The CLOUD Act, signed into law by President Trump in 2018, stands for “Clarifying Lawful Overseas Use of Data”, and is worth taking a closer look at when it comes to the privacy of your signature documents.
The CLOUD Act clarifies the right of US government agencies to access data by US providers stored abroad, potentially including data that would otherwise be protected. There is clear potential to negatively impact the privacy of your electronically signed documents, no matter where they’re stored.
The CLOUD Act consists of two parts: Firstly, it allows US law enforcement to gain access to certain data stored by US providers in other countries: no matter where. Secondly, it allows for bilateral agreements between the US and other governments, facilitating the ongoing exchange of data going either way.
Let’s take a closer look at what these things mean for the privacy of your signature documents.
Here’s How the CLOUD Act Affects Data Privacy of eSignatures
Your signature puts you under legal obligation to another party. Any change in regulation that has the potential to erode the privacy of your digitally signed documents should therefore be analyzed closely. The following 5 areas are the main effects of the CLOUD Act on the privacy of your eSignature documents.
| The CLOUD Act… | Impact on eSignature Data Privacy |
| …forces any US-based provider to hand over user data when legally requested to do so. | If your eSignature provider is an American business, your signature documents are an open book. |
| …may limit your provider’s expansion into the US. | If your eSignature provider opens up an office in the US, your documents become subject to the CLOUD Act. |
| …can force providers from certain countries to hand over your data, even if there are no operations in the US. | If headquartered in a country that signed an Executive Agreement, your eSignature provider has to legally hand over your documents to the US when requested to do so. |
| …forces your provider to closely monitor their governments’ agreements going forward. | An Executive Agreement could be signed between the US and any other friendly nation, making it even more important to pick an eSignature provider based in a country known for its strict privacy laws. |
| …sets an example for yet another level of exchange of user data between governments, which could also be adopted outside the US. | The government where your eSignature provider is located could agree with anyone at any given time, placing the privacy of your most sensitive documents at risk. |
The CLOUD Act is often portrayed as a mere clarification of existing law, but its primary and secondary effects on the privacy of eSignatures cannot be underestimated.
Let’s take a closer look at the five most obvious effects of the CLOUD Act of 2018.
The CLOUD Act puts all data of US-based providers in reach of the US government
All data by any US-based provider is now within reach of the US government, regardless of where that data is physically stored. The geographic location of data (where the actual servers are) used to be the primary concern when it comes to privacy, with many locations assumed to be secure and private. With the CLOUD Act, the responsibility of providing access to data is shifted to the provider, no matter where they store the data: For a US-based provider, there are no “safe havens” anymore.
This means that unencrypted eSignature documents stored by any US provider anywhere in the world are now fair game (by the way: even if the document is encrypted, it’s still vulnerable if the provider also stores the keys). If you’ve chosen your eSignature provider based on “secure” server locations, you might have to rethink that decision. If they’re a US company, data privacy is a thing of the past, regardless of where they store your signature documents.
Any data provider has to question expanding to the US in light of the CLOUD Act
Expanding operations to the US now not only brings 300 million new potential customers but also the attention of the US government. The United States with its large population and business-friendly environment is still regarded as a desirable market to break into for many businesses. However, even establishing a branch office in the US subjects a company to the CLOUD Act, no matter where the headquarters are located.
For any user of a non-US eSignature provider, that means they have to keep an eye on the expansion plans of their provider to ensure the privacy of their documents. Your local eSignature provider is bound to domestic laws only as long as they don’t set up an office in the United States. As soon as that’s the case, your unencrypted eSignature documents are an open book to the US government, no matter whether your provider is headquartered in Berlin, Hong Kong, or Mumbai.
The CLOUD Act forces providers from certain countries to hand over data
With Executive Agreements, countries can bypass a long legal process and effectively hand over the data of any user to a requesting US authority. Designed to facilitate the flow of (legally requested) information, this part of the CLOUD Act removes another hurdle to the free exchange of information (a.k.a. user data) between two governments. While not making your private data a free-for-all, as there are still legal procedures and rules to be followed, it speeds up the process of a US authority asking and quickly receiving all your data in question.
If your eSignature provider’s home country has an Executive Agreement with the US, your unencrypted eSignature documents are openly available and readable to a requesting government entity at a moment’s notice. Even if you’re a resident of Great Britain, your eSignature provider is British, and has no US office, your private documents just became a lot less private – unless they’re encrypted by default. Luckily, there are still privacy-focused countries like Switzerland, for example, which are unlikely to enter into an Executive Agreement in the foreseeable future.
Providers need to stay informed about their government’s agreements with the US going forward
The US is expanding its list of “partners”: when is it your country’s turn? Great Britain was the first to sign an Executive Agreement, Australia followed shortly after. Likely, the US won’t stop there and keep adding more strategically important “partners” to that list. This means your provider — and by extension, you as a user — have to keep an eye on regulations to stay informed about the latest requirements regarding the sharing of private user data.
Your eSignatures will only stay private as long as the home country of your provider does not enter an Executive Agreement with the US government. And while some assumptions can be made by looking at existing partnerships regarding data exchange, you’ll never know when it’s your turn. Once that happens, your unencrypted eSignature documents are up for grabs. It’s wise to minimize your exposure early on by opting for an eSignature provider based in a neutral, privacy-conscious country like Switzerland.
The CLOUD Act paved the way for similar agreements between any two governments
The CLOUD Act could very well set a precedent for similar agreements between any number of countries. The US is already considered the standard for all things technology, so what’s stopping your government from entering into any number of Executive Agreements with any other government? This could open up Pandora’s box and slowly erode whatever privacy citizens of a nation currently enjoy online.
Depending on your government’s international relations, your unencrypted eSignature documents could soon be visible to a host of agencies from any number of countries. While it’s safe to assume that the country where your provider is located would not just randomly start sharing your sensitive documents with anyone. The fact that there is no obligation to report any agreement to you, the end-user, makes this the equivalent of a digital sword of Damocles for your privacy. Don’t risk any exposure: Opt for proper End-to-end encryption from the beginning.
The Bottom Line
The CLOUD Act establishes clear guidelines for obtaining user data from US providers anywhere in the world, as well as a framework for ongoing data exchange called Executive Agreements.
While there is nothing inherently wrong with establishing clear rules, the CLOUD Act does present some issues from a privacy perspective: Any document stored anywhere in the world is now at risk of being legally obtained by US government agencies, be that because the hosting entity is US-based, or it is located in a country with an Executive Agreement in place.
It’s worth mentioning that there still is no “free” and especially unsupervised exchange of data: US authorities need a valid reason to ask for data of any kind. Also, the CLOUD Act specifically outlines how businesses can challenge its execution if they deem an unsuitable infringement on the privacy of their users. It also specifically addresses civil liberty and privacy concerns by imposing limits on what can be requested and by whom.
When it’s all said and done, and even with GDPR in place (which in itself presents a potential legal conflict to any Executive Agreement with the US). There is no way for any user to know with 100% certainty that their eSignature documents are kept private, no matter who the provider is, or where that provider stores the actual documents. This leaves users with only one way to ensure privacy: To use end-to-end encryption. Because once properly encrypted, access to any document all of a sudden matters a lot less.