April 22nd 2021 - Guides

Cloud Act, Patriot Act, RGPD: What law are your data subject to?

When you choose a web host, you also choose to which legislation your data will be subject. However, all too often, this reflection on data processing is not as complete as it should be and the temptation is great to opt for solutions proposed by large foreign cloud players. For several years, the notion of data security has been paramount. It is therefore crucial to choose the right hosting solution.

If you entrust your personal data to an American service provider, or to a European service provider that hosts your data in the United States, you may find yourself directly subject to American laws (Cloud Act and Patriot Act). This exposure can arise even indirectly, through an entity that is legally and operationally distinct from its parent company. Only a French or European company that does not host your data in the United States can guarantee a very high level of protection for the confidentiality of the personal data of your customers, members or administrators that you process through its offers. To shed light on the real stakes of choosing a hosting solution, we called upon Maître Alexandre Archambault, lawyer at the Paris bar and a fine connoisseur of digital technology.

Interview

What is the Patriot Act and how does it affect data protection?

« Adopted in the aftermath of the September 11, 2001 attacks, the USA Patriot Act (for Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) is a central text for the fight of the American federal authorities against terrorism. Originally designed to last only a few years, it has been made permanent since 2005. The Patriot Act allows American federal agencies (the FBI, the CIA, the NSA, the army, the tax authorities, etc.) to obtain information in the context of an investigation into acts of terrorism, by means of injunctions intended to remain secret given the sensitivity of the subject. This is also the case for the requests formulated on this subject by the French authorities who have a legislative arsenal in this sense via the provisions of the Code of Internal Security. »

What is the Cloud Act?

« Some have presented the Cloud Act as the application of the Patriot Act to the Cloud. It is a federal law dating from 2018 which is above all a procedural law, and which does not specifically target Cloud actors (here CLOUD stands for Clarifying Lawful Overseas Use of Data Act). Criticized by many privacy associations, but also by Members of Parliament, this Act allows US authorities to request a person's data*, after judicial authorization, from service providers subject to US laws. »

* Whether the person is a natural or legal person, and regardless of where the data is stored; without the person in question being informed, nor his or her country of residence, nor even the country where the data is stored.

Why was the Cloud Act created?

« The Cloud Act is the response of the U.S. federal authorities to certain U.S. digital actors who had challenged, and won, in federal courts requests for personal data made by the U.S. authorities, in particular in the context of lawsuits initiated in the United States targeting non-US citizens whose data is hosted in Europe by US actors. »

What does this law mean in concrete terms?

« The Cloud Act is articulated around two axes:

  • It provides that any U.S. corporation within the meaning of U.S. law (i.e., a corporation incorporated in the United States, regardless of the nationality of the shareholders or parent company, as well as companies controlled by it) must disclose to U.S. authorities, upon request and after authorization by a U.S. judge, communications data under its control regardless of where the data is stored. This may therefore conflict with the legal sovereignty of other countries** due to the location of the data;
  • It also provides for the possibility for the U.S. government to sign international agreements with foreign governments. These allow the respective authorities of each country to request directly from the communication service providers the processing and electronic storage of communication data of interest. This is done without having to go through the much more complex procedures of international letters rogatory.»

What is the purpose of this law?

« The objective is to keep up with the digital time scale, where what used to take several months is no longer acceptable at a time when everything is connected on a global scale. Note that this objective is shared by the European and French authorities in the context of their requests to remove content within a few hours, and that a European version of the Cloud Act is in the pipeline (E-evidence). »

Is it true that with the Cloud Act the data is no longer secure?

« Contrary to what one may have read here or there, the Cloud Act is not synonymous with open-bar for the American authorities. First of all, the authorities still have to obtain authorization from an American judge to make such requests. Secondly, the requested provider has the ability to challenge in court the order to disclose personal data entrusted to it to the US authorities.

