The Tug-of-War Over Your Data: How the CLOUD and SHIELD Acts Pit Security vs. Privacy
The United States government has enacted two major laws regarding how technology companies handle government requests for users’ data – the CLOUD Act and the SHIELD Act. On the surface, these laws seem to have contradictory aims, but understanding the nuance in each law is key.
The CLOUD Act, passed in 2018, enables US law enforcement to more easily compel tech companies to provide requested data, even if that data is stored abroad. Meanwhile, the proposed SHIELD Act would limit tech companies’ ability to comply with foreign governments’ requests for data, unless the US government reviews them first.
This article dives deep into the origins, impacts, strengths and weaknesses of each act, and argues why the US needs both laws to balance security, privacy and international cooperation.
The CLOUD Act: Expanding Law Enforcement’s Reach
The Clarifying Lawful Overseas Use of Data (CLOUD) Act was passed by Congress and signed into law in March 2018 as part of a large omnibus spending bill. The CLOUD Act clarifies that US tech companies must comply with warranted requests for data from US law enforcement, even if that data is stored on servers located outside of the US.
This resolved a legal gray area that formed as more user data began being stored remotely by tech companies (“in the cloud”). Previously, tech companies claimed they could not access overseas data, and US authorities had to go through cumbersome and slow mutual legal assistance treaties to request foreign-stored data.
The CLOUD Act makes clear that US tech companies must comply with valid domestic search warrants regardless of data location. It also empowers the US to enter into bilateral agreements with other nations to more easily exchange data requests directly.
Supporters argued the CLOUD Act was necessary for law enforcement to effectively investigate crimes in the digital era. However, critics expressed concern it could undermine privacy laws in other countries and encourage authoritarian regimes to breach citizens’ data. Human rights groups also argued it did not provide enough protections against abuse of the new direct data sharing agreements.
On balance, the CLOUD Act allows more seamless access to data across borders, but raises sovereignty and human rights concerns. US tech companies now clearly must comply with US warrants globally, reducing legal uncertainties but also weakening other nations’ autonomy over data within their borders. The law’s impacts are still developing as bilateral deals are negotiated.
The SHIELD Act: Protecting Data from Foreign Access
In contrast to the CLOUD Act expanding law enforcement power, the Safeguarding Americans’ Private Records Act (SHIELD Act) aims to limit foreign governments’ access to US citizens’ data stored by tech companies. The SHIELD Act was introduced but not passed in Congress in 2020. It prohibits companies subject to US jurisdiction from complying with foreign governments’ requests for US user data, unless those requests are reviewed and deemed permissible by the US Department of Justice.
Supporters of the SHIELD Act argue it is needed to protect US citizens’ data from exploitation by adversary nations like China and Russia. The bill’s backers say current US law does not prevent tech companies from handing over private data to foreign governments, and this undermines American rights.
Requiring US government review of foreign requests adds an important layer of oversight. Critics counter that the SHIELD Act could encourage other nations to adopt similar restrictive laws, Balkanizing internet access and fracturing the worldwide web. If other countries reciprocally restrict data flows, tech companies could face conflicting legal obligations.
While not yet law, the principles of the SHIELD Act reflect an increasingly nationalist and protective approach of the US government regarding control over citizens’ data. It aims to reassert American authority over tech companies’ data sharing practices regarding US persons’ information. However, the global interconnectedness of internet systems and multinational nature of tech companies complicate purely domestic regulation.
US CLOUD Act vs. SHIELD Act: Similarities, Differences, and Ironies
Despite their contrasting aims, the CLOUD and SHIELD Acts share the underlying premise that the US government should control when US tech companies share US citizens’ data. The CLOUD Act expands US law enforcement access, while the SHIELD Act restricts foreign governments’ access. Both assert American jurisdictional authority and aim to preserve US citizens’ rights relative to foreign entities’ data requests.
The two laws, however, take nearly opposite stances on extending jurisdictional reach beyond national borders. The CLOUD Act claims US warrant power over data anywhere in the world. The SHIELD Act, by contrast, tries to fence off foreign access to US data abroad unless permitted by the US government. This contradiction highlights the complexities of data regulation in an interconnected world. America cannot fully have it both ways—seamlessly accessing data globally while blocking other nations from accessing data across US borders.
Yet, in a way both laws share an ironic skepticism of other nations’ intentions regarding US citizen data, seeking to protect American privacy against foreign exploitation. The US affirms its own right to access citizens’ data worldwide through the CLOUD Act, while denying reciprocal foreign access to data via SHIELD.
However, democratic accountability and rights protections should not be assumed to be exclusively American. Ultimately, both privacy and security require international cooperation and agreement on shared data protection principles.
US CLOUD Act vs. SHIELD Act: Why We Need Both Laws
In this phase of the information age, in which massive amounts of sensitive data are generated, processed, and stored online every day, both the CLOUD and SHIELD Acts respond to valid concerns about protecting citizens’ rights. Law enforcement needs effective access to digital evidence to uphold justice—the motivation behind the CLOUD Act. Simultaneously, citizens’ personal data deserves protection from foreign mass surveillance or repression—the motivation behind SHIELD. Both principles of privacy and justice are important, despite the tension between these laws.
Ideally, nuanced agreements can uphold both aims. Bilateral CLOUD Act agreements could ensure law enforcement data access while also setting baseline civil liberties protections. SHIELD Act reviews of foreign requests could allow justified cases while limiting indiscriminate data seizures. No single country can unilaterally regulate the global internet. However, the US is right to assert its interests through both streams of policy – seeking security through CLOUD while preserving privacy through SHIELD. If combined carefully, these two laws can form a holistic American data policy for the digital age.
Kiteworks Helps US Organizations Keep Their Confidential Content Private From Government Snooping
The CLOUD and SHIELD Acts embody difficult tradeoffs underlying data regulation. In an interconnected world, governments must balance law enforcement access, privacy rights, and international cooperation. Rather than contradictory, these US laws represent legitimate parallel interests—facilitating domestic investigations while protecting citizens from foreign overreach. Wise implementation of both policies could uphold security and liberty. However, this will require nuance and negotiation to shape sustainable international norms balancing key principles of justice and privacy.
The Kiteworks Private Content Network, a FIPS 140-2 Level validated secure file sharing and file transfer platform, consolidates email, file sharing, web forms, SFTP and managed file transfer, so organizations control, protect, and track every file as it enters and exits the organization.
Kiteworks allows organizations to control who can access sensitive information, with whom they can share it, and how third parties can interact with (and for how long) the sensitive content they receive. Together, these advanced DRM capabilities mitigate the risk of unauthorized access and data breaches.
These access controls, as well as Kiteworks’ enterprise-grade secure transmission encryption features, also enable organizations to comply with strict data sovereignty requirements.
In addition, Kiteworks customers manage their own encryption keys. As a result, Kiteworks does not have access to any customer data, ensuring the privacy and security of the customer’s information. By contrast, other services such as Microsoft Office 365 that manage or co-manage a customer’s encryption keys, can (and will) surrender a customer’s data in response to government subpoenas and warrants. With Kiteworks, the customer has complete control over their data and encryption keys, ensuring a high level of privacy and security.
Kiteworks deployment options include on-premises, hosted, private, hybrid, and FedRAMP virtual private cloud. With Kiteworks: control access to sensitive content; protect it when it’s shared externally using automated end-to-end encryption, multi-factor authentication, and security infrastructure integrations; see, track, and report all file activity, namely who sends what to whom, when, and how. Finally, demonstrate compliance with regulations and standards like GDPR, ANSSI, HIPAA, CMMC, Cyber Essentials Plus, IRAP, DPA, and many more.