'Cloud Act' Creates Threat of U.S. Espionage, Say EU Lawmakers

According to a Bloomberg report, multiple members of the European Union (EU) are worried that the United States will start to abuse the recently passed “Cloud Act” to spy on EU citizens. The U.S. law is also said to clash with the EU’s General Data Protection Regulation (GDPR), which is supposed to protect EU citizens’ data against illegal data mining by foreigners.

EU Is Waking Up to U.S. Spying

The governments of Belgium, France, and the Netherlands have been encouraging all of the EU's member states to jointly pass regulations that would prevent the U.S. government from abusing the powers it gave itself last year with the passing of the Cloud Act.

The Cloud Act is supposed to be used for investigations, but it wouldn’t be the first time the U.S. government has abused laws that were meant to be used only against terrorists or for national security issues, for instance.

Microsoft had previously warned that secret orders enabled by National Security Letters were becoming the norm in the tech industry. Microsoft initially opposed the U.S. government on this, but eventually, it ended up supporting the Cloud Act.

With the U.S. government permitting itself to go after data hosted in the EU and elsewhere with a simple request to big tech companies, and considering that most of the big tech companies now support these actions, EU lawmakers have rightfully started to worry about abuses.

U.S. tech companies currently dominate the public cloud services within the EU, but EU-native companies such as OVH have begun to exploit the Cloud Act and other revelations of U.S. espionage to their own advantage.

Last October, OVH founder and CEO Octave Klaba told reporters the following:

“We can guarantee our customers the sovereignty of their data, which is more than Amazon or other rivals can offer.”

Cloud Act - A Tool for Espionage?

The U.S. government has called China’s own National Intelligence Law, which passed in 2017, a “tool for espionage” when giving reasons for the necessity to ban Huawei hardware from U.S. networks.

Laure de la Raudiere, a French lawmaker, drew parallels between that law and the U.S. Cloud Act, saying the two laws are more similar than not, even if they are not the same:

“I don’t mean to compare U.S. and Chinese laws, because obviously, they aren’t the same, but what we see is that on both sides, Chinese and American, there is clearly a push to have extraterritorial access to data. This must be a wakeup call for Europe to accelerate its own, sovereign offer in the data sector.”

The U.S. Congress passed the Cloud Act, with support from Microsoft and other big companies, because a few years earlier the government was not able to force tech companies to provide data hosted abroad.

The Cloud Act was meant to “solve” this, giving the U.S. government the power to compel companies to provide whatever data it was seeking, no matter where it was hosted. Furthermore, the Cloud Act mostly bypassed the need for U.S. law enforcement to seek approval from a given country before American companies could provide the U.S. government with data hosted in that specific country.

It’s now up to other countries to convince the U.S. President or Attorney General that they need to establish "executive agreements" before data hosted in those countries is transferred to the United States. The EU now hopes to use this provision to take back some control in this one-sided relationship, but it likely won’t be easy.

Unbalanced Data Sharing Deals

Over the past couple of decades, the EU has made multiple concessions to the United States in the form of agreeing to share all the data of its citizens in certain situations (such as airline passenger data, as one example), without expecting much in return.

The ever-expansive U.S. mass surveillance activities against EU citizens, as they were revealed by national security whistle-blower Edward Snowden, eventually led to the termination of the EU-U.S. Safe Harbor data agreement.

However, the new European Commission once again compromised on some aspects of the new deal, called the Privacy Shield, such as not actually requiring the U.S. to have similar privacy laws before the deal was in place. This requirement was made clear by the Court of Justice of the European Union (CJEU) when it invalidated Safe Harbor.

The lack of this requirement, as well as other flaws in the new data agreement, could put the new deal at risk of being invalidated by the CJEU later this year, too. The European Parliament has also previously threatened the U.S. with the termination of the deal unless changes are made to its mass surveillance operations in the EU.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.