US CLOUD Act: You have questions and we have answers

In an increasingly digital world, data is everywhere. Often with the help of cloud technology, companies and individuals are storing their data in various parts of the world to meet their latency and data residency needs.

With this global dispersion, data can be subject to more than one country’s law based on its storage or processing location. We understand that our customers want more clarity around who has access to their data based on where they choose to process and store it. At Oracle, we’re deeply committed to the privacy of our customers’ data and look to be an active partner in addressing any privacy concerns, including by providing a comprehensive data processing agreement and privacy and security feature guidance for all our services, being transparent about our global delivery locations, and offering transfer mechanisms, such as Binding Corporate Rules for Processors, designed to address cross-border data flow requirements.

On a related note, customers might seek to understand how the US Clarifying Lawful Overseas Use of Data (CLOUD) Act impacts a cloud service provider (CSP) like Oracle and Oracle Cloud Infrastructure (OCI).

The Stored Communications Act: A precursor to the US CLOUD Act

To understand the US CLOUD Act, you must first look at the Stored Communications Act (SCA). The SCA is effectively the foundation that the US CLOUD Act is built on. Let’s review what the SCA is and why it’s so closely coupled with the US CLOUD Act.

The Fourth Amendment to the US Constitution protects the people’s right to be secure in their persons, houses, papers, and effects against unreasonable searches and seizures. With the advent of digital technologies, the SCA was enacted in 1986 to create Fourth Amendment-like privacy protection for email and other digital communications stored on the internet. The SCA allows US law enforcement to obtain data under limited circumstances.

For example, the law applies only to certain types of service providers subject to US jurisdiction, and it requires probable cause before a judge can issue a warrant for certain stored content. However, a considerable point of ambiguity in the statutory language of the SCA existed around US law enforcement’s ability to reach data stored abroad.

That’s where the US CLOUD Act comes in.

The creation of the US CLOUD Act

To address this ambiguity, the United States Congress passed the US CLOUD Act in March of 2018. The CLOUD Act amends the Stored Communications Act and provides a legal framework for providers of “electronic communication services” and “remote computing services” (including CSPs) that are subject to US jurisdiction. The law specifies under what circumstances CSPs are required to respond to requests from US law enforcement and lays down different avenues for challenging requests. The CLOUD Act serves to clarify US law enforcement’s reach to data stored abroad under the SCA and doesn’t eliminate or modify the procedural safeguards provided for under the SCA.

You can read more about the purpose and scope of the CLOUD Act in this document, published by the U.S. Department of Justice (DOJ).

Addressing concerns and misunderstandings related to the US CLOUD Act

Following passage of the CLOUD Act, Oracle customers and other companies have continued to have discussions about the reach of US law enforcement authorities and their access to data stored in the cloud and in Oracle Cloud services.

Let’s address a few of your most frequently asked questions

Does the CLOUD Act give US law enforcement the ability to randomly access customer data stored on service provider systems?

No. The CLOUD Act doesn’t expand US investigative authority, nor does it allow for law enforcement to indiscriminately access data. In fact, disclosure requests are limited to data that might be responsive to a criminal investigation and are subject to strict legal process requirements and restrictions as well as independent judicial oversight.

Does the CLOUD Act supersede another country’s laws?

No. The CLOUD Act contains procedural safeguards, including safeguards to protect the privacy of individuals and includes an avenue for service providers to challenge disclosure requests that conflict with a foreign (non-US) country’s applicable law.

How does Oracle handle disclosure requests under the CLOUD Act?

Customers have a direct relationship with their users, including data subjects under applicable privacy laws, whose data can be stored in the cloud. Customers are better positioned to identify and access their own user data in response to a law enforcement request. As a service provider, Oracle helps enable our customers to work directly with the relevant authority and provides reasonable assistance and information to respond to these disclosure requests

If Oracle receives a disclosure request from law enforcement, we follow the steps described in its policies, such as the terms of the Oracle Services Privacy Policy and Data Processing Agreement for Oracle Services. Oracle promptly informs the affected customer without responding to the disclosure request, unless Oracle is expressly prohibited under applicable law to notify a customer, such as to preserve the confidentiality of a criminal investigation. We are transparent about the requests submitted to us and periodically publish a law enforcement request report.

In accordance with Oracle’s Binding Corporate Rules for Processors (BCR-p), we also commit to the following practices:

• Assess on a case-by-case basis whether a disclosure request binds Oracle and is valid under applicable laws.

• Challenge any disclosure requests that aren’t binding and valid under applicable laws. As mentioned, the CLOUD Act provides for multiple avenues for service providers to challenge disclosure requests.

Providing customers with ways to further protect their data

Oracle offers cloud services with industry-leading security and privacy controls. We embed these controls in our services and cloud data centers in every region around the world. Services such as OCI Vault allow customers to centrally manage the encryption keys that protect their data and the secret credentials that customers use to access resources securely.

The US Department of Justice has confirmed that the CLOUD Act doesn’t create any requirements compelling service providers to decrypt customer data. This is mentioned in a whitepaper by the US Department of Justice in Section I. "CLOUD Act agreements are encryption-neutral" (page 5) and FAQ Question 29 (page 18).

Oracle privacy policies and cloud service contracts are published online and include clear purpose-limitation restrictions for the use of customer personal information and safeguards around legally required disclosure requests from law enforcement.

We also suggest that you review the data processing agreement for Oracle services and the policies referenced in that document, such as Oracle’s binding corporate rules for processors, which provide transparency about Oracle’s overall approach to the handling of your data.

Oracle’s ongoing commitment to protecting customer privacy

At Oracle, we’re committed to helping customers operate globally in a fast-changing business environment and address the challenges of an increasingly complex regulatory environment.

The passage of the CLOUD Act doesn’t fundamentally change the way that Oracle handles disclosure requests from law enforcement. As a cloud provider, Oracle generally has no insight into the data that customers store and process in OCI or whether that data is personal data that belongs to a particular individual. Customers manage any personal information that they collect, decide how it’s processed, and decide which data regions it’s stored in. Customers can also be confident that Oracle continues to invest in features and services for Oracle Cloud Infrastructure that can help them address their security, compliance, and privacy needs more efficiently.

We welcome you to review our product and services documentation to find out more about the features and services available to you. If you have further questions about Oracle’s privacy and security policies and practices, consult your Oracle Sales representative.