For domestic criminal investigations, law enforcement often wants to gain access to data that is stored beyond its borders. The problem is that data access across borders is sometimes not in harmony with international human rights agreements and the data protection rules of specific nations.
To allow criminal law enforcement operations to access communication data that lies beyond US borders, the Clarifying Lawful Overseas Use of Data (CLOUD) Act was signed by President Donald Trump in March 2018. The core reason that this Act was advanced is because of a US Supreme Court case, United States v. Microsoft.
The case had to do with data that was being stored in Ireland by Microsoft. The EU’s General Data Protection Regulation (GDPR) safeguards personal data, and the transfer of the data to the United States would have to meet its rules. The European Commission wanted to ensure that the US Supreme Court would be aware of the guidelines of the GDPR and would treat the situation accordingly. The case drew to a conclusion, though, when the US CLOUD Act was passed.
The European Union must now take steps to ensure that GDPR protections will be upheld. Corporations in both the US and Europe are in an extraordinarily tricky situation, and the GDPR’s mandates are not able to adequately protect data subjects.
Amending the ECPA
The CLOUD Act updates the Electronic Communications Privacy Act (ECPA), a 1986 series of laws that created rules for trans-border data access by US law enforcement. Prior to the CLOUD Act, the US had to have a mutual legal-assistance treaty (MLAT) in place with another nation in order to access data. An MLAT is an agreement between two or more countries that establishes how they are each going to assist in investigations by law enforcement. A two-thirds-approval vote by the Senate is required to enact an MLAT.
The CLOUD Act allows all law enforcement investigators, whether they are at a federal agency or local police department, to get communications data stored in any location from a tech firm.
CLOUD also makes it possible for the executive branch to sign agreements with other nations to get access to data stored outside US borders, regardless of the privacy laws within those countries. No congressional approval is required for these executive agreements.
Again, it was the Microsoft case that made the issue of trans-border access more prominent. United States v. Microsoft involved a 2013 warrant that the FBI issued to Microsoft in order to access data that was stored in Ireland. Microsoft did not comply with the warrant because it claimed that the data center was not within US jurisdiction. The CLOUD Act effectively decided the Microsoft case in the United States’ favor by rendering the case moot.
The handling of data privacy across borders was changed significantly by CLOUD. Regardless of where data is stored, the United States will be able to collect it from US companies. Plus, once foreign nations have agreements with the US, they will be able to access data that US companies are storing within their borders.
The CLOUD Act was specifically an amendment to the Stored Communications Act (SCA) of 1986 (Title II of the ECPA). The SCA had created privacy protections for communications data that was retained by Internet service providers. The CLOUD Act mandates that no matter where data is stored, organizations have to meet the demands of search warrants described within the SCA.
Use cases – when does the CLOUD Act apply?
A US law enforcement agency may issue a subpoena or warrant to a US corporation that provides remote computing services or electronic communication services, relating to data that is stored by a subsidiary of the corporation located within the European Union. That data might include the data of EU individuals, so does it have to be produced? Of critical importance is the way that the company is organized – how the overseas companies are related to the parent corporation. The CLOUD Act would require that the data be disclosed if the US corporation has control over, custody of, or possession of the information.
Here are a couple of use cases that might be helpful:
Use case 1: Disaster recovery solutions with limited access to US corporate parent data, or 24/7 worldwide vendor solutions
A disaster recovery service may generally store data outside US boundaries, except when a backup instance located in the United States is needed. There are also vendors that deliver a service from different jurisdictions at different times of the day. How does the CLOUD Act apply to these types of services?
The key concern with these types of setups is whether the US parent corporation can access the data at a specific time on a daily basis. Assuming it does, it is simply a matter of the government waiting for the access to be in place.
Use case 2: No data access from a US corporate parent for data stored with an EU-based subsidiary
The CLOUD Act would likely not apply to data under these conditions:
- It is impossible technically for the US-based parent to access data from the subsidiary remotely.
- The corporate parent’s IT network and that of the affiliate are completely distinct and segmented from one another.
- The affiliate’s operations are 100% independent from the parent’s, it does not do business in the United States, and its offices are all within the EU.
CLOUD Act compliance & GDPR compliance
Demanding personal data that is held within EU countries violates the GDPR. The GDPR’s safeguards for individuals are in conflict with any legislation of an outside nation that asserts control over data transfers through extraterritorial application, per the GDPR’s Recital 115. The GDPR permits data transfers to outside nations only in very limited circumstances.
Because that is the case, US-based companies will now not be able to follow the GDPR. The transfer of data to US law enforcement that is described within the CLOUD Act is simply insufficient as a legal basis. The transfer of data is not backed by agreements between the US and any European nation, or between the US and the EU as a whole.
Companies that are based in Europe and affiliated with US providers, as well as US providers themselves, are in a very difficult legal position. If these organizations decide not to comply with CLOUD warrants, they will run afoul of US law. On the other hand, if they do comply with the data transfer requests, they could face huge fines for violating the GDPR. For cases in which a US provider is used for data storage by a company in an EU nation, they will find that the GDPR protection mandates are no longer being met in those settings.
An organization that complies with a US-based warrant under CLOUD could be violating the GDPR, whether the organization is a processor in the US that is storing within its own cloud or is a controller that is using a service provider in the US.
A service provider based in the US could try to quash the warrant using the process that is described within the CLOUD Act. Principles of comity could be used by a provider to challenge a CLOUD warrant or non-compliance contempt order, even in instances in which the data is within a nation that has signed an executive agreement with the US.
To reduce liability, data sharing agreements with cloud customers and providers may need to be adjusted by controllers that are in relationships with providers based in the United States. It may also make sense for a controller to place a provision that objects to transfers based on government requests or made to other nations within their data processing agreements. In this way, the controller can make it clear to regulators that they were not responsible for noncompliant data processing related to EU residents, even if the provider complies with a CLOUD warrant and discloses the data.
The CLOUD Act also problematizes the Privacy Shield agreement. In theory, personal data processing by US-based firms should be safeguarded by Privacy Shield. However, its stipulations no longer carry the same weight with the CLOUD Act in place. In July 2018 the European Parliament passed a resolution calling on the European Commission to suspend the Privacy Shield agreement. Under that resolution, Office 365, OneDrive, iCloud, Dropbox, MailChimp, and similar services could no longer be used.
EDPS and EDPB determinations related to CLOUD compliance
The European Data Protection Supervisor (EDPS) and European Data Protection Board (EDPB) released a legal analysis of the CLOUD Act related to the GDPR on July 10, 2019. The findings were essentially that the privacy protections within CLOUD are “too soft.”
The European regulators determined that compliance with EU law, including the GDPR, was at odds with CLOUD Act compliance. In their assessment, the EU bodies found that an MLAT or other international agreement would be necessary in order for the requirements of Article 48 of the GDPR (which covers disclosures and transfers that are not authorized by EU law) to be met.
The regulators determined that service providers that had to meet the parameters of the GDPR would not be in compliance if they transferred data in the absence of an MLAT. The regulators proceeded to evaluate whether organizations might be able to comply with CLOUD warrants if the data processing had a legal basis (GDPR Article 6) and if it would comply with Chapter V’s provisions (GDPR Article 49). The regulators were unable to establish a legal basis using four approaches. They were also unable to establish that the transfer was necessary.
Best practices for US & EU compliance
It has become more important to think strategically about where your company is located and where your data is located. Corporations operating in multiple jurisdictions should perform due diligence on how service providers are organized before contracting with providers of remote computing or worldwide electronic communication services. The ways in which your providers are connected with US-based firms are critical, as is their location.
Any US-based corporation that possesses, monitors, or retains data is covered under the CLOUD Act. Under CLOUD’s umbrella are all the EU-based providers that are controlled by US providers with data ownership or storage, as well as the US providers themselves. The understanding of data control has to do with the degree of direct control, the degree to which it is a representative relationship, whether there is data access by one company of another within typical economic operations, whether there are common policies in place, and the degree to which the organizations behave as a single unit.
For data that is stored with EU subsidiaries, make a determination as to whether it is in the control, custody, or possession of the US parent organization. If that is the case, it can be a good idea to adjust agreements so that there is less US access to data stored outside the US. It is helpful if no one at a keyboard within the US can access data that is held by non-US organizations beyond US borders. Data that is beyond the US should be segregated both logically and physically (siloed), which should be indicated in the agreements. It should also be clear in the agreements that the data is inaccessible from the United States.
When such service providers are used, the agreement should require the US service provider to notify the recipient of the service when a CLOUD Act warrant is received, except in cases in which notification is unlawful. So that you are protected from damages if there is a CLOUD Act disclosure, renegotiate the agreement to include a provision for those cases. That measure protects both your credibility and your company from fines.
In the wake of the CLOUD Act, be painstaking in your analysis of the GDPR compliance of your providers. Check on the degree to which there are safeguards for the data of non-US citizens, and determine whether the data of citizens of the US and other nations is separated.
Know whether encryption is in place for data, so that it is protected from US law enforcement. Determine if you need to update agreements with your service providers to meet that requirement. Encryption in transit, encryption at rest, and other core security techniques should be used whenever highly sensitive data will be stored within a cloud system. Except when the controller gives permission to the US service provider, encryption key management should be inaccessible to the provider. The service recipient (which controls the cloud data) must have complete control of the keys.
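As an added illustration of the key-management point above (example code written for this page, not code from Revision Legal or from any provider), the controller encrypts each object client-side with an AES-256-GCM key it alone holds, so everything the provider stores, and could therefore disclose, is ciphertext. The ProviderStore type, the object ids and the key are constructed assumptions for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// ProviderStore stands in for the US provider's object storage (constructed for this
// example): it only ever receives ciphertext and holds no key material.
type ProviderStore map[string][]byte

// Disclose is all the provider could hand over on a request: the blob exactly as stored.
func (p ProviderStore) Disclose(id string) ([]byte, bool) { b, ok := p[id]; return b, ok }

// Controller wraps the AES-256-GCM key, which the service recipient generates and
// retains; the key is never shared with the provider.
type Controller struct{ aead cipher.AEAD }

func NewController(key []byte) (*Controller, error) {
	block, err := aes.NewCipher(key) // needs a 16/24/32-byte key; 32 bytes gives AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Controller{aead: aead}, err
}

// Upload encrypts before the data leaves the controller and stores nonce||ciphertext||tag.
// The object id is bound as associated data so a blob cannot be moved between ids unnoticed.
func (c *Controller) Upload(p ProviderStore, id string, plaintext []byte) error {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	p[id] = c.aead.Seal(nonce, nonce, plaintext, []byte(id))
	return nil
}

// Download fetches the stored blob and decrypts it with the controller-held key.
// With a different key, or a blob copied to another id, Open fails authentication.
func (c *Controller) Download(p ProviderStore, id string) ([]byte, error) {
	blob, ok := p.Disclose(id)
	ns := c.aead.NonceSize()
	if !ok || len(blob) < ns {
		return nil, errors.New("object missing or malformed")
	}
	return c.aead.Open(nil, blob[:ns], blob[ns:], []byte(id))
}
```

A disclosure by the provider under a warrant yields only what Disclose returns, which is useless without the controller's key.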
While complying with both CLOUD and the GDPR is challenging, you can set yourself up for success with the above approaches. Do you need further assistance in protecting yourself, given the ways in which these two laws conflict? At Revision Legal, we understand the connections between law, technology, and business. Contact our Internet and Privacy Lawyers with the form on this page or call us at 855-473-8474.