An interesting article by Caitlin Potratz Metcalf and Peter Church from Linklaters looking at the CLOUD Act and specifically what it means for European businesses holding data in the Cloud with an American provider.
There is now no doubt that U.S. authorities have a legal right to use their extraterritorial powers to access data stored in the Cloud, even if it is not physically stored in the U.S. However, as the article sets out, there are controls in place and the Act itself does not provide any new powers; it simply expedites the process and clears some prior hurdles.
You should also not forget GDPR and how companies must balance the two potentially conflicting demands. Unless things change, this is something that will need to be assessed on a case-by-case basis with no ‘easy win’.
From an eDiscovery perspective, where data is unavoidably collected, processed and stored, this also needs to be considered - especially as in certain cases data could be of great interest to the authorities. Therefore consideration does need to be given to how and where data is stored in these situations as well as in the normal course of business, especially given the different options available, including mobile solutions that can be deployed on premise if needed.
I am definitely not saying that the Cloud is therefore not a suitable storage location in these cases. As the authors state: "...given the combination of the safeguards within that [CLOUD] Act and the GDPR there are good reasons to believe that legitimate businesses storing data in the EU should not be unduly concerned." But there are a number of different options available for situations where this (or other factors) is a concern, ones we regularly successfully deploy all over the world...
The CLOUD Act puts beyond doubt the right of U.S. authorities to issue SCA orders against most major cloud providers in respect of data stored outside the United States. However, given the combination of the safeguards within that Act and the GDPR there are good reasons to believe that legitimate businesses storing data in the EU should not be unduly concerned.