Reading this, it seems like, as an American, this doesn’t affect me very much. But what it does is make any non-American who uses American services much more vulnerable, as their own governments have carte blanche to request their data with no checks and balances.
Actually it does affect Americans as it gives signed-up governments access to their citizens’ data held in the US, and by extension data on any US citizens they are connected with. I’m sure both sides have been doing this for a while anyway but the CLOUD Act puts it all on a legal footing.
So is it that the companies HAVE to give over the data, or that they are ALLOWED to give over the data?
And/Or do they need a USA warrant or not?
The example I’ve read about is the Microsoft vs US DoJ case where Microsoft has been holding out against providing the US Gov data on a server in Ireland. As I understand it, the new law would compel Microsoft to hand it over. Interestingly, Microsoft is in favour of the new law, presumably because they see it as giving the incumbent an advantage.
As far as govs’ rights in demanding access to US companies’ servers I’m not sure. I’ve only read articles written from a US perspective so far, and not much official reaction from the EU. I would guess there are deals to be done.
The reason then is actually baser than that.
Microsoft is holding out to appear to want to protect customer data (which they harvest but don’t tell the public) and it costs them time and money for this public relations stunt to be appearing to protect customer data. But now they can save themselves time and money so they can say that they by law have to hand it over.
I’d like to know if it still requires a USA warrant so that the request is vetted to ensure it’s a valid one. I cannot see the USA government allowing all requests to be “HAVE TO” without some vetting to ensure they are valid.
Imagine all the USA security issues with data on spies being requested off non-government servers. Want to find out if a person is a USA agent or not? Then request all the Google data on them and see their (& family) movements for telltale signs. Untold wealth of information on potential gov agents that overseas governments can get without vetting simply for the asking.
How is the company supposed to know if person A is a USA citizen? Unless they have their social security number then the person has to be considered non-USA. IE most of the data Google holds would be available simply because the request from o/s government says the person is their citizen on extended stay in USA.
I agree. Microsoft are among the worst offenders in this regard, as an ex-employee, Caspar Bowden, pointed out.
As I understand it, if the (non US) government has been approved by US presidential decree then no further vetting is necessary (doesn’t need to be checked by Congress). So journalists in US-approved dictatorships like Saudi and Turkey who use Gmail had better watch out.
I expect the practical implementation will turn out to be as one-sided as usual. As I said, there are deals to be done.