Where it all Started
It all started with a U.S. investigation into a drug-trafficking case. Data on the criminal network was reportedly held in a user's Outlook account on Microsoft servers in Ireland. The U.S. Government obtained a warrant requiring Microsoft to disclose data in its possession, but the Redmond firm refused to comply on the grounds that the data was located outside the United States. Microsoft faced backlash over its refusal, with some even questioning its patriotism.
While the case was pending before the Supreme Court, the U.S. Congress tackled the issue by enacting, on March 23, 2018, the "CLOUD Act" (Clarifying Lawful Overseas Use of Data Act), a rider tacked onto an omnibus budget bill.
CLOUD ACT: WHAT DOES IT SAY?
The CLOUD Act amends the Stored Communications Act of 1986 (SCA). Until then, obtaining communications data hosted outside U.S. territory involved a tedious process: requests for international legal assistance based on bilateral mutual legal assistance treaties (MLATs).
Now a warrant, subpoena or court order issued under the SCA is sufficient to compel a provider subject to U.S. jurisdiction to produce the requested data, regardless of where it is physically stored.
The obligation falls on any provider of an electronic communication or remote computing service that is subject to U.S. jurisdiction, and it reaches every record in that provider's "possession, custody or control". In practice this includes data held by the foreign subsidiaries of a U.S. corporation. (The Act's separate definition of a "United States person", covering U.S. citizens and residents and corporations incorporated in the United States, is used to decide whose data a foreign government may not target under a CLOUD Act executive agreement; it does not narrow what U.S. authorities themselves can demand.)
Not surprisingly, the Supreme Court dismissed the Microsoft Ireland case as moot and the government obtained a fresh warrant under the CLOUD Act, Microsoft having already publicly announced that the data would be handed over in accordance with the new framework.
CLOUD ACT: THE EUROPEAN RESPONSE
Beyond preparing its own piece of legislation, the European Union expressed, via its European Digital Commissioner, its serious concerns following the hasty passing of the CLOUD Act.
Already in 2001, when the Patriot Act, which gave the U.S. Government access to certain data in cases relating to national security, was signed into law, Europeans feared data "leaks" to the United States. The earlier ECHELON report and, later, the Snowden revelations about PRISM confirmed those fears. From now on, with the CLOUD Act, the transmission of data to the U.S. justice system can be systematised for ordinary criminal cases.
However, a processor or controller who responded too readily to a U.S. court order would incur liability, because Article 48 of the European General Data Protection Regulation (GDPR) provides that any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement. An EU-U.S. mutual legal assistance agreement does exist, but it covers government-to-government requests, not the direct orders to providers that the CLOUD Act enables; an agreement covering those does not exist (yet).
The protection of European citizens’ data would mean not entrusting their data to a company governed by American law
Under the strong influence of the GDPR and of the data sovereignty debate, a number of EU cloud service providers (CSPs) now offer cloud platforms that are under no obligation to hand over EU data subjects' data under the CLOUD Act.
What are EU government bodies saying?
German Economics Minister Peter Altmaier plans to build up a German cloud service to allow European companies to store data independent of Asian or U.S. rivals such as Amazon.com Inc.
Germany's central bank has also recently warned the region's banking sector that shifting data to the cloud will make the industry harder to monitor.
Swiss banking industry guidance describes the US CLOUD Act as the elephant in the room
The question of who can access bank data in the cloud, and under what circumstances, must be set out clearly and restrictively. As a means in the fight against crime, the current US administration signed into law an Act that in certain cases permits access to the data held by a CSP without a court order. This can even apply to cases in which the data are stored outside the US.
For EU businesses looking to move to the cloud, cloud service providers that build their platforms with local law and the GDPR in mind are a good place to start the search.
At Relentless Privacy and Compliance we build GDPR compliance programmes from the ground up, looking at risk from every angle. As the text below shows, Article 48 of the GDPR states that a judgement of a US court or tribunal issued under the CLOUD Act can only be complied with if an international agreement between the US and the Union or a Member State is in place.
