In March 2018 the U.S. Congress enacted the U.S. Cloud Act. From an EU-perspective there is significant concern that U.S. authorities might undermine the EU GDPR requirements by compelling U.S. providers to allow access to certain types of data stored outside the U.S.
On 23th March 2018 the U.S. Congress enacted the Clarifying Lawful Overseas Use of Data Act (U.S. Cloud Act). The Act resulted from a dispute in 2013, where the Federal Bureau of Investigation (FBI) requested access to data on servers from Microsoft located in Ireland. Microsoft claimed that the Stored Communications Act (SCA) of 1986, on which the request was based, did not apply to data stored outside of the United States and refused to provide the data. Before the case was decided, the U.S. Cloud Act was enacted.
Scope of application
The U.S. Cloud Act amended the SCA such that U.S. providers of electronic communication services or remote computing services must comply with the obligation “to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.“
Typical scenarios where individuals are being investigated under the U.S. Cloud Act concern cybercrimes, fraud or theft of trade secrets. Both content related information (e.g. e-mails, pictures and files) and non-content related information (e.g. metadata) may be requested from the providers.
The question whether a company exercise “possession, custody or control” over information is a complex one. In this regard different aspects must be taken into account, e.g. the degree of ownership a parent company has over a subsidiary, or whether one entity has the legal right, authority or ability to access documents from the other entity, or whether the entities have common policies in place or share employees or offices etc.
Subject to bilateral agreements, the U.S. Cloud Act also provides for the possibility for foreign security authorities to directly access user data in the U.S.
Conflicts with the EU GDPR
From an EU-perspective there is the significant concern that U.S. authorities might undermine the EU GDPR requirements by compelling U.S. providers to allow access to certain types of data stored outside the U.S.
According to Art. 48 of the EU GDPR (Transfers or disclosures not authorised by EU law) organizations are not allowed to transfer personal data to a third country on the basis of a court ruling or administrative decision unless it is based on an international agreement, such as a mutual legal assistance treaty.
Transferring data without such ground (and subject that no other derogations for specific situations provided by the EU GDPR apply) would lead to a violation of the GDPR and possibly high fines.
Possibility to appeal
A provider that is being required to disclose the contents of a wire or electronic communication of a subscriber or customer, may file within 14 days a motion to modify or quash the legal process where:
- the customer or subscriber is not a U.S. person and does not reside in the U.S.; and
- that the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government; and
- the foreign government, the laws of which may be violated, has an executive agreement with the U.S. in accordance with the U.S. Cloud Act.
Based on the totality of the circumstances the court may decide that the interests of justice prevails and the appeal therfore not be approved.