IBM says the US government has “no jurisdiction” to demand data from its Europe-based entities, claiming it has not provided any client data to American law enforcement under the CLOUD Act since it came into force in March 2018.
Since that date the US multinational technology company has received just one request for client content – a term for data that isn’t basic subscriber information – from US law enforcement. IBM said it declined to provide this data, belonging to a customer based in Europe, because it was “inconsistent” with its terms for providing access to governments.
Under the CLOUD Act, US authorities investigating serious crimes can compel American technology companies to hand over data stored on their servers located on foreign soil. To obtain a court order, the request must meet certain criteria, such as seeking specific data rather than bulk collection.
IBM said its subsidiaries and other related entities operating in Europe are bound by EU data protection laws – as is the case for any European company – and so it is able to turn down requests made under the CLOUD Act.
“The US government has no jurisdiction over IBM European entities to demand data entrusted to us by our enterprise and public sector clients merely because these entities have a parent company based in the US,” said Martin Jetter, IBM chairman of Europe, Middle-East and Africa, in a blog post published Wednesday. “Neither the US CLOUD Act nor any other similar law changes that.”
He added: “IBM European entities will contest any demands they receive beyond the lawful jurisdiction of the requesting government.”
A recent probe launched by Europe’s data regulator has thrown the role that cloud providers play in EU-US data transfers into the spotlight. Last week the European Data Protection Supervisor (EDPS) said it is investigating whether agencies and institutions in the bloc using Amazon Web Services and Microsoft Azure cloud services are sufficiently protecting EU citizens’ data.
However, this investigation is not focusing on the CLOUD Act and is instead taking a broader look at safeguards for European citizens’ data under Cloud II contracts. This investigation is in the context of the landmark “Schrems II” judgement, which found the Privacy Shield mechanism for transferring data between the EU and US did not protect EU citizens from bulk surveillance by the US government.
In October 2019 the US and the UK signed the first CLOUD Act agreement to allow American and British law enforcement agencies to demand electronic data from tech companies based in the other country “without legal barriers.”
IBM said its position as an enterprise company rather than a consumer-facing tech firm – such as Facebook, Amazon or Google – was a key reason why it had received so few requests under the CLOUD Act.
“IBM instead deals primarily with business data that would provide little use for national security intelligence purposes, and generally is not the target of third-country authorities’ requests,” said Jetter.
Outside of the CLOUD Act mechanism, IBM says in 2020 it was on one occasion asked to provide client subscriber information so that the authorities could “contact the customer directly.” This request did not involve the US or the EU, IBM said, and was “resolved in full compliance with local law.”
According to Big Blue’s annual transparency report, the company received a total of 81 law enforcement requests globally in 2020.
Verdict has contacted AWS, Microsoft Azure and Google Cloud to ask whether they have handed over data to law enforcement via the CLOUD Act.
Each of the three companies publishes annual or biannual transparency reports detailing the number of law enforcement requests. However, these are not always broken down by their cloud subsidiaries and none specify how many requests were made under the CLOUD Act.
AWS, the largest cloud provider globally, complied with law enforcement requests for content on 15 occasions from 1 July to 31 December 2020, which it says amounts to 3% of overall requests being granted.
Amazon, excluding AWS, handed over information in 27,612 non-content requests and 52 content requests over the same period. These content requests include subpoenas, search warrants, court orders and those under the CLOUD Act, but are not broken down as such.
Separately, Amazon complied with between 0 and 249 national security requests for data (Amazon is permitted to give a range rather than a specific number).
“Amazon continues to object to overbroad or otherwise inappropriate requests as a matter of course regardless of where data is located,” the company says in its biannual transparency report.
Microsoft’s latest transparency report, covering July to December 2020, shows it received 24,798 legal requests globally. It does not separate requests made under the CLOUD Act.
From January to June 2020, Google received 398 “requests for disclosure of Enterprise Cloud customer information.” Of these, it provided partial data 39% of the time. Once again, Google’s transparency report does not break down requests made under the CLOUD Act.