New Privacy Regulations – Understanding the CLOUD Act and GDPR
Two new regulatory frameworks have been in the news recently, and both promise significant implications for security and privacy around the globe. But America’s CLOUD Act and Europe’s General Data Protection Regulation (GDPR) are quite different. It’s worth understanding the background, requirements, and reactions to these laws.
First, the GDPR. The European Union’s General Data Protection Regulation was passed into law by the EU Parliament in 2016. The law is intended to protect the personal data of EU citizens and to improve and replace the EU’s previous privacy directive which is over twenty years old and was less legally binding. A major impact of the GDPR, when it comes into force in May of this year, will be to impose strict data protection guidelines on non-EU companies who process the data of EU citizens. The law is designed to make these rules and requirements more standardized and easier to implement, but at the same time, the GDPR imposes severe penalties on companies who fail to adhere to the law’s provisions.
The Clarifying Lawful Overseas Use of Data (CLOUD) Act, on the other hand, was passed by the U.S. Congress as part of the 2018 omnibus spending bill and went into effect in March. As with the GDPR, one purpose of the CLOUD Act was to update existing U.S. privacy and surveillance laws that were decades old. A particular area of focus was to make it easier for law enforcement agencies to get access to data stored online (“the cloud”) as part of warrants and subpoenas. In recent years, numerous cases have arisen where agencies like the FBI had trouble getting access to data that were stored on computers in other countries. The CLOUD Act requires American companies to provide access to such data no matter what country the company stores it in.
Both laws have implications for company data protection practices, and both have generated a lot of feedback, concern, and even criticism.
In the case of GDPR, the new rules for data protection promise to force companies who process data on EU citizens to be much more careful with that data. Among other things, GDPR requires:
- Companies must prove they have a lawful basis for processing personal data
- Some companies must appoint a dedicated Data Protection Officer
- Companies must have defined business processes and policies addressing data protection
- Companies must get explicit consent before processing personal data
- Organizations must protect data using technologies like encryption
- Companies must report data breaches within 72 hours of discovering them
Penalties for violating GDPR can be severe, as much as 20 million euros or 4% of a company’s annual revenue. This has caused many companies concern as they are challenged to get everything set up before the May deadline. But in an age of regular large-scale data breaches, the benefits to be derived from GDPR are worth it.
The CLOUD Act has drawn equal measures of praise and criticism. In some ways, the new law is like a mirror image of GDPR: focused on the same things, but reversed. The CLOUD Act is about getting access to data that may be hidden around the world in the cloud, taking advantage of different jurisdictions and laws. For supporters, the CLOUD Act simply helps the law catch up with today’s technology. Critics of the CLOUD Act feel it’s an increase in surveillance and an erosion of privacy. Both the Electronic Frontier Foundation and the ACLU have criticized the new law. Some even feel that the CLOUD Act will directly undermine GDPR.
Regardless of how you feel about either of these new laws, there is a good chance you will be impacted by their passage, or at least hear about them. For organizations that store data outside of their own IT systems (which is almost everyone these days) or who do business with the EU, it is important to understand these new regulations and be sure you are ready to meet their compliance requirements.
About the Author:
Dr. Lance Hayden’s career spans over twenty-five years in the security and privacy fields, with roles spanning the public, private, and academic sectors. As ePatientFinder’s Chief Privacy and Security Officer, Lance is the executive owner of enterprise information governance and data protection for the company. Before ePatientFinder, Lance was a Managing Director with the Berkeley Research Group, a global strategy consulting firm, and helped clients develop robust security cultures and programs. Prior to BRG, Lance ran Cisco’s IT