The European General Data Protection Regulation (GDPR) has brought important changes to the legal grounds for data transfers between the EU and the United States. Simultaneously, a new act has come into force in the United States that also affects data transfers between the United States and the EU. This act, the Clarifying Lawful Overseas Use of Data Act (the CLOUD Act), creates legal uncertainty and could lead to violations of the GDPR.
The CLOUD Act – Purpose and Consequences
Over the past several years, a number of U.S. government investigative agencies encountered problems when they needed data relevant to criminal investigations that was held in the EU. In these instances, the data was managed by cloud service providers established in the United States but was not actually stored in the United States. As a result, obtaining the data generally took a long time, or the data was inaccessible altogether because of restrictive local privacy laws.
The CLOUD Act aims to address this issue by allowing U.S. authorities to compel providers subject to U.S. jurisdiction to produce data in their possession, custody or control regardless of where that data is stored. However, such a right potentially conflicts with several EU laws and principles, including the GDPR.
GDPR: Conditions for International Data Transfers
The GDPR allows international data transfers only if certain conditions are met. Under Article 48 of the GDPR, a transfer or disclosure ordered by a court or authority of a third country is recognised only if it is based on an international agreement, such as a Mutual Legal Assistance Treaty (MLAT), in force between that third country and the EU or a member state.
MLATs: Providing for Checks and Balances
The purpose of an MLAT is to create a fair process for sharing information across two jurisdictions. The process is performed by the governmental institutions of the relevant jurisdictions. The United States has entered into numerous MLATs worldwide.
An MLAT between the EU and the United States was signed in 2003 (and has been in force since 2010), ensuring the following:
- that information is provided, while the requested state may limit its obligation to provide assistance;
- that limitations are in place regarding the use of the evidence or information obtained; and
- that states may be asked to keep the request for information confidential if desired by the requesting state.
The MLAT thus establishes limitations and safeguards when data is transferred from the EU to the United States.
After the CLOUD Act: MLATs No Longer Required
Under the CLOUD Act, an order for data can be served directly on the target corporation. Consequently, the MLAT route is no longer needed, and supervision of the process by the governmental institutions of the relevant jurisdictions no longer takes place. Since the MLAT process was generally considered time-consuming and burdensome, this may be viewed as a beneficial change by entities seeking to obtain EU data. However, bypassing the MLAT also means that the checks and balances built into it regarding the exchange of data between the EU and the United States no longer apply.
While the CLOUD Act contains a framework for new executive agreements on international data transfers, these agreements appear to remove legal restrictions rather than establish limitations and safeguards. Furthermore, a country must satisfy several written certifications and wide-ranging requirements before it can enter into such an executive agreement under the CLOUD Act. Therefore, even if a country can meet the requirements, considerable time may pass before an executive agreement is reached.
Legal Uncertainty for EU Corporations
It is currently unclear how an EU corporation should handle a U.S. court order based on the CLOUD Act. It is unlikely that the CLOUD Act itself qualifies as an international agreement of the kind the GDPR requires for such transfers. After all, the CLOUD Act is a unilateral U.S. statute, not an agreement between two countries, and a foreign statute is not a legal basis under Article 6 of the GDPR, which for legal obligations requires a basis in Union or member state law.
New executive agreements between individual EU member states and the United States may take considerable time to conclude, if the relevant country is even able to meet all requirements. An agreement between the EU as a whole and the United States under the CLOUD Act framework could provide a solution, although negotiating on behalf of all member states could be time-consuming as well. Brexit causes additional challenges in this respect.
Motions to Quash or Modify a Data Request
The existence of an executive agreement between the United States and a foreign state also affects the legal remedies available to a target corporation that is asked to provide data. Under the CLOUD Act, such a corporation may file a motion in a U.S. court to modify or quash the order only if certain conditions are met: among others, that the customer or subscriber is not a U.S. person and does not reside in the United States, and that disclosure would create a material risk of violating the laws of a foreign government that has entered into an executive agreement with the United States. If those conditions are met, the court decides whether the 'interests of justice' dictate that the order should be quashed or modified, applying a multi-factor comity analysis that balances the interests of the United States against those of the foreign state. Where no executive agreement is in place, this statutory motion is not available and the corporation is left with the more general comity arguments developed in case law. The outcome of a motion to quash or modify a data request may thus differ depending on whether an executive agreement exists between the United States and the relevant foreign state.
The CLOUD Act creates legal uncertainty on data transfers from the EU to the United States among European corporations that are faced with a court order to transfer data. A rapid solution is not expected, as any required agreement (between either the EU or separate member states and the United States) may take a considerable amount of time. We await EU action for much-needed clarity on this issue.