Clarifying Lawful Overseas Use of Data (CLOUD) Act

Overview

• What is "new" about the CLOUD Act?

  The CLOUD Act it is an update to United States law that clarifies the geographic scope for United States law enforcement requests and provides new means for services providers to challenge requests that conflict with another country's laws or national interests. Where we need to act to protect customers, we'll continue to do so. We have a history of challenging government requests for customer information that we believe are overbroad or otherwise inappropriate.
  

• Does the CLOUD Act change how law enforcement can request customer content?

  No. The CLOUD Act does not change the process or requirements for law enforcement requests for data as part of a criminal investigation. The CLOUD Act does not give United States law enforcement unlimited or unfettered access to data. United States Law enforcement may seek content from service providers in only two circumstances: (1) with the customer’s consent or (2) with a warrant issued by a United States court in accordance with United States criminal procedures. For a warrant to be issued, a United States court must be convinced that there is probable cause to believe a crime has occurred and that evidence sought under the warrant is directly related to that crime. The CLOUD Act also creates additional safeguards for cloud content, recognizing the right of cloud service providers to challenge requests that conflict with another country’s laws or national interests.
  

• How does the CLOUD Act impact AWS?

  The CLOUD Act does not impact AWS services or how we operate our business. Historically, we have received very few United States law enforcement requests, and we are transparent about the number of requests that we receive. We are always vigilant about customer privacy and security, and we are committed to providing our customers with industry-leading privacy and security protections when using our products and services. When we receive a request for content from law enforcement, we carefully examine it to authenticate accuracy and to verify that it complies with applicable law. Where we need to act to protect customers, we’ll continue to do so. We have a history of challenging government requests for customer information that we believe are overbroad or otherwise inappropriate. If we are required to disclose customer content, we will continue to notify customers before disclosure to provide them the opportunity to seek protection from disclosure, unless prohibited by law.
  

• How does the CLOUD Act impact how customers/partners can use AWS?

  The CLOUD Act does not impact how customers/partners can use AWS services.
  

• Are there additional steps that customers should take to protect their data?

  We believe customers should maintain control of their own data, and we provide a number of advanced encryption and key management services that customers can use to protect their content. Customers can also choose from a number of supported third-party encryption solutions when using AWS services. Encrypted content is useless without the applicable decryption keys.
  

• Is the CLOUD Act only applicable to cloud service providers?

  No. The CLOUD Act applies to all electronic communication service or remote computing service providers that operate in the U.S. (such as email and cloud service providers), whether those providers are established in the United States or another country.
  

• Does the CLOUD Act take precedence over another country’s local law?

  No. The CLOUD Act does not change another country's local laws. In fact, the CLOUD Act recognizes the right for service providers to challenge requests that conflict with another country's laws or national interests.
  

CLOUD Act Resources