The CLOUD Act and its consequences
Earlier this year, the Clarifying Lawful Overseas Use of Data (CLOUD) Act entered into force. It amended the Stored Communications Act (SCA), which already allowed United States federal law enforcement to compel, by warrant, the disclosure of data that U.S. technology companies store on U.S. soil. As a result of the CLOUD Act, U.S. authorities can now also request data that these U.S. companies store overseas. What are the consequences of the CLOUD Act for European and U.S. companies? What should they do, for example, when they receive a warrant or subpoena for data that is stored in the European Union?
Before we assess the consequences of the CLOUD Act for U.S. and EU companies, we take a brief look at the cause and essence of the Act.
The cause of the CLOUD Act: Microsoft vs. The U.S.
In the Microsoft Corp. v. United States case, the Federal Bureau of Investigation (FBI) requested from Microsoft data concerning suspects in a drug trafficking investigation. Microsoft handed over the data that was stored in the U.S., but refused to hand over the data (e-mails) that was stored on its Irish servers. Microsoft argued that the SCA did not apply to data stored outside the United States. The matter ended up before the Supreme Court. Before the Court could rule, the CLOUD Act was passed quite suddenly as part of an ‘omnibus’ spending bill. Its enactment made the pending decision of the Supreme Court moot: the case was never decided on the merits.
The CLOUD Act
As previously stated, the CLOUD Act amends the SCA so that authorities can request overseas data as well, under certain circumstances. This is possible when a technology company is subject to U.S. jurisdiction and has ‘possession, custody, or control’ over information regarding a customer, regardless of where that information is stored. For content data the authorities need a search warrant from a U.S. judge, which is granted when there is ‘probable cause’ that the information constitutes evidence in an ongoing investigation.
The company that receives the warrant has a limited chance to challenge it under the CLOUD Act. The Act provides for a ‘motion to quash or modify’ the legal process if the company believes that (1) the customer whose information is being requested is not a U.S. person and does not reside in the U.S., and (2) the required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government. A country qualifies once it has entered into an executive agreement on mutual data sharing with the U.S.; such an agreement also allows that country to request data stored in the U.S. At the time of writing, the U.S. has not concluded any executive agreement. Therefore, it is currently not possible to file a motion to quash or modify on this ground.
And even once it becomes possible to file a motion to quash or modify, it remains to be seen whether such a motion will succeed. The CLOUD Act lists the factors a judge must weigh when assessing the motion, including ‘the interests of the United States’ and ‘the importance of the information to the investigation’. This leaves a judge a lot of discretion to deny the motion.
Conflict with the GDPR
A successful motion to quash or modify also requires ‘a material risk that the provider would violate the laws of a qualifying foreign government’. In the European Union, complying with a U.S. court order may constitute a violation of the General Data Protection Regulation (‘GDPR’). In its brief to the Supreme Court as amicus curiae (a third party providing information to the Court) in the Microsoft case, the European Commission (‘EC’) explained the legal framework for transfers of personal data outside the EU under the GDPR.
First, the Commission made clear that the GDPR likewise requires an international agreement (such as a mutual legal assistance treaty) before a foreign court order can serve as a basis for a transfer. Besides such an agreement, transfers of personal data are subject to several additional conditions; for example, the transfer must be surrounded by suitable safeguards. The Commission did not take a stance on whether the SCA (and thus the CLOUD Act) provides suitable safeguards, but left that assessment to the U.S. Supreme Court.
The absence of executive agreements under the CLOUD Act therefore not only prevents providers from filing a motion to quash or modify, but may also cause providers to violate EU law if they comply with a U.S. court order. If such agreements are concluded at some point, the question remains whether the CLOUD Act provides ‘suitable safeguards’, and thus whether a transfer under it still violates EU law.
For the time being, another possibility to challenge a compelled disclosure of personal data stored overseas may lie in the ‘common law comity principles’. Under these principles a company does not have to meet a U.S. legal obligation if (1) it acts in good faith, and (2) meeting the obligation would expose it to a serious risk of sanctions under the law of a foreign country. Although compliance would at present very likely breach EU law, it is still uncertain whether a challenge on these grounds would succeed.
U.S. companies or companies with subsidiaries in the U.S.: what to do?
Now for a more practical look at the CLOUD Act: what should you do when a U.S. authority demands that you disclose personal data stored in the EU? First of all, we distinguish between companies whose subsidiary is located in the U.S. and companies whose parent company is located in the U.S.
If you have a subsidiary in the U.S., you have less reason for concern. To protect the privacy of your (European) customers, make sure that your subsidiary has no possession, custody or control over the data that is stored in the EU; without such control, the CLOUD Act gives the U.S. authorities no hold on that data through the subsidiary. Bear in mind, however, that whether ‘control’ exists is decided by U.S. courts, which have generally read the term broadly (the practical ability to obtain the data, not only physical storage), so organisational and technical separation must be real, not merely on paper.
The situation is more complicated if your parent company is located in the U.S. If the parent company itself stores data in the EU, the CLOUD Act obviously applies to that data. But even if one of its subsidiaries stores the data in the EU, the parent company may have to comply with a disclosure request: a parent company has control over its subsidiaries, and thus over their data as well. As established above, a motion to quash or modify only becomes available once an executive agreement has been concluded with the country in which the personal data is stored, and no such agreement exists yet. For the moment, the only way to challenge a court order is therefore under the ‘common law comity principles’.
Although the chances of succeeding under these principles are still unknown, there are probably enough lawyers willing to represent your company on a no-cure-no-pay basis in a unique case like this.