How the US CLOUD Act Overturns and Impedes the GDPR
Published on 16 November 2018 | Author Thomas Köbrich
One of the objectives of the General Data Protection Regulation (GDPR) was to create legal certainty for companies. The same data protection standards now apply in every EU country, and US companies doing business in EU countries must also comply with the requirements of the GDPR. If, for example, a German company stores data on Irish servers of a US cloud provider, this data is subject to the GDPR and not to US law. However, this legal certainty may have been undermined.
While in the weeks before the GDPR came into force there were still extensive and often controversial discussions about the GDPR, the US Congress, largely unnoticed by the European public, passed the CLOUD Act, a law that obliges US companies to violate the GDPR.
The CLOUD Act (Clarifying Lawful Overseas Use of Data Act) is a US law which was approved by the US Congress in March 2018. The law obliges US cloud providers to allow US authorities access to stored data, even if this data is stored outside the USA. This makes it clear that applicable national law is not an obstacle to the disclosure of data. An American company with a server location in the European Union is therefore obliged to grant US authorities access to these servers, although this is prohibited by the GDPR. Under the GDPR, the transmission or disclosure of personal data held may only be carried out if this is based on an international agreement in force (e.g. an agreement on extradition and mutual legal assistance). There are corresponding legal assistance agreements between the United States and the EU. These are, however, very unpopular due to their long duration, which is why it is to be expected that US courts will increasingly resort to the CLOUD Act in the future.
In these cases, the provider is in a dilemma. Either they violate the GDPR by handing over the data if they comply with the orders of US courts, or they violate US law if they do not follow those orders. The provider cannot act with legal certainty and, in case of doubt, must weigh up the consequences for itself. In consideration of the fines of up to 4 percent of the worldwide group's annual turnover that the GDPR envisages, this consideration will not be very easy. Particularly critical: any company with a registered office in the USA is potentially regarded as a US provider, even if this is not its headquarters. The decisive factor here is that the US provider controls the data.
The trigger for the CLOUD Act was that US authorities had problems accessing the data stored on an Irish server of the e-mail service of a large US-American IT group. Before the CLOUD Act came into force, a search warrant issued by a US authority was only valid on US soil. Users and customers of US service providers may not learn anything about a data query under the CLOUD Act, as the authorities can also prohibit companies from informing the affected customers/users.
The CLOUD Act thus clearly opposes the principles of the GDPR and once more creates a great deal of uncertainty in the use of US cloud services.
The GDPR should create legal certainty. It is debatable whether the GDPR as a whole has succeeded in doing so. In many passages, there is still disagreement about possible interpretations among lawyers, data protection authorities and even among the politicians who helped draft the GDPR. This uncertainty for companies will become even more acute if one cannot even rely on GDPR compliance, since some services and providers affected by the GDPR do not comply with the regulation and are not even allowed to do so under US law. And customers of these companies are not even informed about access that is unauthorised according to the GDPR.
Moreover, after the end of Safe Harbour, the days of the Privacy Shield Agreement, which was supposed to regulate data storage on US servers, are probably also coming to an end.