
SoylentNews is people

posted by mrpg on Monday February 26 2018, @02:59PM
from the limit-does-not-exist dept.

Original URL: US state legal supremos show lots of love for proposed CLOUD Act (a law to snoop on citizens' info stored abroad)

The attorneys general of 35 US states on Wednesday signed an open letter calling for the quick passage of the Clarify Lawful Overseas Use of Data (CLOUD) Act – with some qualifications.

[...] In effect, it means the FBI can ask, say, a California court for a subpoena to obtain files from a San Francisco upstart's servers hosted in France, sidestepping French privacy laws and legal system. The act's wording also does not limit the Feds to serving orders for communications on US companies and entities – agents would be able to demand information from whomever they wished, if a US judge approved.

The draft law also allows foreign governments to ask for non-US-citizens' personal data stored in America, under new sharing agreements that would be worked out by the White House.

The CLOUD Act was drawn up in part as a result of the ongoing court battle between Microsoft and US law enforcement: Uncle Sam wants a Microsoft customer's email messages stored on a Microsoft-run server in Ireland. The Feds went to a judge in New York for the information, but Redmond wants prosecutors to go to Ireland and ask an Irish judge for permission.

Microsoft, essentially, is arguing that, because the data in question is stored on servers in Ireland, the g-men's request – made under the 1986 US Stored Communications Act – is invalid. The US Supreme Court will consider the case this year.

[...] "The Act also creates incentives for our foreign partners to enter into bilateral agreements that will facilitate cross-border criminal investigations, while ensuring that privacy and civil liberties are respected."


  • (Score: 2) by fritsd on Monday February 26 2018, @04:44PM (4 children)

    In effect, it means the FBI can ask, say, a California court for a subpoena to obtain files from a San Francisco upstart's servers hosted in France, sidestepping French privacy laws and legal system. The act's wording also does not limit the Feds to serving orders for communications on US companies and entities – agents would be able to demand information from whomever they wished, if a US judge approved.

    On 28 May, the GDPR [europa.eu] directive of the EU comes into operation.

    If I read it correctly, that means that if the French server operator allows this transfer of information, they lose the right to process personal data, AND they face a fine of up to € 20 000 000 or 4% of total annual worldwide turnover, whichever is *more*.

    I think it probably took the EU this long to work through the repercussions of our post-Snowden world. But I suspect they took it rather seriously.

  • (Score: 3, Insightful) by frojack on Monday February 26 2018, @05:15PM (2 children)

    that if the French server operator allows this transfer of information, they lose the right to process personal data, AND they face a fine of up to € 20 000 000 or 4% of total annual worldwide turnover, whichever is *more*.

    All well and good, but unenforceable.

    You buy an app to store your smartphone pictures in the cloud from some US company. Your photos go to France Cloud company because that is the cloud provider hired by App company. (Exactly as TFS says).

    Tin Star sheriff gets a subpoena and demands photos. App Company dutifully hands them over, by pulling your photos (which they stored for you) from French Servers (which they paid for), and delivers them to tin star. French server will never know about the subpoena, only that the bulk purchaser of cloud storage retrieved data, just like every other day.

    YOU never had a contract with French Cloud. They don't know you exist, even though there is a numbered sub directory with your pictures in it.

    Even if French Cloud knew who you were in records provided by App Company, there is nothing that says they can't return data to whoever is paying for the storage, and who therefore owns the data.

    You seem to suggest that French Company will get in between each request for data and arbitrate who can or can not get that data?
    Are ye daft mon?

    --
    No, you are mistaken. I've always had this sig.
    • (Score: 2) by bob_super on Monday February 26 2018, @05:22PM

      If Tin Star Sheriff gets a subpoena against a European, they can argue that their data is stored in Europe (per the app's legalese to avoid trouble with the personal data export directive).
      If the data is released, it would be easy to attack it in court (though US courts tend to be sympathetic to US requests), and the hosting company would get kicked in the nuts.
      "How did you get that incriminating data?" is a pretty basic question to ask.

      Obviously, the protection of US citizens' data stored in Europe is a bigger can of worms (see MS case)

    • (Score: 2) by fritsd on Monday February 26 2018, @07:36PM

      No, not in between each request for data. But maybe before French Cloud even signs the contract with App Company:

      https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-rules-apply-if-my-organisation-transfers-data-outside-eu_en [europa.eu]

      for example if App Company signs:

      adherence to a code of conduct or certification mechanism together with obtaining binding and enforceable commitments from the recipient to apply the appropriate safeguards to protect the transferred data.

      which they probably can't promise if they're in a US jurisdiction.

      I'm still not sure about the fine print, but I think companies incorporated in the EU have to write down how they process personal data (if they do), and if they are planning to share that data with third countries. But probably only if they process "high risk" personal details. I don't know if photos fall under that category.
      In a brochure on the GDPR, it said that data on race, religion and sexual preference were mentioned as examples of "high risk".

  • (Score: 0) by Anonymous Coward on Monday February 26 2018, @05:16PM

    I'll take it seriously when they start enforcing the law against their American overlords, rather than stitching up a deal giving the US everything they ask for, with nothing in return.