Thomson Reuters

The U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act has the potential to create conflicting obligations for companies that
must comply with the European Union's General Data Protection Regulation (GDPR).

Authors: Bart W. Huffman

The CLOUD Act allows governments to compel U.S.-based providers of electronic communications services and remote computing
services (providers) to store and produce electronic communications held anywhere in the world. For financial institutions that already
operate in a heavily regulated environment, the CLOUD Act provides another avenue for government access to customer data.
Because data controllers and processors owe a heightened duty to their customers under GDPR, a provider that complies with a
CLOUD Act request potentially exposes itself and the EU companies that utilise its services to liability.

Although it has yet to be seen how regulators will enforce these laws where there is a conflict, a company faced with a request to
produce data under the CLOUD Act may have to exercise its lawful rights to transfer that data under arts 44-49 of GDPR, or perhaps
seek to quash the request altogether. Ultimately, it is imperative that businesses understand their obligations under each regulation,
and that they act with those obligations, and the potentially steep fines that accompany non-compliance, in mind.