The Tug-of-War Over Your Data: How the CLOUD and SHIELD Acts Pit Security vs. Privacy

The Tug-of-War Over Your Data: How the CLOUD and SHIELD Acts Pit Security vs. Privacy

The United States government has enacted two major laws regarding how technology companies handle government requests for users’ data – the CLOUD Act and the SHIELD Act. On the surface, these laws seem to have contradictory aims, but understanding the nuance in each law is key.

The CLOUD Act, passed in 2018, enables US law enforcement to more easily compel tech companies to provide requested data, even if that data is stored abroad. Meanwhile, the proposed SHIELD Act would limit tech companies’ ability to comply with foreign governments’ requests for data, unless the US government reviews it first.

What Data Compliance Standards Matter?

Read Now

This article dives deep into the origins, impacts, strengths and weaknesses of each act, and argues why the US needs both laws to balance security, privacy and international cooperation.

The CLOUD Act: Expanding Law Enforcement’s Reach

The Clarifying Lawful Overseas Use of Data (CLOUD) Act was passed by Congress and signed into law in March 2018 as part of a large omnibus spending bill. The CLOUD Act clarifies that US tech companies must comply with warranted requests for data from US law enforcement, even if that data is stored on servers located outside of the US.

This resolved a legal gray area that formed as more user data began being stored remotely by tech companies (“in the cloud”). Previously, tech companies claimed they could not access overseas data, and US authorities had to go through cumbersome and slow mutual legal assistance treaties to request foreign-stored data.

The CLOUD Act makes clear that US tech companies must comply with valid domestic search warrants regardless of data location. It also empowers the US to enter into bilateral agreements with other nations to more easily exchange data requests directly.

Supporters argued the CLOUD Act was necessary for law enforcement to effectively investigate crimes in the digital era. However, critics expressed concern it could undermine privacy laws in other countries and encourage authoritarian regimes to breach citizens’ data. Human rights groups also argued it did not provide enough protections against abuse of the new direct data sharing agreements.

On balance, the CLOUD Act allows more seamless access to data across borders, but raises sovereignty and human rights concerns. US tech companies now clearly must comply with US warrants globally, reducing legal uncertainties but also weakening other nations’ autonomy over data within their borders. The law’s impacts are still developing as bilateral deals are negotiated.

2023 Kiteworks Sensitive Content Communications Privacy and Compliance Report

The SHIELD Act: Protecting Data from Foreign Access

In contrast to the CLOUD Act expanding law enforcement power, the Safeguarding Americans’ Private Records Act (SHIELD Act) aims to limit foreign governments’ access to US citizens’ data stored by tech companies. The SHIELD Act was introduced but not passed in Congress in 2020. It prohibits companies subject to US jurisdiction from complying with foreign governments’ requests for US user data, unless those requests are reviewed and deemed permissible by the US Department of Justice.

Supporters of the SHIELD Act argue it is needed to protect US citizens’ data from exploitation by adversary nations like China and Russia. The bill’s backers say current US law does not prevent tech companies from handing over private data to foreign governments, and this undermines American rights.

Requiring US government review of foreign requests adds an important layer of oversight. Critics counter that the SHIELD Act could encourage other nations to adopt similar restrictive laws, Balkanizing internet access and fracturing the worldwide web. If other countries reciprocally restrict data flows, tech companies could face conflicting legal obligations.

While not yet law, the principles of the SHIELD Act reflect an increasingly nationalist and protective approach of the US government regarding control over citizens’ data. It aims to reassert American authority over tech companies’ data sharing practices regarding US persons’ information. However, the global interconnectedness of internet systems and multinational nature of tech companies complicate purely domestic regulation.

US Cloud Act vs. SHIELD Act: Similarities, Differences, and Ironies

Despite their contrasting aims, the CLOUD and SHIELD Acts share the underlying premise that the US government should control when US tech companies share US citizens’ data. The CLOUD Act expands US law enforcement access, while the SHIELD Act restricts foreign governments’ access. Both assert American jurisdictional authority and aim to preserve US citizens’ rights relative to foreign entities’ data requests.

The two laws, however, take nearly opposite stances on extending jurisdictional reach beyond national borders. The CLOUD Act claims US warrant power over data anywhere in the world. The SHIELD Act, by contrast, tries to fence off foreign access to US data abroad unless permitted by the US government. This contradiction highlights the complexities of data regulation in an interconnected world. America cannot fully have it both ways—seamlessly accessing data globally while blocking other nations from accessing data across US borders.