Moreover, this overlooks the fact that in Europe we have the RGPD, a pioneering text and the founder of data sovereignty in Europe, since its scope of application does not depend on the provider but on the person whose personal data is collected, processed or stored. If the person is a European citizen, whether a natural or legal person, the RGPD applies, regardless of where the controller is established or where the data is stored.

Furthermore, the GDPR has also foreseen the situation where personal data is transferred to third countries or to international organizations, and strictly regulates such transfers.

Through several rulings (the last one dates from last month), the European courts have reminded us of the necessary reconciliation between the fight against terrorism and serious crime and the protection of personal data, as well as the fact that we cannot impose intrusive obligations on digital actors regarding their customers without serious guarantees. Moreover, very recently, the Conseil d'Etat was asked to rule on the conformity of the French national framework.

However, the reconciliation between the Patriot Act and the Cloud Act on the one hand, and the RGPD and ePrivacy (which is still in draft form, so that for digital data it is the RGPD that applies) on the other hand, remains a complex matter for American companies, so that to date no consensus has been reached: recently heard by the Parliament, IBM's representatives believe that the Cloud Act does not apply, while Amazon's representatives believe that they are bound by the Cloud Act for their French activities. »

Is there a law in Europe similar to the Cloud Act?

« A draft European E-evidence regulation, with the same purpose as the Cloud Act, has been under discussion for several years. This project would allow authorities to obtain the disclosure of data of interest to them, hosted by digital actors, in the context of their investigations. Discussions are still ongoing and are stumbling on the adaptations to be made to take into account the principles recalled by the European court decisions. »

For a European economic actor, what are the consequences of the choice of its host for the confidentiality of its data?

« Some examples:

  • Hosting of data on American territory by an American or foreign actor, but held by a company under American law: no doubt, Patriot Act and Cloud Act apply fully. Even if the data concerns a French company, an association or a local authority.
  • Hosting of data on American territory by a structure under American law held by a company under European law: no doubt, Patriot Act and Cloud Act are fully applicable. Even if the data concerns a French company, an association or a local authority.
  • Hosting of data in Europe by a US player, or foreign player, but owned by a US company: it's complicated. The American authorities will tell you that the Patriot Act and the Cloud Act apply, the European authorities will tell you that the RGPD takes precedence, the hosting company being placed between the hammer and the anvil.
  • Hosting of data on European territory by a structure under European law, held by a company under European law: no doubt, the RGPD takes precedence. Any failure to comply with the RGPD is likely to lead to a penalty of up to 4% of worldwide turnover. »

What type of hosting solution should I choose?

« Generally speaking, as far as IT security is concerned: there is no such thing as zero risk! On the other hand, with a good reflection beforehand (if necessary, do not hesitate to ask your advisor) and by knowing how to rely on the right service providers, you have the means to contain the risk and limit its impact for your customers, your members, your constituents.

It is better to choose a provider with a flexible organization and reactive procedures, able to minimize the impact, to intervene rapidly to correct breaches, and to draw all the lessons needed to improve its procedures and gain resilience.

For example, by giving preference to a structure located in France, whose shareholders are known, stable and composed of entrepreneurs involved on a daily basis in the French and European digital industry. And there is no shortage of players, from large national players to smaller ones located in the Ile-de-France or in the regions. Whatever their size or location, they all have one thing in common: they are entrepreneurs who are passionate about digital technology, with a real understanding of the issues at stake and solid technical skills. Most of them master their own infrastructure, meeting the most demanding standards. »

Thus, Aqua Ray perfectly meets the selection criteria mentioned by Mr. Archambault:

  • Aqua Ray is a French structure located in France, whose stable shareholder base is composed of passionate entrepreneurs with solid experience in the construction and operation of digital infrastructures;
  • Our company controls its infrastructure, both physical and logical, since Aqua Ray has its own data center, recently certified by the Uptime Institute, located in the Paris region where technicians can intervene 24/7;
  • Aqua Ray favors the use of Open Source software bricks integrated by a team of competent developers. There is therefore no subcontracting to service providers based in low-cost countries or with little awareness of computer security issues, which guarantees that security patches are applied as soon as possible.
