The CLOUD Act gives U.S. law enforcement authorities the power to request data stored by most major cloud providers, even if it is outside the United States. This extra-territorial compulsion has raised concerns about the safety of the information in the cloud and potential conflicts with the EU General Data Protection Regulation (GDPR). We consider the recent opinion from European data protection regulators and the various safeguards in the Act, to see if these fears are merited.
What does the CLOUD Act do?
The U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act) was passed in 2018, mooting the then pending U.S. Supreme Court case – United States. v. Microsoft (Ireland) – in which Microsoft challenged a warrant from the U.S. federal government requiring it to produce emails stored electronically in Ireland. The Act has two main provisions:
- It amended the U.S. Stored Communications Act (SCA) to expressly allow U.S. law enforcement through a warrant, subpoena or court order to access electronically-stored communications data located outside the United States provided that the information sought is relevant and material to an ongoing criminal investigation. These powers apply to any provider of an electronic communication service or remote computing service who is subject to U.S. jurisdiction, which includes all major U.S. cloud companies. This extra-territorial application of the SCA rendered the Microsoft Ireland case moot.
- It creates a framework under which the United States can enter into bilateral (or executive) agreements with foreign states. Those agreements would allow law enforcement authorities in the United States and the foreign state to make requests directly to local law enforcement and service providers located in the other jurisdiction. In other words, a foreign government could directly contact a service provider or local U.S. law enforcement to request information stored in the United States, and likewise the U.S. government could directly contact a foreign service provider or local law enforcement to request information stored in the foreign country. No such agreements have been passed yet, but the UK has passed the Crime (Overseas Production Orders) Act 2019 in anticipation of these bilateral arrangements.
While companies may have some concerns about U.S. law enforcement’s extra-territorial powers to obtain data stored in other jurisdictions under the CLOUD Act, the Act does not impose new obligations on U.S. or foreign communications service providers. First, the CLOUD Act does not create U.S. jurisdiction where there was none before, and second, bilateral agreements entered into under the CLOUD Act will only streamline and expedite the information-sharing process between foreign law enforcement agencies, instead of relying on traditionally slower Mutual Legal Assistance Treaty (MLAT) requests.
Moreover, the CLOUD Act is balanced by a number of safeguards intended to prevent abuse. For example, an SCA order seeking the stored contents of communications must be for specific data – it will only be granted where the government can establish “probable cause” that a particular criminal offence has been committed and there is “reasonable belief” or justification that the information sought is “relevant and material” to that ongoing criminal investigation. In the Microsoft Ireland case, a judge had issued an SCA warrant after finding “probable cause” to believe the electronic communications sought were related to the commission of a drug-trafficking offence. It thus does not allow mass and indiscriminate collection of communications data. In addition, service providers have the right to challenge these SCA orders where they conflict with local law. This is discussed below.
Where is your data?
The starting point to assess the impact of the CLOUD Act is to determine where your data is stored. If that data is stored in the United States, the Act makes no difference. That data is potentially subject to production to U.S. authorities in much the same way as it was prior to the passing of the Act, subject to any protection from Standard Contractual Clauses or the EU-U.S. Privacy Shield.
In contrast, if your data is stored in the EU (or another non-U.S. jurisdiction) the CLOUD Act is more significant and makes it clear that data stored outside the United States might be subject to an SCA order.
Does this conflict with GDPR?
No major cloud provider will welcome such an order. Where personal data is stored in the EU it is also not clear if they can respond to it.
This is because the cloud provider is likely subject to the GDPR. While most cloud providers act as a processor under the GDPR and are subject to only more limited obligations, they are still subject to the restrictions on the transferring of personal data to third countries, such as the United States.
The European Data Protection Board (the representative body of EU data protection regulators) and the European Data Protection Supervisor considered the interaction between the CLOUD Act recently (the Opinion) and concluded that only in very limited cases would a cloud provider be able to respond to an SCA order.
This is because Article 48 of the GDPR expressly states that a foreign court order or decision of an administrative authority, including an SCA order, will not be automatically recognised and enforced in the EU, unless made under MLATs.
Instead, the transfer is subject to the normal rules and can only be made where there is a lawful basis under Article 6 and one of the derogations in Article 49 of the GDPR applies. Establishing a lawful basis is particularly challenging. The Opinion addresses the following options:
- Legal obligation – An SCA order will not provide a legal basis for the purpose of the GDPR as the obligation does not arise under EU or Member State law (Article 6(1)(c)).