Yet, in a way both laws share an ironic skepticism of other nations’ intentions regarding US citizen data, seeking to protect American privacy against foreign exploitation. The US affirms its own right to access citizens’ data worldwide through the CLOUD Act, while denying reciprocal foreign access to data via SHIELD.

However, democratic accountability and rights protections should not be assumed to be exclusively American. Ultimately, both privacy and security require international cooperation and agreement on shared data protection principles.

Why Security Best Practices Aren\'t Enough in the Era of Data Privacy

US Cloud Act vs. SHIELD Act: Why We Need Both Laws

In this phase of the information age, in which massive amounts of sensitive data is generated, processed, and stored online every day, both the CLOUD and SHIELD Acts respond to valid concerns about protecting citizens’ rights. Law enforcement needs effective access to digital evidence to uphold justice—the motivation behind the CLOUD Act. Simultaneously, citizens’ personal data deserves protection from foreign mass surveillance or repression—the motivation behind SHIELD. Both principles of privacy and justice are important, despite the tension between these laws.

Ideally, nuanced agreements can uphold both aims. Bilateral CLOUD Act agreements could ensure law enforcement data access while also setting baseline civil liberties protections. SHIELD Act reviews of foreign requests could allow justified cases while limiting indiscriminate data seizures. No single country can unilaterally regulate the global internet. However, the US is right to assert its interests through both streams of policy – seeking security through CLOUD while preserving privacy through SHIELD. If combined carefully, these two laws can form a holistic American data policy for the digital age.

Kiteworks Helps US Organizations Keep Their Confidential Content Private From Government Snooping

The CLOUD and SHIELD Acts embody difficult tradeoffs underlying data regulation. In an interconnected world, governments must balance law enforcement access, privacy rights, and international cooperation. Rather than contradictory, these US laws represent legitimate parallel interests—facilitating domestic investigations while protecting citizens from foreign overreach. Wise implementation of both policies could uphold security and liberty. However, this will require nuance and negotiation to shape sustainable international norms balancing key principles of justice and privacy.

The Kiteworks Private Content Network, a FIPS 140-2 Level validated secure file sharing and file transfer platform, consolidates email, file sharing, web forms, SFTP and managed file transfer, so organizations control, protect, and track every file as it enters and exits the organization.

Kiteworks allows organizations to control who can access sensitive information, with whom they can share it, and how third parties can interact with (and for how long) the sensitive content they receive. Together, these advanced DRM capabilities mitigate the risk of unauthorized access and data breaches.

These access controls, as well as Kiteworks’ enterprise-grade secure transmission encryption features also enable organizations to comply with strict data sovereigntyrequirements.

In addition, Kiteworks customers manage their own encryption keys. As a result, Kiteworks does not have access to any customer data, ensuring the privacy and security of the customer’s information. By contrast, other services such as Microsoft Office 365 that manage or co-manage a customer’s encryption keys, can (and will) surrender a customer’s data in response to government subpoenas and warrants. With Kiteworks, the customer has complete control over their data and encryption keys, ensuring a high level of privacy and security.

Kiteworks deployment options include on-premises, hosted, private, hybrid, and FedRAMP virtual private cloud. With Kiteworks: control access to sensitive content; protect it when it’s shared externally using automated end-to-end encryption, multi-factor authentication, and security infrastructure integrations; see, track, and report all file activity, namely who sends what to whom, when, and how. Finally demonstrate compliance with regulations and standards like GDPR, ANSSI, HIPAA, CMMC, Cyber Essentials Plus, IRAP, DPA, and many more.

To learn more about Kiteworks, schedule a custom demo today.

Additional Resources

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who feel confident in their content communications platform today. Select an option below.

Lancez-vous.

Avec Kiteworks, se mettre en conformité règlementaire et bien gérer les risques devient un jeu d’enfant. Rejoignez dès maintenant les milliers de professionnels qui ont confiance en leur plateforme de communication de contenu. Cliquez sur une des options ci-dessous.

Jetzt loslegen.

Mit Kiteworks ist es einfach, die Einhaltung von Vorschriften zu gewährleisten und Risiken effektiv zu managen. Schließen Sie sich den Tausenden von Unternehmen an, die sich schon heute auf ihre Content-Kommunikationsplattform verlassen können. Wählen Sie unten eine Option.

Comienza ahora.

Es fácil empezar a asegurar el cumplimiento normativo y gestionar los riesgos de manera efectiva con Kiteworks. Únete a las miles de organizaciones que confían en su plataforma de comunicación de contenidos hoy mismo. Selecciona una opción a continuación.

Table of Content
Share
Tweet
Share
Explore Kiteworks