The U.S. Clarifying Lawful Overseas Use of Data (CLOUD) Act has the potential to create conflicting obligations for companies that
must comply with the European Union's General Data Protection Regulation (GDPR).
The CLOUD Act allows governments to compel U.S.-based providers of electronic communications services and remote computing
services (providers) to store and produce electronic communications held anywhere in the world. For financial institutions that already
operate in a heavily regulated environment, the CLOUD Act provides another avenue for government access to customer data.
Because data controllers and processors owe a heightened duty to their customers under GDPR, a provider that complies with a
CLOUD Act request potentially exposes itself and the EU companies that utilise its services to liability.
Although it has yet to be seen how regulators will enforce these laws where there is a conflict, a company faced with a request to
produce data under the CLOUD Act may have to exercise its lawful rights to transfer that data under arts 44–49 of GDPR, or perhaps
seek to quash the request altogether. Ultimately, it is imperative that businesses understand their obligations under each regulation,
and that they act with those obligations, and the potentially steep fines that accompany non-compliance, in mind.
The CLOUD Act
Enacted in March 2018, the CLOUD Act amends the Stored Communications Act and resolves a prior ambiguity: whether a U.S.
warrant can compel U.S.-based providers to produce electronic communications stored in another country. This question was central to
the now-mooted Supreme Court case United States v Microsoft Corporation (Microsoft Ireland).
Before the Supreme Court could decide Microsoft Ireland, the United States passed the CLOUD Act, creating a framework for law
enforcement authorities in the United States to request customer and subscriber data stored abroad by U.S.-based providers. Under
the new framework, the U.S. government or another "qualifying foreign government" can issue warrants to U.S.-based providers to
preserve and produce customer or subscriber data (CLOUD warrants).
The CLOUD Act defines a "qualifying foreign government" as "a foreign government with which the United States has an executive data
sharing agreement … [and] the laws of which provide to [providers] substantive and procedural opportunities" to challenge CLOUD
warrants similar to those provided by the United States. A foreign government can only issue CLOUD warrants to U.S.-based providers
if it has entered into one of these executive agreements with the United States.
Providers that receive a CLOUD warrant from the United States can move to quash the request if the provider reasonably believes: (i)
the subscriber is not a U.S. citizen, and (ii) that disclosing the information creates a material risk that the provider would violate the laws
of a qualifying foreign government.
The quash procedures under the CLOUD Act are rather limited for two reasons. First, a provider can only quash a CLOUD warrant
seeking a non-U.S. citizen's data. GDPR, on the other hand, applies even to "controller" processing of the personal data of U.S. citizens
living in the EU, so that such a person's data would simultaneously be protected by GDPR but also subject to transfers pursuant to the
CLOUD Act.
For example, a bank located in the EU that utilises a U.S.-based cloud provider must look outside the CLOUD Act to quash a CLOUD
warrant from the U.S. government seeking information of a U.S. citizen residing in the EU and utilising the bank's services.
Secondly, a provider can only move to quash a CLOUD warrant if the data transfer will violate the laws of a "qualifying foreign
government". Thus, providers may not be able to withhold data stored outside of countries that have entered into executive data-sharing
agreements with the United States.
In any event, providers can still challenge a warrant through the courts because the CLOUD Act does not affect the "common law
standards governing the availability or application of comity analysis to other types of compulsory process".
In addition to the limitations detailed above, a court reviewing a CLOUD Act challenge may only grant the challenge if, "based on the
totality of the circumstances, the interests of justice dictate that the legal process should be modified or quashed". The court conducting
this analysis must weigh factors including: the interests of both governments, whether other means of obtaining the data exist, and the
likely penalties the provider and its employees may suffer "as a result of inconsistent legal requirements imposed on the provider".
Complying with a CLOUD Act warrant may violate GDPR restrictions and requirements
GDPR makes it unlawful for a controller or processor to transfer data unless the transfer is made subject to certain conditions. Thus, a
financial institution that turns over customer information in response to a CLOUD warrant may violate GDPR unless it meets one of the
special conditions in arts 44–49 of GDPR. There are several provisions that may potentially allow a controller or processor to comply
with a CLOUD warrant without violating GDPR, but much of this will depend on how these provisions are interpreted in the
coming months.
Article 48 of GDPR contemplates foreign government requests for data and sanctions transfers "made pursuant to an existing
international agreement, such as a mutual legal assistance treaty" (MLAT)
As emphasised by the European Commission in Microsoft Ireland, "Article 48 makes clear that a foreign court order does not make
a transfer lawful under the GDPR." Thus, a transfer pursuant to art 48 must be made pursuant to an acceptable "international
agreement". Currently, both art 48 and the relevant recitals counsel that MLATs are sufficiently strong agreements to sanction a data
transfer.
The CLOUD Act contemplates cross-border data transfers pursuant to international agreements. Specifically, the CLOUD Act
authorises "the executive branch to conclude a new form of international agreement through which select foreign governments can
seek data directly from U.S. technology companies without individualised review by the U.S. government."
Although these executive agreements will "supplement, not replace, existing avenues of international data sharing", CLOUD warrants
will be the preferred avenue for governments seeking data because they can request information directly from providers and avoid
many of the cumbersome procedural hurdles in the MLAT process.
