The European Union, with its new data protection and privacy regulation popularly known as the GDPR, has been dominating compliance news in the past month as commercial establishments the world over struggle to comprehend its requirements and implement new operational procedures. In all the bustle, a very important piece of American legislation has been obscured.
On the 22nd of March, 2018, as part of the trillion-dollar spending bill passed by the United States Congress, the Clarifying Lawful Overseas Use of Data (CLOUD) Act also came into existence. It has been described as a ‘necessary overhaul’ of American digital privacy and security legislation, long accused of having become obsolete.
The CLOUD Act essentially enables law enforcement agencies in the United States to access information and data owned or controlled by American companies, irrespective of where that information is stored or located, without being subject to ‘red tape’ in the form of Congressional oversight or judicial review.
Although this legislation has been claimed to be much needed to supplement the evidentiary and discovery process of judicial proceedings, it has drawn immense criticism from privacy activists who believe that it facilitates a “significant erosion” of freedoms, making it essentially a consumer “privacy upending” framework.
The debate rages ever more vehemently because of the global impact of the GDPR and its privacy protecting requirements.
How it came into existence
The CLOUD Act was a long time coming, mostly because the legislative framework for digital information had become obsolete and was in grave need of amendment. The push came after a major case instituted by the Federal Government of the United States against Microsoft Corporation. In this case, the Department of Justice, while pursuing an investigation and trial against a drug dealer, needed access to his personal data, such as communications and emails. This information was stored at Microsoft’s Irish offices, which hosted its servers in Dublin.
While the Justice Department argued that the emails were controlled by Microsoft Corporation, an American company, and that the drug dealer was also an American citizen, giving the government authority to access his emails, Microsoft argued that the email account in question was created while the suspect was travelling outside the US and, as the emails were hosted on the Dublin servers, American law did not apply.
This case presented the first ambiguities in law enforcement access to personal data that is remotely located and stored.
What the Act says
In order to contextualize the current debate, it is important to have a brief idea of what the legislation provides for that could impact the privacy of data subjects and how it might overlap with the GDPR.
The Act has a direct impact on the processing of and access to personal data stored on remote servers through cloud computing services offered by American firms such as Microsoft, Google, and Amazon. The Act provides for five main functions:
- Foreign law enforcement can have access to personal data collected by American companies without a warrant or notice
- Other countries, meeting qualifications, can demand access to personal data stored by American companies without judicial review of the request
- Bilateral executive agreements between US and other countries allowing foreign nations to seize data stored by American companies while circumventing privacy laws and the MLAT structure
- Foreign nations can collect personal information within US without US privacy law compliance
- Authorizes American law enforcement to access any personal information of any person stored at any location around the world, in control of an American company
Comporting with the GDPR
Both the CLOUD Act and the GDPR are long-arm laws that enforce their provisions and requirements outside their national territories. The issue arises when their reach overlaps, such that personal information made accessible under the CLOUD Act is also protected under the GDPR.
The conflict between the CLOUD Act and the GDPR concerns the basis and extent of access (to EU data subjects’ information) given to US law enforcement authorities. American providers and companies such as Microsoft and Amazon are not only compelled to give access to the personal data they store but are also prevented from giving notice of such access to the data subjects. On the one hand, they face subpoenas and warrants for information access in the US; on the other, they have to justify giving this access to European Data Protection Authorities or be penalized a hefty sum for breach of compliance.
The interpretation given to Legitimate Interests through the various guidelines and case law before the European Union’s Court of Justice further adds to the conundrum. The current understanding is that complying with data access requests from foreign governments and foreign law enforcement authorities is not a legal obligation, nor is it necessarily a justifiable legitimate interest. Thus, American companies would not have legal recourse under the GDPR to harmonize their compliance requirements with those of the CLOUD Act.
Another concern is the conflict between the CLOUD Act, the assurances of the Privacy Shield and the obligations for data privacy under the GDPR. The Privacy Shield is a bilateral framework based on a data sharing agreement between the US and the EU. The executive agreements under the CLOUD Act allow US and foreign law enforcement agencies to bypass this system’s safeguards. Once invoked, such an executive agreement would significantly undermine the adequacy standards of the Privacy Shield framework.
The best course of action for US-based data controllers currently is to initiate proceedings to quash under the CLOUD Act, challenging the access warrant in court on the grounds that it conflicts with GDPR obligations. Simultaneously, controllers should also review and modify their data sharing agreements to curtail contractual liability. Clauses expressly prohibiting data transfer to foreign governments can help demonstrate compliance with the GDPR, even though they may not supersede a CLOUD Act warrant.
The resolution of this conflict between two long-arm laws with extraterritorial reach will come once the matter is presented for interpretation before the American courts. Until then, it would be prudent for controllers to constantly review their internal data management policies and keep a sharp eye on further developments in the enforcement of both regulations.
Co-founder & CEO, CyberImmersions Solutions
The ideas, views and opinions expressed above are those of the author and do not necessarily reflect the opinions or official position of any agency, organization, employer, or company. The views expressed are for informational purposes only. They are not intended to constitute legal advice. For legal reliance on GDPR or CLOUD Act compliance, please consult your attorney.