Implication of the U.S. Cloud Act on Privacy Aspects Implication of the U.S. Cloud Act on Privacy Aspects

In March 2018 the U.S. Congress enacted the U.S. Cloud Act. From an EU-perspective there is significant concern that U.S. authorities might undermine the EU GDPR requirements by compelling U.S. providers to allow access to certain types of data stored outside the U.S.

On 23th March 2018 the U.S. Congress enacted the Clarifying Lawful Overseas Use of Data Act (U.S. Cloud Act). The Act resulted from a dispute in 2013, where the Federal Bureau of Investigation (FBI) requested access to data on servers from Microsoft located in Ireland. Microsoft claimed that the Stored Communications Act (SCA) of 1986, on which the request was based, did not apply to data stored outside of the United States and refused to provide the data. Before the case was decided, the U.S. Cloud Act was enacted.

The U.S. Cloud Act amended the SCA such that U.S. providers of electronic communication services or remote computing services must comply with the obligation “to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.“

Typical scenarios where individuals are being investigated under the U.S. Cloud Act concern cybercrimes, fraud or theft of trade secrets. Both content related information (e.g. e-mails, pictures and files) and non-content related information (e.g. metadata) may be requested from the providers.

The question whether a company exercise “possession, custody or control” over information is a complex one. In this regard different aspects must be taken into account, e.g. the degree of ownership a parent company has over a subsidiary, or whether one entity has the legal right, authority or ability to access documents from the other entity, or whether the entities have common policies in place or share employees or offices etc.

Subject to bilateral agreements, the U.S. Cloud Act also provides for the possibility for foreign security authorities to directly access user data in the U.S.

From an EU-perspective there is the significant concern that U.S. authorities might undermine the EU GDPR requirements by compelling U.S. providers to allow access to certain types of data stored outside the U.S.

According to Art. 48 of the EU GDPR (Transfers or disclosures not authorised by EU law) organizations are not allowed to transfer personal data to a third country on the basis of a court ruling or administrative decision unless it is based on an international agreement, such as a mutual legal assistance treaty.

Transferring data without such ground (and subject that no other derogations for specific situations provided by the EU GDPR apply) would lead to a violation of the GDPR and possibly high fines.

A provider that is being required to disclose the contents of a wire or electronic communication of a subscriber or customer, may file within 14 days a motion to modify or quash the legal process where:

• the customer or subscriber is not a U.S. person and does not reside in the U.S.; and
• that the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government; and
• the foreign government, the laws of which may be violated, has an executive agreement with the U.S. in accordance with the U.S. Cloud Act.

Based on the totality of the circumstances the court may decide that the interests of justice prevails and the appeal therfore not be approved.

Legal and regulatory requirements applying to organizations in the private and public sectors are continuously growing. Privacy, with all its different requirements and characteristics in different legal jurisdictions, is one major issue. An international financial institution based in Switzerland, for example, must be simultaneously alert about obligations imposed by the GDPR, by national data privacy legislation, by specific legal and regulatory requirements applicable to financial services and, at the same time, be watchful for the effects resulting from the US Cloud Act.

As a consequence, organizations need a holistic approach to implement legal, technical and organizational measures for sustainable solutions to effectively collect, process, transfer and retain data in line with data privacy requirements and to ensure confidentiality, availability and integrity of the data in line with records management requirements.

Special attention in respect of the U.S. Cloud Act must be paid to a due diligence of the organizational setup for global electronic communication/computing services, especially when operating in multiple jurisdictions. Where critical data, including confidential information and personal data of individuals, is stored in the cloud, state-of-the-art security measures must be applied, including encryption of transmission channels and data repositories. Last not least service provider agreements should contain default language about the obligation of the service provider to

• only provide customers’ data to the law enforcement authorities subject to a valid legal request, i.e. a warrant, which is a court order based on evidence to a judge that reliable information indicates a probable reason for the requested search; and
• to redirect prosecutors to directly approach the service recipient for the data, rather than going through the cloud provider, if practical and if doing so will not compromise the investigation; and
• notify the service recipient about the law enforcement authorities request to preserve, backup, or disclose the contents, if doing so will not compromise the investigation (i.e. no gag order has been issued).