Is the U.S. CLOUD Act compatible with the requirements of the EU General Data Protection Regulation (GDPR)? And what does the CLOUD Act mean for European businesses if they rely on U.S. service providers? The following is an overview with specific tips for data protection practice in companies.
What is the CLOUD Act?
On 23 March 2018, two months before the GDPR became applicable, the Clarifying Lawful Overseas Use of Data Act (better known as the CLOUD Act) was signed into law in the United States. Its aim is to modernize U.S. surveillance and privacy law to reflect the widespread use of cloud services.
This was only one month after the U.S. Supreme Court heard oral argument in the so-called Microsoft Ireland case. One of the questions raised there was whether data stored outside the U.S. can be reached by a warrant issued by the U.S. government. The CLOUD Act answers that question: service providers must disclose data stored on their servers outside the U.S. when U.S. law enforcement demands it by warrant or court order.
The CLOUD Act provides that U.S. law enforcement authorities may, where a crime is suspected, compel technology companies subject to U.S. jurisdiction to hand over personal data by means of warrants or court orders, regardless of where the data is located. A service provider must therefore disclose any information relating to a customer that is within the provider's possession, custody or control, "regardless of whether such communication, record, or other information is located within or outside of the United States".
Consequently, U.S. authorities may gain access to, and process, large quantities of personal data belonging to EU citizens. From a U.S. perspective, the purpose is to ensure that U.S. companies comply with U.S. law regardless of where their servers are located and whose data is stored on them, and to speed up access to data for law enforcement purposes.
The difficulty is that the CLOUD Act simply bypasses foreign data protection rules, leaving businesses in a conflict of laws: they must protect personal data under the GDPR while also complying with U.S. law enforcement requests.
Why does the US CLOUD Act conflict with the GDPR?
The GDPR is intended to protect the individual and to give people control over their data, whereas the CLOUD Act demands data by placing U.S. interests above foreign laws. The GDPR imposes strict requirements on transfers of personal data to third countries (Chapter V GDPR), and, in principle, any processing of personal data, including a transfer, requires a legal basis under Art. 6 GDPR.
The CLOUD Act specifically contemplates court orders or warrants requiring the transfer of personal data without recourse to a Mutual Legal Assistance Treaty (MLAT). However, the European Data Protection Board (EDPB) concluded that "service providers subject to EU law cannot legally base the disclosure and transfer of personal data to the US on such requests." Under Article 48 GDPR, a judgment or decision of a third-country court or authority requiring the transfer of personal data may only be recognised or enforced if it is based on an international agreement, such as an MLAT. The EDPB also examined the other legal bases in Art. 6 GDPR and found that, as a rule, none of them supports such a disclosure.
For instance, protecting the vital interests of the data subject or of another natural person can, in specific and established circumstances, provide a sufficient legal basis (Art. 6(1)(d) GDPR). Recital 46 GDPR explains, however, that this basis should be relied on only where the processing cannot be based on another legal basis. For CLOUD Act requests, the EU-US MLAT provides that other legal basis and should be used instead.
Furthermore, the GDPR permits processing where the legitimate interests of the controller are not overridden by the interests or fundamental rights and freedoms of the data subject (Art. 6(1)(f) GDPR). The EDPB takes the view, however, that the data subject's interests and fundamental rights would override the controller's interest in, for example, avoiding U.S. sanctions for non-compliance with the request. Legitimate interest is therefore also an insufficient legal basis from a GDPR point of view.
The GDPR and the CLOUD Act therefore clash in particular over the GDPR's strict requirement of a legal basis for data processing. From a GDPR compliance point of view, a warrant issued under the CLOUD Act is acceptable only if it is recognised and made enforceable on the basis of the EU-US MLAT.
Is the opportunity to quash or modify a US CLOUD Act warrant relevant for European businesses?
The CLOUD Act provides a procedure, available only in limited circumstances and subject to several conditions, under which a service provider may file a motion to quash or modify a warrant. This applies where the provider reasonably believes that the customer or subscriber is not a U.S. person and does not reside in the U.S., and that the required disclosure would create a material risk that the provider would violate the laws of a "qualifying foreign government", i.e. a government with which the U.S. has concluded an executive agreement under the Act. The conditions are strict and the procedure may be quite complicated.
It is therefore difficult to predict how far service providers will contest warrants, and such motions are unlikely to succeed in many cases. Moreover, this path is merely an option for U.S. service providers and by no means an obligation. European businesses therefore have no assurance that data of EU citizens will not be transferred to the U.S. in violation of the GDPR.
What are the consequences for European businesses?
Service providers should generally refuse direct requests from third-country authorities and refer them to the existing MLAT. A service provider receiving a request from U.S. law enforcement cannot safeguard data protection as effectively as a public authority, which is both able and obliged to do so; a business receiving such a request should therefore decline to hand over personal data and refer the matter to the competent public authority. The EU-US MLAT contains strong procedural and substantive fundamental rights safeguards and appears to be the most appropriate instrument to ensure the necessary level of protection for EU data subjects and legal certainty for businesses. Unless a CLOUD Act warrant is recognised or made enforceable on the basis of the MLAT, and thus constitutes a legal obligation within the meaning of the GDPR, the lawfulness of the processing cannot be established.
European businesses using U.S. service providers must be aware that secure, GDPR-compliant data processing can no longer be guaranteed. Businesses that care about the confidentiality and integrity of their sensitive data, such as trade secrets and clients' personal data, are increasingly concerned about this conflict of laws. Greater weight is therefore placed on where a cloud provider's registered head office is located, and for data protection reasons EU service providers are preferable.
What should European businesses do?
Strictly speaking, European businesses risk infringing the GDPR when using U.S. cloud services. Those using U.S. service providers should evaluate the risks of doing so and decide whether they are acceptable. Many of the giants in cloud services and IT, such as Google, Microsoft and Amazon, are U.S. companies with data centres within the EU. Both the CLOUD Act and the GDPR apply to them, and there is no legal solution telling them how to act: confronted with a CLOUD Act warrant, they will have to violate either the CLOUD Act or the GDPR.
It may be beneficial for European businesses to choose a local EU cloud or hosting provider that is subject to the GDPR and outside U.S. jurisdiction. This is especially true for organisations handling extremely sensitive data, such as public authorities, municipalities, banks, health care providers and insurance companies.