Restrictive position on the legitimacy of data transfers to US investigating authorities – EDPB

In a 10 July 2019 letter to the European Parliament's Committee on Civil Liberties, Justice, and Home Affairs (LIBE), the European Data Protection Board (EDPB) took a position on the first legal analysis of the impact of the US CLOUD Act relating to the EU's legal framework for the protection of personal data, stating that protection of data subjects in the EU and creating legal certainty for European businesses can only be ensured through an international agreement that is in keeping with data protection law, and promotes strong procedures safeguarding fundamental rights.

The adoption of the CLOUD Act by the US Congress in March 2018, which enables US law enforcement authorities under certain conditions to demand the disclosure of customer data by US providers outside US territory, has given rise to data protection concerns relating to the EU's General Data Protection Regulation (GDPR), particularly for users of cloud services.

Ultimately, the EDPB recommends an international agreement on data protection and data transfers that is supported by the European Data Protection Supervisor (EDPS). Under EU law, US-mandated data transfers are possible only within very narrow limits. Due to the provisions of the GDPR, the legitimacy of a relevant processing activity cannot at this time be established, unless an order by a US court is recognised or made enforceable on the basis of an international agreement and can therefore be considered a legal obligation under Article 6(1)(c) GDPR or circumstances arise that make a processing activity necessary to protect the vital interests of the data subject on the basis of Article 6(1)(d) GDPR in conjunction with Article 49(1)(f).

Disclosure of customer data by the CLOUD Act

The "Clarifying Lawful Overseas Use of Data Act" (CLOUD Act), adopted by the US Congress on 22 March 2018 as a supplement to the 1986 "Stored Communications Act" (SCA), was passed to give US investigating authorities cross-border access to electronic data and to resolve potential conflicts between different legal systems in the event of disclosure orders. For this purpose, the existing provisions in Title 18 United States Code (USC) §§ 2703ff. were supplemented with individual provisions that require US providers to disclose data stored outside US territory.

The new SCA regulations specify when US providers can be compelled to disclose electronic communications stored abroad. In accordance with the new § 2713 USC, providers – especially in the area of cloud computing – are now subject to SCA standardised obligations to preserve, backup or disclose communication data, records or other information under their control, regardless of whether they are located inside or outside the US. The regulation states:

A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication is located within or outside the United States. (Title 18 USC § 2713).

This regulation, in conjunction with the existing regulations under §§ 2703ff. USC, has created a legal basis for government agencies to demand data stored by providers outside the US. According to § 2703 USC, government agencies can, under certain circumstances, request stored content, records and communication, including metadata on communication behaviour, from a provider.

§ 2703 USC also requires that the data subject be told of a transfer in certain cases, particularly if the provision of content is based on a subpoena or a court order. The duty to inform the data subject, however, may be temporarily suspended if the prerequisites set out in § 2705 USC are met. On the other hand, if the data request is based on a search warrant, the data subject does not need to be informed. Regarding records, government agencies are not obliged – no matter the selected institution – to inform the data subject. The CLOUD Act also introduced a new legal remedy in § 2703 (h) (2) USC under which a provider can lodge a court appeal against a government agency's demand for content. Under certain circumstances, the provider can also demand that the request be modified or declared invalid (i.e. a "motion to quash or modify").

EDPB assessment

In its statement, the EDPB argues that the CLOUD Act contradicts Article 48 of the GDPR, which states that any decision of a court or administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may be recognised or enforceable only if it is based on an international agreement, such as a mutual legal assistance treaty between the requesting third country and the EU (or an EU member state) without prejudice to other grounds for transfer under Chapter V GDPR.

In the absence of an appropriate legal framework or a legal basis under the GDPR, providers under EU law would not lawfully be able to disclose and transfer personal data to US agencies within the current framework of such requests. In this context, the EDPB not only reaffirms its position already formulated in the guidelines on Article 49 GDPR on data transfer requests from third countries to EU companies, but also refers specifically to the opinion of the European Commission under Article 48 GDPR, which makes it clear that a decision by a foreign court by itself does not constitute a sufficient legal basis for a transfer.

Are cloud users liable?

According to the EDPB's statement, the GDPR allows few possibilities for cloud providers to carry out a data transfer under the CLOUD Act. The more important issue of whether a cloud user relying on the services of a US cloud provider can also be held responsible for a violation of a data protection law is not discussed in the statement. In this case, it would appear that EU data protection regulations no longer make it possible for EU cloud users to have recourse to US providers.

The EDPB, however, merely suggests that the CLOUD Act may also affect other obligations under the GDPR, notably the processor's obligation to process personal data only on the controller's documented instructions. In the statement, it remains unclear whether the EDPB would see a data transfer by the cloud provider as a GDPR violation by the cloud user as well and whether it considers the commissioning of such a cloud provider by itself to be legally questionable.

As a rule, neither of these interpretations is convincing. If the cloud user concludes a proper processing contract with the cloud provider, there will be a clear division of tasks between the contracting parties. The cloud provider can then process the data only on documented instructions from the cloud user or if required by the law of the EU or a member state.

If the cloud provider adheres to this (contractual) instruction, only the cloud user is responsible under data protection law. On the other hand, if the cloud provider independently decides to comply with a demand under the CLOUD Act, it becomes the responsible party (controller) and must be accountable for its actions pursuant to Article 28(10) GDPR. The cloud user then can no longer be held responsible for the (independent) actions of the cloud provider from a data protection point of view.

Position of the HBDI: Additional liability?

The Hessian Commissioner for Data Protection and Freedom of Information (Hessische Beauftragte für Datenschutz und Informationsfreiheit, HBDI) apparently assumes that cloud users may be responsible under data protection law. In a 9 July 2019 press release, the HBDI states that the use of US cloud solutions in schools is impermissible under data protection law partly because of the risk of possible access by US authorities. As the HBDI explained using the example of the popular software Office 365, such cloud solutions cannot currently be used by schools in a data protection-compliant manner, stating:

The supervisory authorities have been in discussion with Microsoft for years. The decisive aspect here is whether the school as a public institution can store personal data (relating to children) in a (European) cloud that, for example, is exposed to possible access by US authorities. Public institutions in Germany have special responsibility with regard to the permissibility and traceability of the processing of personal data. … For this reason, it also applies here that data protection-compliant use is currently not possible for schools.

The Hesse authority, however, has so far failed to provide additional detailed legal justification. It is therefore unclear what data protection regulations a school is presumed to violate when it commissions a US provider. Even if the special protection of children in public schools is understandable and desirable, this objective must not be pursued at the expense of legal certainty. It would have been preferable – although the statement expressly refers only to data processing relating to children in schools – if the HBDI had included in the opinion a clarification for cloud use by companies.

Conclusion: pay attention to the drafting of contracts

To reduce the risk of their own liability, companies should pay attention to the proper drafting of data processing contracts when using US cloud services. Legal certainty is unlikely to be achieved until an international agreement has been concluded between the EU and US. The Council has instructed the Commission to negotiate such an agreement.