In April 2019, the United States’ (U.S.) Department of Justice (D.O.J.) published a White Paper on the « Clarifying Lawful Overseas Use of Data Act », or « CLOUD Act ». The document, titled « Promoting Public Safety, Privacy, and the Rule of Law around the World: The Purpose and Impact of the CLOUD Act » aims to answer some of the more frequently asked questions on the CLOUD Act.

On April 5th, 2019, the Deputy Assistant Attorney General delivered remarks on the White Paper, in a speech called « Prospects for Transatlantic Cooperation on the Transfer of Electronic Evidence to Promote Public Safety ». In his speech, he expands on the objectives of the CLOUD Act and what can be expected from it in the future.

On a practical level, what impacts will the CLOUD Act have on providers? What can we learn from these documents?

The extraterritoriality of U.S.’s jurisdiction in question

The first part of the CLOUD Act introduces an amendment to the Stored Communications Act. In summary, it states that electronic communication service providers subject to U.S.’s jurisdiction must disclose data that is responsive to valid U.S. legal process, regardless of where the data is stored.

In his remarks, the Deputy Assistant Attorney General indicates that this is actually “a long-held legal principle”. He goes on to explain that the CLOUD Act merely codifies “what had been the long-standing practice in the United States until a single 2016 decision by a court of appeals in a case involving Microsoft”. In said case, which we analysed in a previous article, Microsoft refused to transmit data to U.S. authorities. The company argued that as it was stored outside of the U.S., it fell outside of its jurisdiction.

In its White Paper, the D.O.J. indicates that the amendment constitutes a simple “clarification”, needed to ensure that the U.S. complies with the Convention on Cybercrime of the Council of Europe of 2001 (CETS No. 185), or “the Budapest Convention”. The Deputy Assistant Attorney General’s argument is based on Article 18(1)(a) of the Convention. This Article requires parties to the Convention to adopt laws ensuring their competent authorities can compel providers in their territory to disclose electronic data in their “possession or control”.

The Deputy Assistant Attorney General argues that this “leaves no exception for data that the provider may choose to store elsewhere”. However, it must be noted that the Convention does not explicitly state that the aforementioned laws should include data stored outside of the party’s territory either.

How to reconcile the CLOUD Act and the GDPR?

In the Microsoft case mentioned above, concerns were raised about this rule of extraterritoriality and the potential conflicts it could create with the General Data Protection Regulation (GDPR).

Under the GDPR, data controllers may only transfer personal data from the European Union to a third-party country or organisation that benefits from an adequacy decision from the European Commission, if certain safeguards surround said transfer, or if the transfer falls under certain exceptions. The conditions under which data transfers may lawfully happen are laid out in Chapter V of the GDPR (articles 44 through 50).

As a rule, the GDPR does not make a general exception for transfers required by a judicial or administrative authority outside of the E.U. Article 48 of the GDPR specifically states that “any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement […] without prejudice to other grounds for transfer pursuant to this Chapter”.

If a service provider receives a request from a U.S. agency to disclose data relating to one of its users that is located in the E.U., transmitting that data to the U.S. agency would constitute a transfer. Given the specific circumstances and the absence of an international agreement, it does not seem likely that one of the safeguards listed in the GDPR could apply. One exception, laid out in Article 49(1)(d) of the GDPR, may apply in such a scenario: the transfer may take place without an adequacy decision or one of the appropriate safeguards if it “is necessary for important reasons of public interest”.

However, the European Data Protection Board (EDPB), in its Guidelines 2/2018 on derogations of Article 49 under GDPR, indicated that this exception could not be used broadly to justify all transfers required by a judicial or administrative authority. The EDPB indicated that, for that exception to apply, “it is not sufficient that the data transfer is requested […] for an investigation which serves a public interest of a third country which, in an abstract sense, also exists in E.U. or Member state law”. The EDPB adds that “the derogation only applies when it can also be deduced from E.U. law or the law of the member state to which the controller is subject that such data transfers are allowed for important public interest purposes including in the spirit of reciprocity for international cooperation”.

Without an “international agreement” between the U.S. and the E.U. to ensure the lawfulness of the transfers, providers could find themselves torn between two conflicting legislations. Each transfer would thus require a careful case-by-case analysis to identify the adequate safeguard or derogation.

The CLOUD Act, “a model for international cooperation”

The second part of the CLOUD Act enables the U.S. government to conclude “executive agreements” with other countries. These bilateral agreements, which we explored in a previous article, would simplify the process for gathering electronic evidence from providers established in the other party’s territory.

Usually, when law enforcement agencies from one country require evidence from entities in another country, they need to make a “mutual legal assistance” (or MLT) request to their counterpart in that country, asking them to collect the needed evidence and communicate it. However, according to the Deputy Assistant Attorney General, this system has faced criticism for being too complex and lengthy, especially regarding electronic evidence.

An executive agreement would “facilitate the ability of foreign partners to get electronic evidence”. To summarise, through such an agreement, the U.S. and its foreign partner would:

  • agree to resolve any conflict of law: the parties would agree that the laws and processes of both countries could apply to providers established in their territory.
  • be able to directly order providers established in the other country to communicate electronic evidence. Each party could “apply its own requirements for compulsory orders in accordance with the rule of law”.

The Deputy Assistant Attorney General’s opinion is that “the Cloud Act should be embraced as a model for international cooperation”. For him, “it offers a sorely needed step towards resolving a near-universal challenge”. Furthermore, he indicated that the CLOUD Act would mainly benefit the U.S. partners, as “the United States receives far more requests for electronic data from other countries than it sends to them” and it was “the practical impediments faced by countries outside the United States […] that fuelled the calls for legislative action”.

The Deputy Assistant Attorney General goes on to criticise the E-Evidence draft put forward by the European Union. He considers that the proposed bill is “one-directional”, and “appears to expand jurisdiction over providers outside of the EU”, whereas the CLOUD Act would not “expand jurisdiction over any additional provider”.

An uncertain future for the transmission of electronic evidence

In theory, the conclusion of executive agreements could bring many benefits to law enforcement agencies, considering the number of U.S.-based global electronic communications providers. However, the actual impact of the executive agreements cannot be predicted, as it is highly dependent on the scope negotiated in each agreement.

In the White Paper, the D.O.J. indicates that it would systematically restrict the agreement so that foreign government orders “may not intentionally target data of U.S. persons or persons located in the United States”. The reverse may not be true in each agreement: the D.O.J. states that foreign countries are simply free to seek the same restriction during negotiations.

Furthermore, the scope of each agreement is subject to negotiations. The base limitation set by the U.S. is that such agreement could only concern “the prevention, detection, investigation or prosecution of serious crime, including terrorism”, and “may not be used to infringe upon freedom of speech”. What constitutes a “serious crime” and what may “infringe upon freedom of speech” remains to be defined and may raise some difficulties, as the scope of those notions may vary broadly between the U.S. and its potential foreign partner.

Finally, it must be noted that the CLOUD Act does not impose any new obligation for U.S.-based entities to comply with a foreign government order. Furthermore, it does not implement within the U.S. a mechanism to enforce foreign government orders. To summarize, should a U.S.-based entity refuse to comply with an otherwise valid foreign government order, the U.S. would not, by default, offer a recourse to foreign governments.

If you have questions on the impacts of the CLOUD Act on your contracts, please feel free to contact Mathias Avocats.