The CLOUD Act
Enacted in March 2018, the CLOUD Act amends the Stored Communications Act[1] and resolves a prior ambiguity: whether a U.S. warrant can compel U.S.-based Providers to produce electronic communications stored in another country. This question was central to the now-mooted Supreme Court case United States v. Microsoft Corp. (Microsoft Ireland).[2] Before the Supreme Court could decide Microsoft Ireland, the United States passed the CLOUD Act, creating a framework for U.S. law enforcement authorities to request customer and subscriber data stored abroad by U.S.-based Providers. Under the new framework, the U.S. government, or a “qualifying foreign government,” can require U.S.-based Providers to preserve and produce customer or subscriber data (CLOUD Warrants).[3]
The CLOUD Act defines a “qualifying foreign government” as “a foreign government with which the United States has an executive data sharing agreement… [and] the laws of which provide to [Providers] substantive and procedural opportunities” to challenge CLOUD Warrants similar to those provided by the United States.[4] A foreign government can issue CLOUD Warrants to U.S.-based Providers only if it has entered into one of these executive agreements with the United States.
Providers that receive a CLOUD Warrant can move to quash the request if the Provider reasonably believes (i) that the subscriber is not a U.S. citizen and (ii) that disclosing the information creates a material risk that the Provider would violate the laws of a qualifying foreign government.[5]
The quash procedures under the CLOUD Act are rather limited for two reasons.
First, a Provider can only quash a CLOUD Warrant seeking a non-U.S. citizen’s data. GDPR, on the other hand, applies to a controller’s processing of the personal data of anyone in the EU, including U.S. citizens living there; such a person’s data would be protected by GDPR yet remain subject to transfer under the CLOUD Act with no statutory basis to quash. Second, a Provider can only move to quash a CLOUD Warrant if the data transfer would violate the laws of a “qualifying foreign government.”[6] Thus, Providers may not be able to withhold data stored in countries that have not entered into executive data sharing agreements with the United States. In any event, Providers can still challenge a warrant through the courts because the CLOUD Act does not affect the “common law standards governing the availability or application of comity analysis to other types of compulsory process.”[7]
In addition to the limitations detailed above, a court reviewing a CLOUD Act challenge may grant it only if, “based on the totality of the circumstances, the interests of justice dictate that the legal process should be modified or quashed.”[8] The court conducting this analysis must weigh factors including the interests of both governments, whether other means of obtaining the data exist, and the likely penalties the Provider and its employees may suffer “as a result of inconsistent legal requirements imposed on the provider.”[9]
Complying with a CLOUD Act warrant may violate GDPR restrictions and requirements
GDPR makes it unlawful for a controller or processor to transfer personal data to a third country unless the transfer satisfies certain conditions.[10] Thus, a Provider that complies with a CLOUD Warrant may violate GDPR unless it meets one of the conditions in Articles 44–49 of GDPR. Several provisions could allow a controller or processor to comply with a CLOUD Warrant without violating GDPR, but much will depend on how those provisions are interpreted in the coming months.
Article 48 of GDPR contemplates foreign government requests for data and permits transfers “made pursuant to an existing international agreement, such as a mutual legal assistance treaty” (MLAT)
As the European Commission emphasized in Microsoft Ireland, “Article 48 makes clear that a foreign court order does not make a transfer lawful under the GDPR.”[11] Thus, to rely on Article 48, a transfer must be based on an acceptable “international agreement.” Currently, both Article 48 and the relevant Recitals indicate that MLATs are sufficiently robust agreements to support a data transfer.[12]
The CLOUD Act also contemplates cross-border data transfers pursuant to international agreements. Specifically, the CLOUD Act authorizes “the executive branch to conclude a new form of international agreement through which select foreign governments can seek data directly from U.S. technology companies without individualized review by the U.S. government.”[13] Although these executive agreements will “supplement, not replace, existing avenues of international data sharing,”[14] CLOUD Warrants will likely be the preferred avenue for governments seeking data because they can request information directly from Providers and avoid many of the cumbersome procedural hurdles of the MLAT process.[15]
This is problematic in light of the Article 29 Working Party’s recent guidance stressing that MLATs “must—as a general rule—be obeyed” because “[t]he circumvention of existing MLATs. . .by a third country’s law enforcement authority” is “an interference with the territorial sovereignty of an EU member state.”[16] Given these strong pronouncements by the Article 29 Working Party and the European Commission, a transfer of personal data made pursuant to a CLOUD Act executive agreement may still violate GDPR unless data protection authorities determine that such agreements provide the protection contemplated by Article 48.[17] Until additional guidance is issued on their equivalence, a controller or processor that complies with a CLOUD Warrant may expose itself to liability under GDPR.
