Organizations around the world are embracing cloud technology to drive innovation, improve security, and remain competitive in the new digital economy. As cloud service providers, we support these organizations, which include businesses of all sizes, public sector entities, and non-profits, by operating services and infrastructure that are utilized across borders.

As companies that provide services around the world, we also recognize the right to privacy under international human rights law. Governments have a legitimate and important interest in protecting the safety and security of their people. Yet in some instances they seek to gain access to data under laws that do not adequately protect human rights and the rule of law, and conflict with laws of other countries. As cloud service providers, we are committed to protecting the privacy and security of our customers’ data in all jurisdictions through policy and technology. All governments must recognize certain baseline protections as they enact laws for the cloud era.

The Trusted Cloud Initiative seeks to partner with governments around the world to resolve international conflicts of law that impede innovation, security, and privacy, and to establish and ensure basic protections for organizations that store and process data in the cloud. Through this initiative, we commit to working with governments to ensure the free flow of data, to promote public safety, and to protect privacy and data security in the cloud.

This initiative builds on pre-existing commitments that each of our companies has made in this area, including by undertaking internal human rights impact assessments. It serves as a baseline to which our companies are committed.

As cloud service providers we:

  • Recognize the interest of governments around the world in protecting the safety, security, privacy, and economic vitality of individuals and organizations that use global cloud services;
  • Recognize that international human rights law enshrines a right to privacy;
  • Recognize the importance of customer trust and customers’ control and security of their data, which entails both safeguarding the data customers own in the cloud, and creating products and policies that establish, maintain, and enhance that trust;
  • Support laws that allow governments to request data through a transparent process that abides by internationally-recognized rule of law and human rights standards.
  • Support international legal frameworks to resolve conflicting laws related to data access, privacy, and sovereignty;
  • Support improved rules and regulations at the national and international levels that protect the safety, privacy, and security of cloud customers and their ownership of data;
  • Recognize the importance of publishing, on a regular basis, transparency reports detailing aggregate statistics regarding government data requests.

To achieve our objectives, we commit to working with the tech sector, public interest groups, and policymakers around the world, particularly in the countries where we operate or plan to operate data centers and cloud infrastructure, to ensure that laws and policies are substantially in line with the following principles:

  1. Governments Should Engage Customers First, with Only Narrow Exceptions. Governments should seek data directly from enterprise customers rather than cloud service providers, other than in exceptional circumstances. 
  2. Customers Should Have a Right to Notice. Where governments seek to access customer data directly from cloud service providers, customers of those cloud service providers should have a right to advance notice of government access to their data, which only can be delayed in exceptional circumstances;
  3. Cloud Providers Should Have a Right to Protect Customers’ Interests. There should be a clear process for cloud service providers to challenge government access requests for customers’ data, including notifying relevant data protection authorities; 
  4. Governments Should Address Conflicts of Law. Governments should create mechanisms to raise and resolve conflicts with each other such that cloud service providers’ legal compliance in one country does not amount to a violation of law in another; and
  5. Governments Should Support Cross-Border Data Flows. Governments should support the cross-border flow of data as an engine of innovation, efficiency, and security, and avoid data residency requirements.