ServerBase Blog
CLOUD Act – are we sitting in the glasshouse, too?


By Norwin Metzger
Tuesday, 12. February 2019

With the signing of the CLOUD Act by US President Trump last spring, the world of data storage and retrieval seems to be reorganizing. But what exactly does the CLOUD Act mean, and what are the advantages and disadvantages of this agreement for Switzerland and for each one of us?

What exactly is it?

The Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, is designed to allow US authorities to collect information from users of American Internet companies or IT service providers, even if that information is not stored in the United States but overseas, for example in Switzerland. The law was created because US authorities were often largely powerless outside American territory. There, the release of data was often denied because a legal basis was missing outside the US. Now the US security agencies are trying to back it up with a legal back door: the introduction of the CLOUD Act.

However, this new regulation does not automatically apply worldwide. A bilateral treaty must be concluded between the US and the respective country. This treaty facilitates data queries on both sides. In short, as a user you are sitting in the glasshouse, and often you do not even know about it.

Secure server location Switzerland?

For Switzerland, such an agreement would be exciting. It would create a legal basis on which Swiss authorities would secure access to American companies such as Google or Twitter. A data query would be easy. In return, of course, the US wants to see and use its share: in other words, highly sensitive data from cloud providers based here.

However, much more needs to be clarified in such an agreement, for example at what point a ‘US reference’ exists that creates an obligation to exchange data. Clara-Ann Gordon, a specialist in technology and data protection law, said at the end of last year that a conflict with the Swiss legal system had to be avoided. Our law expressly punishes carrying out acts on Swiss territory for a foreign state without authorization. In addition, even a lawyer cannot guarantee that various Swiss companies have no US connection. So there is still a lot to clarify.

But this is not the only point where it gets tricky. Because Swiss data centers are so attractive, especially to foreign companies, the issue is particularly explosive for them. The high standard and the entrepreneur-friendly data protection rules are especially popular with banks and insurance companies from home and abroad. Here the CLOUD Act also carries an economic risk.

Microsoft Azure focuses on transparency for the user and takes a stand against the CLOUD Act

Microsoft’s own cloud platform Azure now focuses on more transparency and privacy for its users. With six specifically defined principles, Microsoft even wants to limit the accessibility of US companies and argues that each provider should control the data of its users independently and not be controlled. While others, for example AWS, say little about it and present themselves in a bright light with euphemistic phrases, Microsoft is trying to set new standards with its principles.

Is our data secure?

After GDPR and now also the entry into force of the CLOUD Act in the US, we are increasingly under the microscope: we are screened and have the feeling of sitting at the breakfast table with the US authorities, whether we have something to hide or not. How much information now flows overseas depends a lot on Switzerland’s negotiating skills and on the extent to which national law takes precedence over international law.

This also determines how we will have to deal with sensitive data in the future. Until a bilateral treaty is concluded (if one comes about at all), ServerBase, including all data centers, will be governed exclusively by Swiss law and will, as a result, offer the highest data security. And if a bilateral agreement is concluded in the future, the data that can be obtained will be restricted to ‘US-related’ data. Although this relationship is defined very broadly, it is unlikely to affect the majority of our customers. In any case, ServerBase advocates that all customer systems be protected as far as possible from legal interference and remain independent of any legal changes.