Two of the Article 49 derogations for specific situations may permit data transfers under the CLOUD Act
The European Commission noted in its amicus brief in Microsoft Ireland that the following two derogations for specific situations may permit transfers pursuant to a government request:
(1) transfers “necessary for important reasons of public interest,”[18] which is more likely to cover situations where a government needs data to combat serious crime, for humanitarian purposes, to monitor epidemics, or to respond to natural or man-made disasters;[19] and
(2) transfers “necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject.”[20]
Whether a Provider’s risk of being subject to a U.S.-issued contempt order will outweigh a data subject’s rights or freedoms is likely to be heavily litigated. In any case, the European Commission has counseled that these derogations are not meant to be workarounds for GDPR’s protections and should be strictly construed.[21]
Article 6 of GDPR allows processing “necessary for the purposes of the legitimate interests pursued by the controller” provided that interest is not “overridden by the interests or fundamental rights and freedoms of the data subject”
Article 6(1)(f) may permit processing of personal data where Providers must comply with a CLOUD Warrant to avoid punishment in the United States.[22] Under this argument, a Provider’s interest in avoiding contempt sanctions may amount to a “legitimate interest” that outweighs the fundamental privacy rights of the data subject, mirroring the balancing test under Article 49’s derogations. Given the robust due process and privacy protections in the GDPR and in longstanding EU law, including the EU Charter of Fundamental Rights,[23] it may be difficult to argue that complying with U.S. law outweighs the fundamental rights of the data subject.
Complying with the CLOUD Act and GDPR
Whether in its capacity as a controller using a U.S.-based Provider, or as a U.S.-based processor storing data in its own cloud, a company complying with a CLOUD Warrant may violate the GDPR.[24] However, Providers and their customers can take several measures to remain GDPR compliant.
First, a U.S.-based Provider can rely on the CLOUD Act’s built-in process to attempt to quash the warrant, provided that it meets the conditions outlined above.[25] Even if the personal data is stored in a country that has not entered into an executive agreement with the United States, the Provider could still challenge a CLOUD Warrant, or a contempt order entered for non-compliance, in court by relying on principles of comity.[26]
Additionally, controllers that contract with U.S.-based Providers may need to modify their data-sharing agreements with cloud providers and customers to limit their liability. A controller may also consider including a provision in its data-processing agreement with Providers that explicitly objects to transfers to other countries or in response to a government request. Although this may not stop a Provider from turning over data in response to a CLOUD Warrant, it can still show a regulator that the controller was not complicit in the improper processing of an EU resident’s data.
If a Provider cannot comply with GDPR and the CLOUD Act
Assuming the two regimes cannot be reconciled, data controllers and processors subject to CLOUD Warrants may face punishment from both the EU and the United States. A Provider that refuses to comply with a CLOUD Warrant could face contempt sanctions in the United States. On the other hand, a Provider that violates GDPR could face suspension of the data flow, fines, or enforcement actions brought by a supervisory authority.[27]
Where a Provider refuses to comply with a CLOUD Warrant for fear of violating GDPR, courts in the United States will likely apply principles of comity and choice of law to determine the appropriate course of action. Although the U.S. Supreme Court generally presumes that U.S. law does not apply extraterritorially,[28] it also recognizes that “Congress has the authority to enforce its laws beyond the territorial boundaries of the United States.”[29] Thus, it is possible that a court could find that the CLOUD Act is enforceable outside the United States. In that circumstance, a court would likely apply comity principles similar to those used when a party to U.S. litigation seeks to compel a foreign corporation to produce documents in violation of foreign law.[30]
Conclusion
The true extent of the conflict between these two regimes remains to be seen. Indeed, many of the gray areas raised in this article (the breadth of the quash procedures, whether the executive agreements satisfy Article 48, whether complying with CLOUD Warrant requests constitutes a “legitimate interest” of the controller) will play out before the European Data Protection Board, the EU Member State supervisory authorities, and the courts over the next few years. It is also unclear whether EU data protection authorities will aggressively pursue companies that comply with CLOUD Warrants. For the time being, companies need to be mindful of where and with whom their data is stored and take measures to understand their obligations under both GDPR and the CLOUD Act.
- [1] Stored Communications Act, Pub. L. 99-508, tit. II, 100 Stat. 1848, 1860-68 (1986) (codified as amended at 18 U.S.C. §§ 2701-12).