Therefore, in giving GDPR guidance, we cannot say that a company moving to a US CSP is secure or complies with Article 48 of the GDPR. Cloud migration projects launched by EU companies should be preceded by a full data protection impact assessment (DPIA), and data sovereignty should be an integral part of that DPIA.
Any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.
Relentless Privacy and Compliance provides full GDPR services for organisations of all sizes, from startups to PLCs.
The Cloud Act
The US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) came into force in 2018, amending the US Stored Communications Act 1986 (SCA 1986) primarily to allow US law enforcement to demand (via warrant, subpoena or court order) data, including personal data, from US electronic communications and cloud service providers (together, "CSPs") to assist in investigations relating to serious crime and terrorism, even when that data is held in a third country.
Where it all began
The CLOUD Act represents the culmination of a series of attempts to amend SCA 1986, which came into force before cloud technology existed. The Bill originated following the case of United States v Microsoft Corp, 584 US ___ (2018), in which the US Government was granted a warrant directing Microsoft to disclose the contents of, and all other records associated with, a specified email account within its control. Microsoft produced the account records held in the United States but determined that the email content was stored in its data centre in Dublin, Ireland, and refused to hand it over.
The Congressional Findings in the CLOUD Act recognise that CSPs may face conflicts in providing the requested disclosure, due to the data protection laws of the country their servers are based in. The CLOUD Act therefore provides a procedure by which the CSP can apply to the court to have the request quashed or modified. However, such a motion can only be made if the data subject is not a US citizen or resident and if disclosure "would create a material risk" of violating the laws of a "qualifying foreign government", that is, one that has concluded a CLOUD Act executive agreement with the US. Where no such agreement exists, as is currently the case for the EU and its Member States, only the courts' general comity analysis remains. The threshold for a "material risk" is not clear. In any event, after weighing a list of specified factors balancing foreign and US Government interests, the court can still order that the data be provided, even if this would violate the law of the country in which the data is stored.
Let's clear up the confusion about the name "CLOUD Act"
The term CLOUD Act mistakenly suggests that it is only relevant to cloud services. In fact, the aim of the "Clarifying Lawful Overseas Use of Data Act", its full title, is to remove all boundaries so that it is irrelevant where the data is processed or stored: in the cloud, in a data centre outside the cloud, in the US or abroad. All that matters is that the data is in the possession, custody or control of a provider subject to US jurisdiction, which must then support the US authorities in their work, including criminal investigations.
Which companies are directly affected?
Those directly affected by the CLOUD Act include internet providers, IT service providers, and cloud providers based in the US, as well as their customers, i.e. European companies whose data is processed via an American service provider, possibly via the cloud.
While companies could previously argue that a court order for the release of data was only effective within the United States, they must now also hand over data stored abroad to the requesting US authorities. In addition, there is a danger that US authorities will not limit their data searches to companies based in the US, such as Microsoft, Google and Amazon (among others), but will extend their requests for information to any company as soon as they have found a connection to the US.
How far reaching is it
The history of the CLOUD Act suggests that the data in question is only personal data, which in itself is worrying enough given the particular importance of data protection in Europe. But the CLOUD Act allows US authorities access not only to data of US citizens stored in the EU, but also to all other data that a US company processes or has processed abroad.
This means that the personal data of EU citizens worth protecting is just as insecure as operational data or company data – from business details to trade secrets and intellectual property. The CLOUD Act thus collides with laws in Germany, such as the Unfair Competition Act, and with the European Union, above all the General Data Protection Regulation (GDPR).
The EU and USA Interpretation of Data Protection are far apart.
The fact that the US does not share Germany's and the European Union's ideas about data protection should not come as a surprise. There is a reason why the EU has never granted the United States a general adequacy decision under the GDPR. The latest developments confirm this once again: the CLOUD Act creates an immense contradiction with the GDPR that applies within Europe.

