US CLOUD Act vs. EU GDPR: What you need to know
US CLOUD Act: The U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was passed in 2018, mooting the then-pending U.S. Supreme Court case – United States v. Microsoft (Ireland) – in which Microsoft challenged a warrant from the U.S. federal government requiring it to produce emails stored electronically in Ireland. The Act has two main provisions:
- It amended the U.S. Stored Communications Act (SCA) to expressly allow U.S. law enforcement, through a warrant, subpoena or court order, to access electronically stored communications data located outside the United States.
- It creates a framework under which the United States can enter into bilateral (or executive) agreements with foreign states.
In effect, the CLOUD Act demands data by placing U.S. interests above foreign laws.
EU GDPR: The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA); after Brexit, UK organisations will still need to comply with it. It also addresses the transfer of personal data outside the EU/EEA.
The GDPR intends to protect and strengthen the integrity of the individual and to give people power over their data. It also simplifies the regulatory environment for international business by unifying the regulation within the EU.
UK-US CLOUD Act Agreement: CLOUD Act Agreements, also known as executive agreements (§ 2523 of the CLOUD Act), appear to be bilateral agreements between the President of the United States and a “qualifying foreign government”. The first such foreign government to sign is the UK. This has created other issues.
What are the issues?
There are many, but to simplify we have grouped these:
EU Regulator Review
On July 10, 2019, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published a joint legal assessment on the CLOUD Act and the EU legal framework for data protection. The EDPB and EDPS stated that the CLOUD Act does not contain a sufficient legal basis under the GDPR to justify personal data transfers to the US.
Service Provider implications
Any bilateral agreements entered into under the CLOUD Act will streamline and expedite the information-sharing process between law enforcement agencies, instead of relying on traditionally slower Mutual Legal Assistance Treaty (MLAT) requests. The Act does not allow indiscriminate data collection, and service providers have the right to challenge these amended US SCA orders where they conflict with local law. However, no major cloud provider will welcome such an order.
Where the personal data is stored in the EU, it is also not clear whether the cloud provider can respond to such an order at all, because the provider is likely subject to the GDPR. While most cloud providers act as a processor under the GDPR and are subject only to more limited obligations, they are still bound by the restrictions on transferring personal data to third countries, such as the United States.
This means that any cloud provider responding to an SCA order runs a real risk of breaching the GDPR. This in turn raises the prospect of fines of up to €20 million or 4% of annual worldwide turnover. Given the sensitivity of this issue and the desire to protect the EU’s “data sovereignty”, the prospect of very significant sanctions is quite plausible.
Added to this is the risk that the cloud provider will be in breach of contract. Under Article 28(3)(a) of the GDPR, the cloud provider must have a contract with their customer that commits them to only disclose personal data in response to a legal request if that request arises under EU or Member State law. Disclosing data under an SCA order risks breaching that contractual obligation.
What about non-personal data?
The focus of this article is on personal data. The position would be different if the U.S. authorities were seeking non-personal data, such as financial information, which falls outside the protection of the GDPR. However, few orders will solely encompass non-personal data – in most cases non-personal data will be mixed up with personal data.
What should EU/UK businesses using online IT Services do?
UK and European businesses using external providers of electronic communication or remote computing services want certainty of GDPR compliance, either for internal assurance or for client warranties. The safest approach is to:
(a) solely use cloud Service Providers (SPs) located entirely within the EU, and/or
(b) use SP software/service capabilities running on their own internally controlled infrastructure.
Either approach (EU SP or On-Premise/hybrid Cloud) should also be fully branded at all service levels, with not just organisational look and feel but also promotion of appropriate certifications. [The best providers offer these options as standard]
To do otherwise obliges an organisation to conduct a full risk review involving its Legal, Information Security and Risk/Compliance departments. Such a review can delay change projects for months, and its results will be inconclusive because of the inherent conflicts between the US CLOUD Act and the EU GDPR until governments change the legislation. There may also be hidden costs from designing new process workarounds to avoid the worst data exposures.
We have seen in organisations handling financial or sensitive data that the cost of such a risk review will often outweigh the entire cost of the service for many years. It is often simpler, cheaper and more compliant to procure from an efficient local provider.
A fuller discussion of the background and issues is provided by the data protection legal specialists activeMind¹ here: US CLOUD Act vs. EU GDPR
Contact us for practical solutions.
1. activeMind.legal is an independent law firm, based in London and Germany, that advises companies from all over the world on UK and European data protection law and international data transfer.