Cloud Act impact on OVH customers

A recent legal development has excited lawyers because of its complexity and its potentially far-reaching consequences: the so-called Cloud Act that was signed into law by President Trump on 23 March 2018. I figured that if I could make the Cloud Act, and its impact for OVH’s clients, understandable even to non-lawyers, then it would prove that the rest is also possible!

So what is the Cloud Act and why should you care about it? This was the question I asked myself when I joined OVH on 14 May 2018. I have spent the last 20 years working in aerospace and defence companies: for me, a cloud is something you fly through in a plane. Apparently it means something else at OVH, so I had to find out more about it. It turns out that that it isn’t even “cloud” but “CLOUD” since it stands for the “Clarifying Lawful Overseas Use of Data” Act. A lawyer would immediately notice two key words: “clarifying”, which implies that this law is not meant to be revolutionary, and “overseas”, which tells us that the American legislature is making a law for something that is happening outside American soil. Indeed, the first context in which we can situate this new piece of law is the balance between ensuring that serious crime can be investigated quickly and efficiently, and protecting the rights of individuals, especially their right to privacy; precisely in the case where data is located outside of the USA.

The Cloud Act makes it clear that it is designed to help law enforcement agencies (LEAs) get timely access to data held by hosting providers, in order to “protect public safety and combat serious crime, including terrorism”. In the rest of this article, we need to remember that the Act limits itself to this quite laudable scope. In the days before the internet, if an LEA wanted evidence, it sent officers into your home to get it and if you were outside the US an American LEA had no right to enter your home. In the era of the cloud, data located outside the US is equally difficult to obtain; LEAs have to rely on mutual assistance agreements between governments, known by lawyers as MLATs. Obtaining an MLAT to access overseas data can take as long as 10 months, which considerably slows down a criminal investigation. So Congress passed the Cloud Act to speed things up.

What does the Cloud Act say and to whom does it apply?

Although we can read in the press that the Act is another example of an American law that is “extraterritorial”, in a strictly technical sense it isn’t: it only applies to a cloud provider that is subject to American law. Let me say it again more clearly: the Cloud Act does not apply to OVH France, for example, it only applies to American companies and to their subsidiaries. And what it says is that an American provider must give an LEA access to a customer’s data **wherever in the world that data is stored**. That’s the extraterritorial part. It means that a US LEA no longer needs to go through the MLAT process: it can require an American cloud provider to deliver data held on a European server, for example. (We should remember that this is not just a discussion between the FBI and the cloud provider: the FBI still needs to go to a judge to obtain a warrant to request the data.)

The Big Question for most of OVH’s clients and potential clients is the following: if I am not an American citizen and I put my data with a European or Canadian subsidiary of an American cloud provider, can an LEA, for example the FBI, access my files? Unfortunately, here I have to give a lawyer’s answer: “maybe yes, but maybe no”. First, it’s clear that the Cloud Act would apply and that it does not matter where in the world your data is stored: the American mother company is subject to the Cloud Act. Second, the FBI would first need to get a warrant from an American judge and so it would need to demonstrate that your data is needed for a serious criminal investigation. (It is interesting to note that this step is actually more protective of your rights than the equivalent in French law, where a judge would not be involved.) Third, your cloud provider would have the possibility to defend your data rights, but this is his choice:

- The cloud provider might decide to tell you about the warrant, so that you are alerted to the issue. Nothing in the Cloud Act prevents him from doing this, but nothing obliges him to either, and in serious cases the warrant given by the judge would require confidentiality.

- The cloud provider could seek a court order modifying or annulling the warrant. This is a rather complicated process because he can either try to do this under the provisions of the Cloud Act, which are precise and clear but only available in respect of countries which have signed a bilateral agreement with the US (see below), or under a traditional legal principle known as “comity” which is not affected by the Cloud Act but is quite complex. You would not be a party to that court application; you would have to rely on your provider getting it right, and on the (American) judge preferring the provider’s argument over the FBI’s.

The main basis on which your provider might object to a warrant is that, if he were to provide the data, he would himself be in breach of the law of another country. This is almost certainly the case if you are European, because your personal data rights are protected under European law. Many other countries have laws to protect their citizens’ data, and the provider would have the possibility to raise them, if he so decides. That’s why it is not possible to be precise about whether your data would be transmitted by the American cloud provider or not. But let’s remember that the whole purpose of the Cloud Act was to remedy the situation where Microsoft refused to transmit data held in Ireland belonging to a non-American person.

How does the Cloud Act affect OVH? As detailed previously on this blog, ([https://www.ovh.com/fr/blog/comment-ovh-resout-lequation-developpement-aux-usa-et-identite-europeenne/]), even before the Cloud Act, OVH designed its structure to give the maximum protection to its customers. The Cloud Act does not apply to OVH France or OVH Canada, since they are not American companies. If an American agency wanted to obtain data held by OVH France or Canada, they would have to go through the MLAT procedure.

The Cloud Act obviously does apply to OVH US, which is an American company. But it is an independent subsidiary of OVH, it has its own governance and its strategy, marketing and operations are independent of the rest of the group. As a subsidiary, it cannot tell its parent, OVH France, what to do. Moreover, OVH US has no access to data hosted by other parts of the OVH group. If an American LEA obtained a warrant requiring OVH US to disclose data held by other group companies, OVH US would not be able to comply because such data would not be in its “possession, custody or control”.

The Cloud Act is new and we don’t yet know how it will play out. The Act envisages foreign governments signing up via bilateral agreements in order to make it work more fluidly. At the moment, no foreign government has done so. It is possible that some kind of framework will be set up between the European Commission and the US but this is currently speculation. Another idea is for Europe to enact its own version of the Cloud Act, and a draft of this is in discussion. We will have to wait and see what happens.

In the meantime, OVH respects its customers’ right to choose where their data is held and, so far as legally possible, what happens to it. You can decide to have your data hosted by OVH US if you wish (although you would have to sign up with OVH US, not OVH France), in which case it would be subject to disclosure under the Cloud Act. Or you can choose to have your data held in Europe or Canada, and you can even choose in which datacenter it is stored. OVH wants its customers to be able to decide, but making informed decisions depends on knowing all the facts. That is why transparency is part of our culture, and why I am writing about this complicated legal issue.