Engage customers first. Governments should seek data directly from enterprise customers as opposed to cloud service providers other than in exceptional circumstances.
Right to notice. When governments seek to access customer data directly from a cloud service provider, customers of the provider should have a right to advance notice of government access to their data, which only can be delayed in exceptional circumstances.
Cloud providers should have a way to protect their customers. The industry should develop a clear process for cloud service providers to challenge government access requests for customer data, including notifying relevant data protection authorities.
Governments should address potential legal conflicts. Governments should create ways to raise and resolve conflicts with each other so that a cloud service provider’s legal compliance in one country does not amount to a violation of law in another.
Support for cross-border data flows. Governments should support the cross-border flow of data as an engine of innovation, efficiency, and security, and avoid data residency requirements.