The US has streamlined its processes for data requests from cloud services providers now embedded into almost every part of the UK economy
Although the channel won't likely have much to fear from corporate espionage, the US Clarifying Lawful Overseas Use of Data (CLOUD) Act may yet increase costs and complexity, especially in the face of post-Brexit GDPR reform.
Nigel Seddon, vice president of EMEA West at IT services management vendor Ivanti, says the act will probably increase complexity in relationships and global supply chains already struggling with different data handling regimes from the EU to Singapore and beyond.
"You've got the dynamics of the UK now being separate from Europe, and here is yet another country, creating its own specific rules and regulations," Seddon points out.
Seddon notes that computer records are already increasing "tenfold" because electronic evidence is now required from online services providers in a majority of criminal investigations. Some 85% of European criminal investigations require such evidence.
Additional data storage means extra cost, and the "number two expense" is the need for B2B services providers to learn how to handle related legislative queries with the correct levels of impartiality, authority and accuracy.
Another edge for the larger players
If you get the feeling this will disadvantage SMBs and sharpen the edge of large services providers with extensive legal and intellectual resources to devote to such tasks, Seddon agrees.
"More due diligence is going to be needed to understand the organisations and data you're working with to work out whether it's worth taking on a project – with potential implications to cost and brand if you mess up," Seddon notes.
The CLOUD Act was created under president Donald Trump in March 2018 to help US agencies chase down criminal activity by helping them request data held by service providers in other jurisdictions.
The UK indicated cooperation with this law by passing the Crime (Overseas SCA orders) Act in 2019 – but while under the EU's GDPR Act, it wasn't clear if UK providers would be subject to such requests.
John Story, general counsel and chief data ethics officer at cloud platform provider Acoustic, notes the CLOUD Act conflicts with GDPR, giving US law enforcement powers to request data stored by US companies on servers outside the US.
"This extra-territorial compulsion has raised concerns about the safety of information in the cloud and potential conflicts with EU and UK data laws, including GDPR," he says.
"Under US law, the service provider has to accept the request. But under European and UK regulations, there must be a lawful basis for processing that data."
All still to play for with GDPR reform
Michael Queenan, chief executive of cloud services brokerage Nephos Technologies, thinks nothing will change in the short term due to the CLOUD Act.
However, the UK can now diverge from GDPR, having announced in August that it will reform data protection law.
"It might mean UK data needs to reside in the UK in the future. That would be a large change," Queenan says.
Christina Walker, global channel sales and programmes director at data erasure software vendor Blancco, says most of Blancco's UK channel have reported that they're data managers only – not data owners – and therefore don't expect "a tonne" of legal complexity.