This is problematic given the recent Article 29 Working Party's guidance stressing that MLATs "must — as a general rule — be
obeyed" because "[t]he circumvention of existing MLATs … by a third country's law enforcement authority" is "an interference with the
territorial sovereignty of an EU member state". Given these strong pronouncements by the Article 29 Working Party and the European
Commission, a transfer of personal data made pursuant to the CLOUD Act's executive agreements may still violate GDPR unless data
protection authorities determine that the CLOUD agreements provide the protection contemplated by art 48. Until additional guidance is
provided regarding their equivalency, a controller or processor who complies with a CLOUD warrant may open itself up to liability under
GDPR.
Two of the art 49 derogations for specific situations may sanction data transfers under the CLOUD Act
The European Commission noted in its amicus brief in Microsoft Ireland that the following two derogations for specific situations may
sanction transfers pursuant to a government request:
• transfers "necessary for important reasons of public interest", which would be more likely to govern situations where a government
needs data to combat serious crime, humanitarian purposes, monitoring epidemics, or in situations of natural or man-made disasters;
and
• transfers "necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the
interests or rights and freedoms of the data subject".
Whether a provider's risk of being subject to a U.S.-issued contempt order will outweigh a data subject's rights or freedoms is likely to
be heavily litigated. There may be a stronger argument that the type of data sought from financial institutions is more integral to the
public interest as such information can be critical to law enforcement. Conversely, financial information may be deemed to be more
sensitive, and therefore warrant greater protection. In any case, the European Commission has counselled that these derogations are
not meant to be workarounds for GDPR's protections and should be strictly construed.
Article 6 of GDPR allows processing "necessary for the purposes of the legitimate interests pursued by the controller"
provided that interest is not "overridden by the interests or fundamental rights and freedoms of the data subject"
Article 6 may sanction processing of personal data where providers must comply with a CLOUD warrant to avoid punishment in
the United States. Under this argument, a provider's desire to avoid being held in contempt may amount to a "legitimate interest"
that outweighs the fundamental privacy rights of the data subject, similar to the balancing test under art 49's derogations. Given the
extensive due process and privacy protections in GDPR and historical EU laws, including the EU Charter of Fundamental Rights, it
may be difficult to argue that complying with U.S. law outweighs the fundamental rights of the data subject.
Complying with the CLOUD Act and GDPR
Whether in its capacity as a controller using a U.S.-based provider, or as a processor facilitating its own customers' electronic
communications, any company turning over customer data may violate GDPR. Providers and their customers can, however, take
several measures to remain GDPR-compliant.
First, a U.S.-based provider can rely on the CLOUD Act's built-in process to attempt to quash the warrant, if it meets the conditions
outlined above. Even if the personal data is stored outside of a country that has entered into an executive agreement with the United
States, the provider could still challenge a CLOUD Act warrant, or a contempt order entered for non-compliance, in court, relying on
principles of comity.
Additionally, controllers that contract with U.S.-based providers may need to modify their data-sharing agreements with cloud providers
and customers to limit their liability. A controller may also consider including a provision in its data-processing agreement with
providers explicitly objecting to transfers to other countries or in response to a government request. Although this may not stop a
provider from turning over data in response to a CLOUD warrant, it still stands to show a regulator that the controller was not complicit
in the improper processing of an EU resident's data.
If a provider cannot comply with GDPR and the CLOUD Act
Assuming these two regulations cannot operate in harmony, data controllers and processors subject to CLOUD warrants may face
punishment from both the EU and the United States. If a provider refuses to comply with a CLOUD warrant, the provider could face
contempt sanctions in the United States. On the other hand, a provider that violates GDPR could be punished with a suspension of the
data flow, fines, or enforcement actions brought by a supervisory authority.
Where a provider refuses to comply with a CLOUD warrant for fear of violating GDPR, courts in the United States will likely apply
principles of comity and choice of law to determine the appropriate course of action. Although the United States Supreme Court
generally presumes that U.S. law does not apply extra-territorially, it also recognises that "Congress has the authority to enforce its
laws beyond the territorial boundaries of the United States." Thus, it is possible the court could find that the CLOUD Act is enforceable
outside the United States. In such a circumstance, it is likely that a court would apply comity principles similar to those used when a
party to U.S. litigation tries to compel a foreign corporation to produce documents in violation of foreign law.
Grey areas
For banks and other institutions in the heavily-regulated financial sector, the CLOUD Act adds yet another concern regarding customer
data. In large part, the true impact and conflict between these two data regulations is yet to be seen. Many of the grey areas raised in
this article (the breadth of the quash procedures, whether the executive agreements satisfy art 48, whether complying with CLOUD
warrant requests constitutes a "legitimate interest" of the controller) will play out with the EU Data Protection Board, the EU member
state supervisory authorities and in courtrooms during the next few years.
It is also unclear whether the data protection authorities in the EU will aggressively prosecute companies that comply with CLOUD
warrants, or whether there will be a special focus on financial institutions. The Swedish government recently announced plans to
monitor entities in certain industries more closely for their compliance with certain aspects of GDPR. It is possible that certain regulatory
authorities will apply a similar approach to gauge compliance with GDPR's data transfer standards across specific industries.
For the time being, companies, including those in the banking and finance sector, need to be mindful of with whom their data is stored
and take measures to understand how their obligations under both GDPR and the CLOUD Act interact within the existing regulatory
environment.