| | EU | USA |
|---|---|---|
| Where does the idea of data protection come from? | Data protection is based on the fundamental right to informational self-determination. | Data protection is anchored as part of consumer protection and thus part of commercial law. |
| Is there a universal legal basis? | Yes, the General Data Protection Regulation (GDPR). | No, but there are sector-specific laws (e.g. SCA, CLOUD Act). |
| Duties of companies | The rights and obligations of companies that process data and of those that commission such processing are comprehensively regulated by the GDPR. | Companies that process data and those that commission such processing should ensure the security of such data. |
| Rights of companies | | Companies can define their own level of data protection and set up self-binding rules (compliance). |
| Consequences of infringement | Violations of the GDPR may result in hefty fines and prohibition orders. | Violations of such compliance rules are treated as deceptive or unfair practices and punished under competition law. |
| Supervisory authority | Data protection authorities under Art. 51 GDPR check compliance with the GDPR. Companies must cooperate with the supervisory authorities. | Data protection supervision is carried out by the Federal Trade Commission, which is responsible for monitoring companies under competition and consumer protection law. |
| Encryption | Art. 32 GDPR recommends encryption or pseudonymisation of data. | The CLOUD Act does not prevent data storage or processing companies from being asked to support the decryption of data. |
Two months after the US enacted the CLOUD Act, the GDPR became applicable throughout the EU on 25 May 2018. The regulation governs the processing of personal data by private companies and public authorities. Its aim is to safeguard the fundamental rights and freedoms of natural persons, to protect personal data and at the same time to ensure the free movement of data within the EU.
Workarounds: are there any, and do they work?
What chance do companies and their customers, who are subject to both laws, have of avoiding this dilemma? On the part of the relevant US providers that store or process data, numerous solutions have already been proposed or tried out. So far, none of the attempts to circumvent the problem has been satisfactory.
If there is no way to avoid data access by US authorities, if the discrepancy between the European and American understanding of data protection cannot be eliminated, and if the contradiction between the GDPR and the CLOUD Act cannot be resolved by negotiation, what does this mean for companies in Germany and the EU? The following five typical scenarios illustrate the impact of the CLOUD Act in Germany and the corresponding recommended course of action.
1: Subsidiary of a US corporation
The simplest case is a company operating in Germany or the EU that is part of a US company's group structure. Here the CLOUD Act applies even without any data transfer to the USA: the parent company is subject to US law, and the data its subsidiaries hold is within its control. An objection is not possible, and protective measures such as encryption or a data trustee are ineffective, because the company that holds the keys or appoints the trustee is itself within reach of the order.
2: EU company with a subsidiary in the USA
For an EU-based company that has a subsidiary in the USA, and thus a data transfer to the USA, the GDPR could initially be invoked as an objection in the event of a data request by a US authority. In this scenario the corporate structure matters. For example, it is advisable to separate data within the group (where possible), which can reduce the US subsidiary's control over EU data. Whether this really helps in individual cases is unclear. The EU companies must also expect that the US authorities could threaten the US subsidiary with sanctions in order to increase the pressure on the parent company in the EU to grant access after all. If the parent then handed over personal data, it would be in violation of the GDPR and the incident would have to be reported to the supervisory authorities.
3: EU company with US service providers in the broader sense
The CLOUD Act does not only oblige companies to disclose their own data, but any data in their possession, custody or control. Consequently, scenarios 1 and 2 apply to any service provider contracted to store or process the data, whether or not that provider is itself a US company. For example, for a German or EU company that has its data processed by a hosting or cloud service provider with a "connection" to the USA, the CLOUD Act applies. Obligations and measures on the part of the service provider that are set out in a data processing contract under GDPR Article 28, and which serve to protect personal data, cannot override the CLOUD Act. All other business data is equally unprotected in a US-related cloud. In the event of a request by US authorities the service provider must comply; it should inform its customer of the third-party access in accordance with the processing contract, but note that US orders can be accompanied by a non-disclosure order under the SCA that prohibits the provider from notifying anyone, in which case the customer will not learn of the access.
4: Other uses of American cloud services
Even if a processing contract cannot release a cloud service provider from its obligation to provide data under the CLOUD Act, it is a signal that companies should, in the era of the CLOUD Act, take a closer look at their providers. But what about data services for which there is no processing contract at all? Anyone who believes that nothing of the sort happens in their company, and that all data, even remotely personal or otherwise sensitive, is safe, should check carefully which tools and programs they actually use:
- Is there a social media account with a relevant US provider in which new employees are introduced?
