The U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act has the potential to create conflicting obligations for companies that must comply with the European Union’s General Data Protection Regulation (GDPR). The CLOUD Act allows governments to compel U.S.-based providers of electronic communications services and remote computing services (Providers), to store and produce electronic communications held anywhere in the world. Because data controllers and processors owe a heightened duty to their customers under GDPR, a Provider that complies with a CLOUD Act request potentially exposes itself and the EU companies that utilize its services to liability.
Although it has yet to be seen how regulators will enforce these laws where there is a conflict, a company faced with a request to produce data under the CLOUD Act may have to exercise its lawful rights to transfer that data under Articles 44-49 or perhaps seek to quash the request altogether. Ultimately, it is imperative that businesses understand their obligations under each regulation, and that they act with those obligations, and the potentially steep fines that accompany noncompliance, in mind.
The CLOUD Act
Enacted in March 2018, the CLOUD Act amends the Stored Communications Act and resolves a prior ambiguity: whether a U.S. warrant can compel U.S.-based Providers to produce electronic communications stored in another country. This question was central to the now-mooted Supreme Court case United States v. Microsoft Corp. (Microsoft Ireland). Before the Supreme Court could decide Microsoft Ireland, the United States passed the CLOUD Act, creating a framework for law enforcement authorities in the United States to request customer and subscriber data stored abroad by U.S.-based Providers. Under the new framework, the U.S. government or another “qualifying foreign government” can issue warrants to U.S.-based Providers to preserve and produce customer or subscriber data (CLOUD Warrants).
The CLOUD Act defines a “qualifying foreign government” as “a foreign government with which the United States has an executive data sharing agreement… [and] the laws of which provide to [Providers] substantive and procedural opportunities” to challenge CLOUD Warrants similar to those provided by the United States. A foreign government can only issue CLOUD Warrants to U.S.-based Providers if it has entered into one of these executive agreement with the United States.
Providers that receive a CLOUD Warrant can move to quash the request if the Provider reasonably believes: (i) the subscriber is not a U.S. citizen, and (ii) that disclosing the information creates a material risk that the Provider would violate the laws of a qualifying foreign government.
The quash procedures under the CLOUD Act are rather limited for two reasons.
First, a Provider can only quash a CLOUD Warrant seeking a non-U.S. citizen’s data. Because GDPR, on the other hand, applies even to ‘controller’ processing of the personal data of U.S. citizens living in the EU; such a person’s data would simultaneously be protected by GDPR but also subject to transfers pursuant to the CLOUD Act. Second, a Provider can only move to quash a CLOUD Warrant if the data transfer will violate the laws of a “qualifying foreign government.” Thus, Providers may not be able to withhold data stored outside of countries that have entered into executive data sharing agreements with the United States. In any event, Providers can still challenge a warrant through the courts because the CLOUD Act does not affect the “common law standards governing the availability or application of comity analysis to other types of compulsory process.”
In addition to the limitations detailed above, a court reviewing a CLOUD Act challenge may only grant the challenge if, “based on the totality of the circumstances, the interests of justice dictate that the legal process should be modified or quashed.” The court conducting this analysis must weighs factors including: the interests of both governments, whether other means of obtaining the data exist, and the likely penalties the Provider and its employees may suffer “as a result of inconsistent legal requirements imposed on the provider.”
Complying with a CLOUD Act warrant may violate GDPR restrictions and requirements
GDPR makes it unlawful for a controller or processor to transfer data unless the transfer is made subject to certain conditions. Thus, a Provider that complies with a CLOUD Warrant may violate GDPR unless it meets one of the special conditions in Articles 44–49 of GDPR. There are several provisions that may potentially allow a controller or processor to comply with a CLOUD Warrant without violating GDPR, but much of this will be dependent upon how these provisions are interpreted in the following months.
Article 48 of GDPR contemplates foreign government requests for data and sanctions transfers “made pursuant to an existing international agreement, such as a mutual legal assistance treaty” (MLAT)
As emphasized by the European Commission in Microsoft Ireland, “Article 48 makes clear that a foreign court order does not make a transfer lawful under the GDPR.” Thus, a transfer pursuant to Art. 48 must be made pursuant to an acceptable “international agreement.” Currently, both Article 48 and the relevant Recitals counsel that MLATs are sufficiently robust agreements to sanction a data transfer.
The CLOUD Act contemplates cross-border data transfers pursuant to international agreements. Specifically, the CLOUD Act authorizes “the executive branch to conclude a new form of international agreement through which select foreign governments can seek data directly from U.S. technology companies without individualized review by the U.S. government.” Although these executive agreements will “supplement, not replace, existing avenues of international data sharing,” CLOUD Warrants will be the preferred avenue for governments seeking data because they can request information directly from Providers and avoid many of the cumbersome procedural hurdles in the MLAT process.
