Abstract
The authoritative 382-page reference establishing that vendor jurisdiction—not data location—determines cloud security risk, with detailed analysis of how US laws enable government access to humanitarian data.
Summary
This third edition (2024) provides the most thorough publicly available analysis of CLOUD Act, FISA 702, and PATRIOT Act implications for cloud-hosted sensitive data. The handbook documents that there are no humanitarian exemption clauses in these laws, and that organisations may never know their data was accessed due to non-disclosure obligations on providers. Mitigation strategies include encryption, Swiss-jurisdiction providers, and contractual notification requirements.
Key Findings
On the Stakes
“They must work as effectively and efficiently as possible to assist individuals faced with persecution or natural disasters, so protecting the processing of their Personal Data can literally be a matter of life and death.” — Foreword to the Third Edition
On the CLOUD Act Problem
The handbook documents that US authorities can compel disclosure from any provider under US jurisdiction:
“US authorities may compel the disclosure of content and traffic data over which a service provider under US personal jurisdiction has ‘possession, custody or control’: for purposes of certain criminal proceedings; irrespective of where the data are located.”
And critically:
“There is nothing in this first part of the CLOUD Act that exempts Humanitarian Data from its scope of application, nor are there any other limitations within the CLOUD Act that would implicitly exempt such data.”
The Notification Problem
Organisations may never know their data was accessed:
“The US government can impose a non-disclosure obligation on the service provider under certain circumstances. This means that the service provider may be prohibited from notifying the Humanitarian Organization of the existence of a request for its data.”
A Concrete Example
The handbook provides this simplified scenario:
A Humanitarian Organization stores dialogue with group G in a public cloud environment. The Cloud Services are provided by a service provider incorporated in New York. Data are stored in Europe. Under the US CLOUD Act, US authorities could have the power to legally oblige the provider to disclose such data… The provider might be prohibited from informing the organization of this request.
Cloud Risks Identified
The handbook categorises cloud risks into two main areas:
- Lack of control over data
- Absence of transparency about processing operations
Specific risks include:
- Possible access by government and law enforcement authorities
- Long data processing chains of subcontractors out of effective control
- The interception of sensitive information
- Unauthorised international data sharing
- Data theft from the provider
Mitigation Strategies
Technical Measures
“While encryption per se cannot mitigate the risk of disclosure of data, it can make it more difficult to use the disclosed data, as such data would not be legible. This is of particular relevance in the context of legal frameworks that do not contain any obligations to furnish decrypted data, such as the CLOUD Act.”
Vendor Selection
“Humanitarian Organizations might wish to only choose service providers under the jurisdiction of States which have granted privileges and immunities to the organization, and/or that have in place effective blocking statutes.”
The handbook cites Swiss law (Article 271 of the Criminal Code) as an example of a blocking statute that may prevent Swiss providers from assisting foreign authorities without authorisation.
Contractual Measures
“Negotiate in their contracts with service providers… that, in case of a request, the service providers should at least inform authorities of the fact that the data sought may be subject to privileges and immunities.”
The 17 Chapters
The handbook covers:
- Introduction — Data protection as integral to protecting life, integrity, and dignity
- Basic Principles — Core data protection concepts adapted for emergencies
- Legal Bases — Grounds for processing personal data in humanitarian contexts
- International Data Sharing — Cross-border data transfer frameworks
- Data Protection Impact Assessments — Risk evaluation frameworks
- Designing for Data Protection — Privacy by design principles
- Drones — Surveillance and imagery collection issues
- Biometrics — Fingerprints, iris scans, and identification systems
- Cash and Voucher Assistance — Digital payment data protection
- Cloud Services — Vendor selection, contracts, and security measures
- Cloud and Government Access — CLOUD Act, FISA, and surveillance law analysis
- Mobile Messaging Apps — Metadata risks and platform selection
- Digital Identity — Identity management and function creep risks
- Social Media — Data collection from public platforms
- Blockchain — Immutability vs. the right to erasure
- Connectivity as Aid — Network provision and associated data risks
- Artificial Intelligence — Algorithmic decision-making in humanitarian contexts
Why This Matters Beyond Humanitarian Work
The handbook’s analysis of jurisdiction risks applies to any organisation with sensitive data using US-headquartered cloud providers:
- Healthcare organisations processing patient data
- Educational institutions with student records
- Government agencies with citizen data
- NGOs working with vulnerable populations
- Legal firms with privileged communications
The core finding — that vendor jurisdiction trumps data location — is documented with legal precision rarely found in public sources.
Access
Read the Full Handbook (Open Access PDF) →
Individual chapters can be downloaded separately.
Key Chapter
Chapter 11: Cloud and Government Access — The standalone chapter on jurisdiction risks, CLOUD Act analysis, and mitigation strategies.
Related Resources
- The ICRC and Data Protection — Overview of the ICRC’s data protection framework and office
- ICRC Rules on Personal Data Protection — The ICRC’s internal data protection rules
- ICRC Biometrics Policy — The ICRC’s public policy on biometric data
- Brussels Privacy Hub — Academic partner and co-publisher of earlier editions