- Vital interests – It may be possible for the cloud provider to transfer personal data in an emergency situation where there is a threat to life or physical harm. However, these situations will be rare and even then the Opinion still suggests that these transfers should be made under an MLAT (Article 6(d)).
- Performance of a task in the public interest – This will not apply as it only captures the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller, under EU or Member State law (Article 6(1)(e)).
- Legitimate interests – The assessment of whether the disclosing of personal data under an SCA order is in the legitimate interests of the cloud provider and U.S. authority, and is not outweighed by the interests of the individual, will inevitably require a subjective assessment based on the facts. However, in many cases, these facts will be confidential and sensitive and U.S. authorities will not want to disclose all the background to the cloud provider to make that assessment. Even then, these requests take place outside an international framework so the Opinion suggests this basis will be rarely satisfied: “the EDPB and the EDPS take the view that the interests or fundamental rights and freedoms of the data subject would override the controller interest such as not to be sanctioned by the US for eventual non-compliance with the request” (Article 6(1)(f).
This means that any cloud provider responding to an SCA order runs a real risk of breaching the GDPR. This in turn raises the prospect of fines of up to €20 million or 4% of annual worldwide turnover. Given the sensitivity of this issue and the desire to protect the EU’s “data sovereignty”, the prospect of very significant sanctions is quite plausible.
Added to this is the risk that the cloud provider will be in breach of contract. Under Article 28(3)(a) of the GDPR, the cloud provider must have a contract with their customer that commits them to only disclose personal data in response to a legal request if that request arises under EU or Member State law. Disclosing data under an SCA order risks breaching that contractual obligation.
Does that leave cloud providers between a rock and hard place?
This potentially forces cloud providers to be stuck between a rock and a hard place. However, the CLOUD Act provides an escape route allowing the cloud provider to challenge an SCA order on the basis of:
- common law comity analysis – This will involve a range of factors including the importance of the information, the specificity of the request, whether the information originated in the United States, the availability of alternative means to obtain the information and the U.S. and foreign interests at stake. However, this challenge is not possible where the data is located in a country that has signed a bi-lateral agreement with the United States (though, importantly, none have to date); and
- material risk of violating foreign laws – A request can be challenged where the disclosure would create a material risk of violating foreign laws, though this is subject to various limitations, including that the customer is not a U.S. person.
Given the potential for significant sanctions for breach of the GDPR and breach of contract, and the cloud provider’s likely commercial desire to be seen a safe and respectful custodian of its customers’ data, there are good reasons to believe that cloud providers would want to challenge an SCA order in many situations.
What will happen in practice and can technology help?
A final question is what will happen if an SCA order is issued for data stored in an EU cloud by a legitimate business.
In Microsoft Ireland, the email account was alleged to have been used for drug-trafficking and the emails stored in Ireland initially evaded U.S. law enforcement because it was unclear whether SCA orders applied extra-territorially at the time. The U.S. authorities could have ordered the account holder to hand over the emails, but that would have alerted the alleged drug-trafficker to the investigation and may have been ignored.
In contrast, where the cloud is used by a legitimate business subject to U.S. jurisdiction, it will often be much easier for U.S. authorities to ask that business directly for the data. The business may be less likely to challenge such a request and more likely to find and disclose the information actually sought (rather than U.S. authorities having to trawl through masses of cloud data to find the relevant information).
There are further technical measures that businesses can use to protect themselves, for example by encrypting the data they store in the cloud. The extent to which this will absolutely prevent the cloud provider from disclosing that information in unencrypted form will depend on the service being provided and the technical means to encrypt the data. However, at the least, it will make that data harder to access and increase the attractiveness of the U.S. authorities approaching a business directly.
What about non-personal data and other laws?
The focus of this article so far has been on personal data. The position would be different if the U.S. authorities were seeking non-personal data, such as financial information, which falls outside the protection of the GDPR.
However, few orders will solely encompass non-personal data – in most cases non-personal data will be mixed up with personal data. The cloud provider must also consider national laws within the EU that might potentially prevent the disclosure of that data to U.S. authorities, such as the French Blocking Statute.
The CLOUD Act puts beyond doubt the right of U.S. authorities to issue SCA orders against most major cloud providers in respect of data stored outside the United States.
However, given the combination of the safeguards within that Act and the GDPR there are good reasons to believe that legitimate businesses storing data in the EU should not be unduly concerned.