What does the Cloud Act contain?
The Cloud Act is an American law passed on 23 March 2018. It provides that any US company as defined by US law, and its subsidiaries regardless of their location, must disclose to the US authorities the data they control, regardless of where that data is stored. The Cloud Act also allows the US government to sign bilateral agreements with foreign governments without going through Congress; these agreements are designed to provide a more fluid and rapid framework for requests for communications than traditional international mutual legal assistance treaties (MLAT).
No bilateral agreements have been signed to date.
The Cloud Act explicitly provides that the service provider from whom the data is requested has the possibility to object if such communication involves a violation of the law of a foreign country.
This possibility is only valid if a bilateral agreement exists, but to date no such agreement exists, so there is no recourse or possibility of refusal on the part of the provider.
In the case of a bilateral agreement, the provider's objection must be filed within 14 days, and the Court must weigh the competing interests according to criteria set out in the Cloud Act, such as the interest of the United States, the importance of the investigative means deployed, the link between the person concerned and the United States, etc. In the absence of a bilateral agreement, the judges will also have to balance the interests of the United States and other countries, but without criteria defined by the law, on the sole principle of international comity, which is less protective.
On the other hand, it provides that, in return, foreign authorities could directly compel American companies to provide them with data if their country of origin has concluded an Executive Agreement with the United States.
Does the Cloud Act comply with European laws?
The Cloud Act is not compatible with European regulations, namely the GDPR (General Data Protection Regulation), just as was the case with the texts that preceded the Cloud Act. Indeed, for example, the widely used FISA makes it possible to set up surveillance on data of foreigners (in the US), even if it is hosted outside the US. There is no requirement that this be justified by an ongoing investigation. The purpose of the surveillance may be purely political and/or commercial. At this level, there is therefore no change: US legislation was already and remains incompatible with European law.
Consequently, US legislation is not recognised as providing a level of protection adequate to European data protection legislation. In order to transfer data to the USA, it is therefore necessary to demonstrate that appropriate safeguards are in place (standard contractual clauses, Binding Corporate Rules, etc.). A mechanism of appropriate guarantees, the “Privacy Shield” (also called “Protection Shield”), has been set up specifically for data exchanges with the USA: the companies receiving the data register with the US administration and undertake to comply with a certain number of principles. In practice, this mechanism is weak, as it relies on self-certification (the previous version, the Safe Harbour, has been invalidated), but it is necessary in order to be able to exchange data with the USA.
Case of economic intelligence: the takeover of Alstom by GE, the legal leverage at work
In the context of the GE takeover of Alstom, a court case led Alstom to negotiate an out-of-court settlement, and Alstom then obtained a delay in the payment of this settlement pending its sale to the GE group. Strong suspicions remain that the legal proceedings were coordinated to bring about the sale of Alstom to GE, as presented in this article and video from France Inter. In this case, suspicions of corruption were used to put pressure on management and the company. After 4 years of investigation, the FBI had sufficient evidence to initiate a lawsuit. Faced with the inherent risks, Alstom preferred to negotiate an out-of-court settlement to stop the dispute, but Alstom did not have the cash to honour this settlement. The company was therefore forced to look for a buyer for part of its activities in order to obtain the necessary liquidity.
One question: is this case transposable to the Cloud Act?
As this article from France Culture shows, the United States has a heavy track record of using its legal arsenal for economic warfare purposes.
Indeed, the Cloud Act can be considered the data version of the FCPA, which has already proven its profitability for the United States. The imbalances brought by the Cloud Act therefore reinforce this existing legal arsenal by covering the new gold: data.
Franck Decloquement, an expert in economic and strategic intelligence, in the video of his speech at the conference “American extraterritorial sanctions and state independence” at the French National Assembly, summarises the stakes of this law and its exploitation as part of a broader strategy of the United States’ conquest of the digital space.
A case of fictitious exploitation
Similarly to the story of the takeover of Alstom by the GE group, one could imagine the following story:
A French life sciences company uses SaaS information systems subscribed from, or relying on, American service providers.
The company is developing in a competitive and internationalized environment and markets its products on several continents. A competitor in the United States files a complaint with a prosecutor to denounce problems with the quality, reliability or side effects of products marketed in the United States or in other countries. Through various sources, the competitor learns that the company’s data is managed by American players. The competitor then asks the prosecutor to obtain the company’s data from American hosting or SaaS providers or their subsidiaries.
The in-depth analysis of the data makes it possible to identify sufficient breaches to consider a lawsuit. The company then prefers to avoid the bad press of a lawsuit that would irreparably damage its sales and reputation, and enters into negotiations for a fine. The amount of the fine and the announcement of its award weaken the market position of the company, which is forced to consider new partnerships or to sell some of its activities.
GxpManager: a responsible choice
Aware of the ways in which our clients’ data could be exploited and of the associated legal and financial risks, GxpManager has chosen to rely on a European provider that is not subject to extraterritorial legislation.
Our SaaS solution is therefore hosted by a French player. Find out more about our Cloud.
GxpManager is a software publisher specialising in the compliant processing of critical data for players in the Life Sciences and other regulated sectors.