While you were busy with GDPR – the US CLOUD Act was passed, and it has significant impact for European organisations

For the past months everyone has been focusing on the GDPR deadline the 25th of May . In the meantime the passing of another important new privacy and security legislation, with big implications for European businesses using cloud services from US tech giants, went almost totally unnoticed.

On 22 March the so called CLOUD Act (Clarifying Lawful Overseas Use of Data) was passed by the US congress, as part of a 2232-page, $1.3 trillion spending bill.

The microsoft ireland case

Initially born out of a longstanding conflict between Microsoft and the US government over handing out user data, the CLOUD Act has been hailed as a necessary overhaul of the US’ outdated digital privacy and security legislation. As GDPR, the CLOUD Act should definitely be on every European organisation’s mind, as it affects what could happen to personal data placed with US cloud providers like Microsoft, Amazon and Google.

It was the data privacy issues highlighted by United States v. Microsoft Corp. also known as the Microsoft Ireland case – which really paved the way for the CLOUD Act. The case argued that Microsoft had to hand out private user data stored on servers in Dublin. Microsoft initially lost the case in 2013, only to win an appeal in 2016. The US Department of Justice then requerecently the case was declared moot and thrown out.

However the longstanding and very public case, initiated a discussion in Congress about the need for an overhaul of digital privacy legislation. Everyone was in agreement that the laws, which were from the 1980s,  was not fit for purpose. New legislation giving clarity as to which laws apply when it comes to who has the right to access data stored in the cloud, was badly needed.

Read the whole article here in Data Economy.