U.S. CLOUD Act vs. GDPR: Catch 22 for your company?

It is now more than a year since the United States enacted the CLOUD Act (Clarifying Lawful Overseas Use of Data Act). This law gives US authorities the power to request data from US service providers, wherever in the world that data is stored.

The CLOUD Act amends the former Stored Communications Act, which did not explicitly provide for this option. That gap gave rise, among other things, to proceedings against Microsoft concerning data stored in Ireland. Since a transfer of personal data by Microsoft from the EU to the US would be covered by EU data protection rules, the European Commission considered it in the EU's interest to intervene as amicus curiae, so that EU data protection rules would be correctly understood and taken into account by the US Supreme Court. Because the CLOUD Act was enacted in the meantime, those proceedings never reached a final judgment.

It should be immediately clear that the CLOUD Act forces the European Union to take appropriate measures. Data subjects are not sufficiently protected by the GDPR, and European companies are currently forced into an impossible situation.

The US CLOUD Act

What does the CLOUD Act provide?

The powers of national investigative authorities stop at national borders, while the growth of international data storage in the digital world makes it increasingly important to regulate cross-border access to electronic evidence. The detection and prosecution of cybercrime, and the digitisation of evidence for other forms of crime, create a greater need for rapid access to electronic evidence. The current arrangement under traditional international mutual legal assistance does not appear to be efficient enough for this.

The CLOUD Act provides a new framework for US authorities to collect data managed by US companies that offer electronic communications services or “remote computing services” such as cloud services, wherever that data is stored around the world. Because of this wide scope, it may lead to the release of data of US citizens as well as of European citizens, even when that data is stored on European territory. Moreover, it is mainly American providers that offer cloud services, in Europe too, and they therefore hold a substantial share of the data. With this law, US authorities thus have de facto access to a great deal of personal data that in principle falls under the protection of the GDPR.

The United States, in defending the CLOUD Act, argues that a protection mechanism has been built into the law: if an American order to release data conflicts with the legislation of the third country where the data is stored, the provider in question may file a motion to modify or quash the legal process.

But this remedy appears to be rather limited. The procedure is only available insofar as it concerns data of non-US nationals who do not reside in the US. Moreover, it is only open for data located on the territory of a qualifying foreign government, that is, a third country that has concluded a bilateral agreement with the United States under the provisions of the CLOUD Act to facilitate data transfer. In this way the United States pushes third countries to conclude separate agreements with it so that it can obtain useful data in a simple manner.

Even if the provider in question were to start such a procedure, it remains to be seen how an American court will weigh the interests at stake in the event of conflicting rights.

Conflict with the GDPR

A demand under the CLOUD Act for personal data located on European soil will constitute a violation of the GDPR. In Recital 115, the GDPR literally states that third-country legislation with extraterritorial application that directly regulates data transfers is contrary to international law and constitutes an obstacle to the protection of individuals guaranteed by the GDPR. The GDPR does provide possibilities for transfers to third countries, but these options are applied extremely strictly.

American providers will therefore, in many cases, no longer be compatible with the GDPR. After all, the CLOUD Act is not a sufficient legal basis for transferring data to the American authorities. There is no international agreement between the US and the EU, nor with any individual European country, that allows this transfer.

This means that American providers, as well as European-based companies associated with them, face a stalemate. If they transfer data to the American authorities, they violate the GDPR and expose themselves to enormous fines. If they refuse to transfer the data, they expose themselves to sanctions in America. Many European companies that store their data with such an American provider will have to conclude that their data is not protected to the standard the GDPR guarantees.

The Privacy Shield agreement is also entirely at risk. That agreement should in principle provide sufficient protective measures for the processing of personal data by American companies; due to (inter alia) the intervention of the CLOUD Act, those guarantees are no longer sufficient. In July 2018 the European Parliament already adopted a resolution calling on the European Commission to suspend the Privacy Shield agreement, which would mean that companies could no longer use Dropbox, OneDrive, iCloud, Office 365, MailChimp, etc.

European initiatives

The CLOUD Act provides for the possibility of a third country concluding a bilateral treaty with the United States. As a Qualifying Foreign Government, such a country could build various safeguards into the exchange of personal data. This route is not open to individual European countries, however, since negotiating such an international agreement is an exclusive competence of the European Union.

In the meantime, the European Council adopted two recommendations to launch negotiations with, among others, the United States on cross-border access to electronic evidence, in order to help resolve conflicting obligations on service providers and enable them to transfer content data directly to law enforcement authorities in the EU or the United States. The European Data Protection Supervisor has already set out its views on these negotiations in its Opinion 2/2019 of 02/04/2019, with a clear emphasis on robust procedural protection for fundamental rights such as privacy and data protection.

For the time being, it remains to be seen what the outcome of these future negotiations will be.

Impact for the citizen

The major problem of the CLOUD Act for every citizen is that an order to release data carries no transparency obligation. The citizen in question will not know that his or her data has been transferred to the US authorities.

Nor is there any guaranteed prior check.

Companies subject to a release order could separate, in their data storage, the data of American citizens from that of other (e.g. European) citizens. But this in turn creates two different privacy and data protection standards, which cannot be permitted under European regulations. The GDPR remains applicable to all personal data, and the right to privacy remains a fundamental human right that guarantees equal protection without any form of discrimination.

What can you do as a company?

As a company, it is important to determine your strategy regarding where your data is stored and where your company is located.

The CLOUD Act is broad and targets every American company that owns, stores or controls the data. This covers, on the one hand, the various American providers that own or store data, but also all European providers that are controlled by an American provider. Control means the extent to which one company can exercise control over the other: to what extent the companies act as a whole, whether they have common policies, whether one company has access to the other's data in the course of normal business activity, whether there is a relationship of representation, etc.

It is therefore important to check where your providers are located and how they are connected to American companies.

Always examine critically to what extent your providers comply with the GDPR in the context of the CLOUD Act. In doing so, check whether a distinction is made between the data of American citizens and that of other citizens, and to what extent the data of non-American citizens is protected. Also check whether your data is encrypted, so that it remains outside the substantive reach of the US authorities; this only holds if the decryption keys are kept outside the provider's control, since a provider that holds the keys can be ordered to hand over readable data. Where necessary, check whether the service provider agreements need to be amended.

If possible, you should also renegotiate existing clauses to provide for a claim for damages in the event of disclosure of data under the CLOUD Act. In this way, the company can cover itself financially against fines and possible reputational damage.

Questions about GDPR or the U.S. Cloud Act?

Feel free to contact Roeland Lembrechts:  roeland@siriuslegal.be or 0032/2 721 12 00