory compliance challenges.

Learn more
Overcoming Financial Barriers: Investing in Digital Transformation

A significant obstacle often hinders companies' digitalization : the costs associated with implementing compliant digital solutions

Learn more
2024 upcoming exhibition

GxpManager will participate at many exhibitions in 2024

Learn more
Barriers to Digitalization: Fear of Change.

The digital transformation of companies faces a number of obstacles that are slowing down its adoption, despite its benefits.

Learn more
GxpManager Joins PMT Innovation, a Catalyst for Innovation and Growth

This membership marks a significant step in our commitment to innovation and the development of our company.

Learn more