The Clarifying Lawful Overseas Use of Data (“CLOUD”) Act was enacted into law on March 23, 2018. The Act provides that U.S. law-enforcement orders issued under the Stored Communications Act (SCA) may reach certain data located in other countries – a key question in United States v. Microsoft Corporation, No. 17-2, a case argued before the Supreme Court on February 27. Both the government and Microsoft recently agreed that the closely watched case is now moot following the CLOUD Act. READ MORE
The United States Department of Defense (“DoD”) recently published two new rules that impose broader obligations to safeguard information that falls within specified categories of sensitive data and to report cyber incidents to the government. These rules generally apply to companies that have been awarded new DoD procurement contracts, that hold subcontracts under such DoD contracts, or, in some cases, that have been awarded other types of agreements with DoD. The rules:
- expand contractors’ and subcontractors’ safeguarding responsibilities and obligations to report and investigate cyber threats;
- modify the scope of data that contractors and subcontractors must safeguard and the universe of contractors and subcontractors to which the requirements apply;
- establish requirements for contractors and subcontractors using cloud computing to provide information technology services to DoD, including requiring such contractors to keep government data within the United States, implement DoD-approved safeguards, and limit disclosure of and access to government data;
- expand and make mandatory DoD’s previously voluntary cyber incident reporting system for defense industrial base (“DIB”) agreement holders; and
- open DoD’s voluntary cybersecurity information sharing program up to a greater range of agreement holders.
The new rules reflect DoD’s intensified focus on treatment of export controlled technology and other categories of sensitive data. Awardees of DoD procurement contracts, subcontracts, and other types of instruments such as cooperative agreements are well-advised to make their data-security and export control compliance programs comport with these new requirements.
Yesterday, German federal and state (Länder) data protection authorities (“DPAs”) issued a Position Paper following the recent Court of Justice of the European Union (“CJEU”) ruling that struck down the EU-US Safe Harbor Framework. Read an unofficial translation of the German Position Paper here.
Unfortunately, the Position Paper does little to relieve the pressure many organisations are now facing in relation to their cross-Atlantic data transfer mechanisms, particularly those used to transfer data from Germany to the United States. READ MORE