- [2] 138 S. Ct. 1186 (2018) (per curiam) (vacating and remanding judgment).
- [3] The CLOUD Act also creates a framework for law enforcement agencies in other countries to compel U.S.-based Providers to produce customer and subscriber information.
- [4] 115 P.L. 141, 132 Stat. 348, § 2713(h). The Attorney General has the power to enter into these executive agreements, provided that the foreign government meets a minimum standard of privacy and human rights protections, does not seek data on U.S. citizens, and only seeks data to investigate “serious crimes.” See id. at § 2523(b).
- [5] § 2713.
- [6] 115 P.L. 141, 132 Stat. 348, § 2713(h)(2).
- [7] § 2713(c).
- [8] § 2713(h)(3).
- [9] Other factors include the “location and nationality of the subscriber or customer,” the “nature and extent of the provider’s ties to and presence in the United States,” and the “importance to the investigation of the information required to be disclosed.” See § 2713(h)(3).
- [10] See GDPR Arts. 44–49. Notably, the provision of personal data to a U.S. authority would constitute “processing” under the GDPR, such that an Article 6 lawful basis must apply. And, as discussed below, the Article 6(1)(c) basis of compliance with a legal obligation only applies to legal obligations under EU or EU Member State law. GDPR Recital 45.
- [11] Brief of the European Commission on behalf of the European Union as Amicus Curiae in support of neither party, at 14, U.S. v. Microsoft Corp., No. 17-2 (U.S. 2017).
- [12] Id. (cautioning against transfers “which are not based on an international agreement, such as a mutual legal assistance treaty”).
- [13] Stephen P. Mulligan, Cross-Border Data Sharing Under the CLOUD Act, CONG. RES. SERV. (Apr. 23, 2018).
- [14] Id.
- [15] For example, requests for data under MLATs must be reviewed and approved by both the DOJ and a federal court before they are issued, resulting in substantial delays. See id.
- [16] Article 29 Working Party, Statement on data protection and privacy aspects of cross-border access to electronic evidence (Nov. 29, 2017).
- [17] It is also unclear whether the United States will enter into agreements with individual EU Member States, or with the EU itself.
- [18] Art. 49(4) of GDPR notes that the public interest “shall be recognized in [European] Union law or in the law of the Member State.”
- [19] See GDPR Recital 46.
- [20] GDPR Art. 49(1).
- [21] Brief of the European Commission on behalf of the European Union as Amicus Curiae in support of neither party, at 16, U.S. v. Microsoft Corp., No. 17-2 (U.S. 2017).
- [22] “Processing” under the GDPR is a broad concept that includes “disclosure by transmission” and “dissemination.” See Art. 4(2). Thus, an Article 6 lawful basis (as also reflected in the principles set forth in Article 5) is necessary in addition to the transfer requirements. Recital 45 of the GDPR, meant to provide guidance on the application of the new law, notes that a legal obligation is an alternative lawful basis for processing. However, such a legal obligation must be based in EU or Member State law, which the CLOUD Act is not.
- [23] See Charter of Fundamental Rights of the European Union, 2012 O.J. (C 326) 391.
- [24] Because the United States is not deemed to provide an adequate level of protection for personal data, Art. 45 would not permit transfers to U.S. law enforcement.
- [25] 115 P.L. 141, 132 Stat. 348, § 2713(h)(2). Note that these avenues may be available only when the request comes from the U.S. government, because qualifying foreign governments are allowed to adopt their own challenge processes, similar to the “substantive and procedural opportunities” available when the request comes from the U.S. government.
- [26] See id. Part 4; 115 P.L. 141, 132 Stat. 348, § 2713(c) (preserving “common law standards governing the availability or application of comity analysis to other types of compulsory process”).
- [27] For more on these punishments, please see reedsmith.com.
- [28] See RJR Nabisco, Inc. v. European Cmty., 136 S. Ct. 2090, 2093 (2016).
- [29] E.E.O.C. v. Arabian Am. Oil Co., 499 U.S. 244 (1991) (emphasis added).
- [30] See Société Nationale Industrielle Aérospatiale v. U.S. District Court for the Southern District of Iowa, 482 U.S. 522 (1987) (analyzing a cross-border discovery question by looking at: (1) the importance to the…litigation of the documents or other information requested; (2) the degree of specificity of the request; (3) whether the information originated in the United States; (4) the availability of alternative means of securing the information; and (5) the extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine important interests of the state where the information is located).
Client Alert 2018-133