
Cloud Act and Patriot Act: how do you protect your organization?

Posted on 4/2/2026

Data confidentiality and security have become major challenges for all organizations. The problem is that, despite the General Data Protection Regulation (GDPR) in force in Europe, the data of French companies is not protected if it is entrusted to an American service provider or hosted on American soil.

The cause? The extraterritorial reach of American law enabled by the Cloud Act and the USA Patriot Act. These two laws allow American authorities to force American service providers and companies to hand over the data of a user or a company, regardless of their nationality and the location of the data.

What are the Cloud Act and the Patriot Act?

The Cloud Act

Adopted on March 23, 2018, the Clarifying Lawful Overseas Use of Data Act or CLOUD Act is an American federal law that concerns access to personal data. It allows United States judicial authorities (federal, local, even municipal) to force service providers located in the United States to provide data relating to the electronic communications of American citizens and residents, stored on servers, whether located in the United States or abroad.

The Cloud Act came about after Microsoft opposed the American government, which wanted to access the communications of an alleged drug dealer, stored by Microsoft on servers in Ireland.

One of the main problems with this law is that American courts can request access to an individual's personal communications without informing the individual, their country of residence, or the country where the data is stored. This is why the Cloud Act is strongly criticized by several privacy associations and civil rights groups such as the Electronic Frontier Foundation (EFF), the American Civil Liberties Union, Amnesty International and Human Rights Watch.

The Patriot Act

Signed on October 26, 2001 by President George W. Bush, the USA Patriot Act was a direct consequence of the terrorist attacks of September 11, 2001. Passed urgently, this law was only supposed to last four years, but it was renewed several times by Congress, and is still in force today.

USA Patriot Act is an acronym that stands for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism.” This law strengthens the surveillance powers of American authorities such as the CIA, the FBI, the NSA and the American Army, and simplifies the procedures for fighting terrorism at the expense of individual freedoms.

What are the consequences for businesses?

Dropbox, Google, Amazon, Microsoft and others: most online service providers and cloud market leaders are American, and most French companies trust them with their data without asking too many questions.

If this applies to you, be aware that your customers' private data and your strategic information can be consulted and analyzed without limit by the American authorities, without your being informed and without any possible recourse.

In addition to their obligation to comply with the law under pain of heavy sanctions, some of these American firms have malicious practices exposed by the numerous scandals that have broken out around the world. This is the case of the Facebook-Cambridge Analytica scandal, revealed in March 2018, in which the personal data of 87 million Facebook users was collected by the company Cambridge Analytica and used to influence voting intentions in favor of certain politicians.

Since all data can be consulted, the business models, budgets, strategic data and other industrial secrets of European companies are no longer safe. The Cloud Act thus legalizes industrial espionage, intellectual property theft and therefore unfair competition.

Today, the technological lead of GAFAM (the web giants Google, Apple, Facebook, Amazon and Microsoft) is considerable and difficult for France and Europe to close. And the options for dethroning the American web leaders and protecting oneself from the Cloud Act are few.

How do you protect yourself from it?

Today, French companies face the challenge of complying with the GDPR to protect their data while continuing to use GAFAM services.

However, there are a few ways to protect yourself from the Patriot Act and the Cloud Act, and to avoid having your data seized by American authorities.

One of the best solutions is to prioritize data sovereignty by using French service providers whose data is hosted on servers located on French territory. This is the case of Wimi, a French company that entrusts the hosting of its data to another French company: Scaleway SAS (Iliad Group). Your data is therefore protected by the GDPR and is beyond the reach of the Cloud Act and the Patriot Act.

End-to-end encryption is the other possible bulwark against attacks on individual freedoms and privacy. It is the most secure encryption method that exists today. End-to-end encryption was designed to encrypt all sorts of information and data: messages, photos, videos, audio files, and various documents. The security is such that businesses using end-to-end encryption are unable to provide messages and other documents to authorities because they are impossible to decipher.

This method was developed specifically to combat cybercrime, industrial espionage and abusive surveillance by authorities.

Now you know what you need to do to protect your organization and ensure that your data is beyond the reach of the Cloud Act and the Patriot Act.