The U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was passed in 2018, mooting the then pending U.S. Supreme Court case – United States v. Microsoft (Ireland)[1] – in which Microsoft challenged a warrant from the U.S. federal government requiring it to produce emails stored electronically in Ireland. The Act has two main provisions:
While companies may have some concerns about U.S. law enforcement’s extra-territorial powers to obtain data stored in other jurisdictions under the CLOUD Act, the Act does not impose new obligations on U.S. or foreign communications service providers. First, the CLOUD Act does not create U.S. jurisdiction where there was none before, and second, bilateral agreements entered into under the CLOUD Act will only streamline and expedite the information-sharing process between foreign law enforcement agencies, instead of relying on traditionally slower Mutual Legal Assistance Treaty (MLAT) requests.[3]
Moreover, the CLOUD Act is balanced by a number of safeguards intended to prevent abuse. For example, an SCA order seeking the stored contents of communications must be for specific data – it will only be granted where the government can establish “probable cause” that a particular criminal offence has been committed and there is “reasonable belief” or justification that the information sought is “relevant and material” to that ongoing criminal investigation. In the Microsoft Ireland case, a judge had issued an SCA warrant after finding “probable cause” to believe the electronic communications sought were related to the commission of a drug-trafficking offence. It thus does not allow mass and indiscriminate collection of communications data. In addition, service providers have the right to challenge these SCA orders where they conflict with local law. This is discussed below.
The starting point to assess the impact of the CLOUD Act is to determine where your data is stored. If that data is stored in the United States, the Act makes no difference. That data is potentially subject to production to U.S. authorities in much the same way as it was prior to the passing of the Act, subject to any protection from Standard Contractual Clauses or the EU-U.S. Privacy Shield.
In contrast, if your data is stored in the EU (or another non-U.S. jurisdiction) the CLOUD Act is more significant and makes it clear that data stored outside the United States might be subject to an SCA order.
No major cloud provider will welcome such an order. Where personal data is stored in the EU, it is also not clear whether the provider can lawfully respond to it.
This is because the cloud provider is likely subject to the GDPR. While most cloud providers act as a processor under the GDPR and are subject to only more limited obligations, they are still subject to the restrictions on the transferring of personal data to third countries, such as the United States.
The European Data Protection Board (the representative body of EU data protection regulators) and the European Data Protection Supervisor recently considered the interaction between the CLOUD Act and the GDPR (the Opinion)[4] and concluded that only in very limited cases would a cloud provider be able to respond to an SCA order.
This is because Article 48 of the GDPR expressly states that a foreign court order or decision of an administrative authority, including an SCA order, will not be automatically recognised and enforced in the EU, unless made under MLATs.
Instead, the transfer is subject to the normal rules and can only be made where there is a lawful basis under Article 6 and one of the derogations in Article 49 of the GDPR applies. Establishing a lawful basis is particularly challenging. The Opinion addresses the following options:
This means that any cloud provider responding to an SCA order runs a real risk of breaching the GDPR. This in turn raises the prospect of fines of up to €20 million or 4% of annual worldwide turnover. Given the sensitivity of this issue and the desire to protect the EU’s “data sovereignty”, the prospect of very significant sanctions is quite plausible.
Added to this is the risk that the cloud provider will be in breach of contract. Under Article 28(3)(a) of the GDPR, the cloud provider must have a contract with their customer that commits them to only disclose personal data in response to a legal request if that request arises under EU or Member State law. Disclosing data under an SCA order risks breaching that contractual obligation.
This potentially forces cloud providers to be stuck between a rock and a hard place. However, the CLOUD Act provides an escape route allowing the cloud provider to challenge an SCA order on the basis of:
Given the potential for significant sanctions for breach of the GDPR and breach of contract, and the cloud provider’s likely commercial desire to be seen as a safe and respectful custodian of its customers’ data, there are good reasons to believe that cloud providers would want to challenge an SCA order in many situations.
A final question is what will happen if an SCA order is issued for data stored in an EU cloud by a legitimate business.
In Microsoft Ireland, the email account was alleged to have been used for drug-trafficking and the emails stored in Ireland initially evaded U.S. law enforcement because it was unclear whether SCA orders applied extra-territorially at the time. The U.S. authorities could have ordered the account holder to hand over the emails, but that would have alerted the alleged drug-trafficker to the investigation and may have been ignored.
In contrast, where the cloud is used by a legitimate business subject to U.S. jurisdiction, it will often be much easier for U.S. authorities to ask that business directly for the data. The business may be less likely to challenge such a request and more likely to find and disclose the information actually sought (rather than U.S. authorities having to trawl through masses of cloud data to find the relevant information).
There are further technical measures that businesses can use to protect themselves, for example by encrypting the data they store in the cloud. The extent to which this will absolutely prevent the cloud provider from disclosing that information in unencrypted form will depend on the service being provided and the technical means used to encrypt the data. However, at the least, it will make that data harder to access and make it more attractive for U.S. authorities to approach the business directly.
The focus of this article so far has been on personal data. The position would be different if the U.S. authorities were seeking non-personal data, such as financial information, which falls outside the protection of the GDPR.
However, few orders will solely encompass non-personal data – in most cases non-personal data will be mixed with personal data. The cloud provider must also consider national laws within the EU that might prevent the disclosure of that data to U.S. authorities, such as the French Blocking Statute.
The CLOUD Act puts beyond doubt the right of U.S. authorities to issue SCA orders against most major cloud providers in respect of data stored outside the United States.
However, given the combination of the safeguards within that Act and the GDPR there are good reasons to believe that legitimate businesses storing data in the EU should not be unduly concerned.