This is problematic in light of the recent Article 29 Working Party’s guidance stressing that MLATs “must—as a general rule—be obeyed” because “[t]he circumvention of existing MLATs. . .by a third country’s law enforcement authority” is “an interference with the territorial sovereignty of an EU member state.” Given these strong pronouncements by the Article 29 Working Party and the European Commission, a transfer of personal data made pursuant to the CLOUD Act’s executive agreements may still violate GDPR unless data protection authorities determine that the CLOUD agreements provide the protection contemplated by Article 48. Until additional guidance is provided in regards to their equivalency, a controller or processor who complies with a CLOUD Warrant may open itself up to liability under GDPR.
Two of the Article 49 derogations for specific situations may sanction data transfers under the CLOUD Act
The European Commission noted in its amicus brief in Microsoft Ireland that the following two derogations for specific situations may sanction transfers pursuant to a government request:
(1) transfers “necessary for important reasons of public interest,” which would be more likely to govern situations where a government needs data to combat serious crime, humanitarian purposes, monitoring epidemics, or in situations of natural or man-made disasters; and
(2) transfers “necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject.”
Whether a Provider’s risk of being subject to a U.S.-issued contempt order will outweigh a data subject’s rights or freedoms is likely to be heavily litigated. In any case, the European Commission has counseled that these derogations are not meant to be workarounds for GDPR’s protections and should be strictly construed.
Article 6 of GDPR allows processing “necessary for the purposes of the legitimate interests pursued by the controller” provided that interest is not “overridden by the interests or fundamental rights and freedoms of the data subject”
Article 6 may sanction processing of personal data where Providers must comply with a CLOUD Warrant to avoid punishment in the United States. Under this argument, a Provider’s desire to avoid being held in contempt may amount to a “legitimate interest” that outweighs the fundamental privacy rights of the data subject, similar to the balancing test under Article 49’s derogations. Given the robust due processes and privacy protections in the GDPR and historical EU laws including the EU Charter of Fundamental Rights, it may be difficult to argue that complying with U.S. law outweighs the fundamental rights of the data subject.
Complying with the CLOUD Act and GDPR
Whether in its capacity as a controller using a U.S.-based Provider, or as a U.S.-based processor storing data in its own cloud, a company complying with a CLOUD Warrant may violate the GDPR. However, Providers and their customers can take several measures to remain GDPR compliant.
First, a U.S.-based Provider can rely on the CLOUD Act’s built-in process to attempt to quash the warrant, provided that it meets the conditions outlined above. Even if the personal data is stored outside of a country that has entered into an executive agreement with the United States, the Provider could still challenge a CLOUD Act Warrant, or a contempt order entered for non-compliance, in court relying on principles of comity.
Additionally, controllers that contract with U.S.-based Providers may need to modify their data-sharing agreements with cloud-providers and customers to limit their liability. A controller may also consider including a provision in their data-processing agreement with Providers explicitly objecting to transfers to other countries or in response to a government request. Although this may not stop a Provider from turning over data in response to a CLOUD Warrant, it still stands to show a regulator that the controller was not complicit in the improper processing of an EU resident’s data.
If a Provider cannot comply with GDPR and the CLOUD Act
Assuming these two regulations cannot operate in harmony, data controllers and processors subject to CLOUD Warrants may face punishment from both the EU and the United States. If a Provider refused to comply with a CLOUD Warrant, the Provider could face contempt sanctions in the United States. On the other hand, a Provider that violates GDPR could be punished with a suspension of the data flow, fines, or enforcement actions brought by a supervisory authority.
Where a Provider refuses to comply with a CLOUD Warrant for fear of violating GDPR, courts in the United States will likely apply principles of comity and choice of law to determine the appropriate course of action. Although the United States Supreme Court generally presumes that U.S. law does not apply extraterritoriality, it also recognizes that “Congress has the authority to enforce its laws beyond the territorial boundaries of the United States.” Thus, it is possible that the Court could find that the CLOUD Act is enforceable outside the United States. In such a circumstance, it is likely that a court would apply comity principles similar to those used when a party to U.S. litigation tries to compel a foreign corporation to produce documents in violation of foreign law.
The true level of conflict between these two data regulations is yet to be seen. Indeed, many of the gray areas raised in this article (the breadth of the quash procedures, whether the executive agreements satisfy Article 48, whether complying with CLOUD Warrant requests constitutes a “legitimate interest” of the Controller) will play out with the EU Data Protection Board, the EU Member State supervisory authorities, and in courtrooms over the next few years. It is also unclear whether the data protection authorities in the EU will aggressively prosecute companies that comply with CLOUD Warrant. For the time being, companies need to be mindful of with whom their data is stored and take measures to understand their obligations under both GDPR and the CLOUD Warrant.