22 October 2019
The European Data Protection Board (‘EDPB’) and the European Data Protection Supervisor (‘EDPS’) have raised questions over the compatibility of requests for data that may be made by US law enforcement authorities under the US Clarifying Lawful Overseas Use of Data Act (the ‘US CLOUD Act’) with the General Data Protection Regulation (‘GDPR’). Service providers located in the EU, who are directly or indirectly subject to US jurisdiction, should carefully consider the analysis of the EDPB and EDPS in their recently published assessment when considering requests for access to data received from foreign law enforcement authorities, and particularly any request made under the US CLOUD Act.
US CLOUD Act
The US CLOUD Act was brought into force in 2018 in response to the Microsoft Warrant case. This case developed when Microsoft Ireland refused to comply with a US warrant for the production of emails, on the basis that the US Stored Communications Act did not enable US authorities to serve warrants with extra-territorial effect in order to obtain access to data held outside the US. It was argued that US authorities should request the data from Ireland through the existing mutual legal assistance treaty (‘MLAT’) regime. The US CLOUD Act was adopted, partly to amend/clarify US law (depending on one’s point of view regarding the issues raised in the Microsoft Warrant case) so that US authorities clearly have the power to demand that certain US service providers who have operations outside the US preserve, backup or disclose specified data that is within their possession or control.
EDPB and EDPS joint assessment
On 10 July 2019, the EDPB and the EDPS issued a letter to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, containing their legal assessment of the interaction between the US CLOUD Act and the European data protection legal framework. The assessment deals specifically with requests by US law enforcement authorities under the US CLOUD Act for the purposes of criminal investigations. However, certain parts of the assessment have the potential to be applied in a broader range of circumstances.
The assessment reiterates the previously stated view that a request from a foreign authority for the transfer of data does not, in and of itself, constitute a legal ground for transfer for the purpose of the GDPR. Under Article 48 of the GDPR, any judgment of a court or tribunal of a third country requiring the transfer or disclosure of personal data can only be recognised or enforceable where it is based on an international agreement, such as an MLAT, in force between that third country and the Member State, unless other grounds for transfer under the GDPR apply. Article 49 of the GDPR contains derogations from this general prohibition in specific circumstances. The EDPB and EDPS state that these derogations are to be interpreted strictly.
The EDPB and EDPS emphasise that there are two key elements to consider in relation to the legality of a transfer of personal data in response to a request made under the US CLOUD Act: there must be a legal basis for processing under Article 6, and there must be a permitted basis for engaging in the transfer under Chapter V of the GDPR. The potentially applicable provisions for each of these purposes are considered, and explanations are provided as to why, in the opinion of the EDPB and the EDPS, it is unlikely that there will be a legal basis for processing that can be relied upon for the purpose of Article 6 (never mind a permitted basis for engaging in the transfer under Chapter V), except in very limited circumstances. The comments regarding the interpretation of the ‘legitimate interests’ ground for processing will be of particular concern to those who would advocate for or rely on a broader interpretation of this key concept under the GDPR.
As a result of their analysis, the EDPB and EDPS conclude that an international agreement that encompasses all necessary safeguards is the most suitable method of protection for the relevant EU data protection law. They consider that ‘unless a US CLOUD Act warrant is recognised or made enforceable on the basis of an international agreement, and therefore can be recognised as a legal obligation, as per Article 6(1)(c) GDPR, the lawfulness of such processing cannot be ascertained’. The EDPB and EDPS state that ‘in the absence of such…an international agreement (such as the EU US MLAT or a MLAT between a Member State and the US in the context of a US CLOUD Act request) or another legal basis under the GDPR, service providers subject to EU law cannot legally base the disclosure and transfer of personal data to the US on such requests’. The letter contains little comfort for service providers who may be the subject of US CLOUD Act requests before any such international agreement is entered into.
Although this is only an initial assessment, the EDPB and EDPS recommend that controllers and competent authorities follow this assessment in relation to US CLOUD Act requests. If they do, then this interpretation of the GDPR will present organisations that are subject to both the GDPR and warrants made under the US CLOUD Act with a clear conflict of laws challenge that will not be easy to address. More broadly, certain of the views set out in this statement are likely to be a cause of concern for organisations in connection with their consideration of how to engage in transfers of personal data outside the EEA in compliance with the obligations under the GDPR, as construed by the EDPB.