- Do teams use free sharing solutions from US providers to work together on projects?
- Does the company send marketing emails via US servers?
- Does the company use popular analytics programs from US providers for website visitors?
Any US service provider whose tool or platform companies use falls within the scope of the CLOUD Act. The question that users of cloud services must ask themselves is: how sensitive, mission-critical, or worth protecting is the data that organisations put in the cloud using such services?
5: Cloud solutions from the EU for the EU
The situation is just as clear for EU companies that choose a cloud provider based in the EU which does not store or process data anywhere other than in European data centres. Providers that are subject to German or EU law must act in accordance with the GDPR. If they are also free of any influence by, or "association" with, the USA or US service providers, there is no danger of their being obliged to disclose personal data under the CLOUD Act. If a European cloud service provider is acquired by a US company, it falls directly within the scope of the CLOUD Act. In that case the cloud provider would have to inform its customers at an early stage and offer them the opportunity to export and delete their data.
What about non-personal data?
The CLOUD Act also applies to non-personal data. It must therefore be clear that IoT measurement and telemetry data, raw data for big data analysis, data in merchandise management and ERP systems, and even data representing protected intellectual property can be viewed by US authorities. European cloud servers are therefore also the recommended storage location for other corporate data, in order to protect it from access by US authorities.
Conclusion and Roundup
Unfortunately, because the GDPR and the CLOUD Act are so fundamentally incompatible, even the best arrangements offer only limited security. The mood remains dark, and for local companies it is unclear what will really happen if the worst comes to the worst. For cloud users and cloud service providers, many questions remain:
- Should we trust the self-imposed data protection rules of, for example, Microsoft, Google and others?
- Are we prepared to submit to a data query by the US authorities?
- What would an obligation to disclose our data mean for us and our customers from an economic point of view?
Ultimately, each company must think carefully about which provider it wants to entrust with what data. Cloud providers and IT service providers from the EU that have no US connection currently offer the best protection against CLOUD Act requests and can be operated in compliance with the GDPR. Especially since one can never know when the next threatening storm will brew in the USA.
Is there any compatibility with the CLOUD Act?
As far as facilitating prosecutions on both sides of the Atlantic is concerned, it remains to be seen where the road leads. After all, the European Commission is also endeavouring to regulate the release of data for criminal prosecution by law. In addition to an E-Evidence Regulation, which advocates requesting electronic evidence (including user and content data) directly from data processing service providers in order to speed up investigations, there is also a paper setting out the arguments in favour of an agreement with the USA on the CLOUD Act.
Better to play it safe
Those who want to take their data quickly out of danger should rely on an experienced GDPR-compliant service provider from Germany or the EU, one that processes their data according to the current highest data protection and data security standards and that will continue to support this in the future.
Is all data in Europe safe from the prying eyes of EU governments?
Not entirely: three EU member states have recently passed laws of their own.
In the Netherlands, the lower house approved a bill that allows the police to hack suspects in a criminal case. It is called Computer Crime III and, in its original form, gave the police the power to exploit software vulnerabilities of which the developers were unaware (zero-day vulnerabilities). This divided lawmakers and ultimately the
The French government imitates the PRISM project with its expansive electronic surveillance networks, reports Le Monde. The newspaper found that French intelligence collected massive amounts of data and stored it on its own servers. The data included telephone records (the identities of the participants, place, date, duration and size of the message), email metadata, and all internet activity passing through Google, Microsoft, Apple and Yahoo.
In the UK, the law to watch is the Investigatory Powers Act. It allows the government to access and store data on everyone in the country, including browser history, phone records and messages. The government issued a restriction that justifies intrusions only in cases of "serious crime"; however, it defined "serious crime" as any offence punishable by six months in prison and any crime that involves sending a communication.
Our recommendation at this moment in time is to find a CSP based in Germany for maximum protection.
Relentless Privacy and Compliance Services provides expert advisory services for global data protection. Are you an EU business? Do you have questions about where your data sits? Contact us to find out how we can advise on the best CSP solution for your organisation's data.