Where it all Started
It all started with a U.S. investigation into a drug-trafficking case. Data on the criminal network was reportedly held in a user's Outlook account on Microsoft servers in Ireland. The U.S. Government issued a warrant requiring Microsoft to disclose the data in its possession, but the Redmond firm refused to comply on the grounds that the data was stored outside the United States. Microsoft faced a backlash over its refusal, with some even questioning its patriotism.
While the case was pending before the Supreme Court, the U.S. Congress settled the issue by enacting, on March 23, 2018, the "CLOUD Act" (Clarifying Lawful Overseas Use of Data Act), passed as a rider tacked onto an omnibus budget bill.
CLOUD ACT: WHAT DOES IT SAY?
The CLOUD Act amends the Stored Communications Act of 1986. Until then, obtaining data hosted outside U.S. territory meant going through a slow process: requests for international legal assistance based on bilateral treaties.
Now a warrant alone is enough to compel a U.S. company to produce such data, regardless of where the data is physically stored.
The CLOUD Act applies to any "United States person", a term defined very broadly which, for legal entities, covers a corporation incorporated in the United States, including its foreign subsidiaries.
Not surprisingly, the original proceedings against Microsoft Ireland were dropped and a fresh warrant was issued under the CLOUD Act, Microsoft having already announced publicly that the data would be handed over under this new framework.
CLOUD ACT: THE EUROPEAN RESPONSE
Besides preparing its own legislation on cross-border access to electronic evidence, the European Union, through its Digital Commissioner, voiced serious concerns about the hasty passage of the CLOUD Act.
As early as 2001, when the Patriot Act was signed into law giving the U.S. Government access to certain data in national security cases, Europeans feared data "leaks" to the United States. Those fears were later borne out by the Snowden revelations and the PRISM and Echelon programmes. With the CLOUD Act, handing data over to the U.S. justice system can now become routine in ordinary criminal cases, not just national security matters.
However, a processor or controller that complied too readily with a U.S. court order would expose itself to liability: Article 48 of the European General Data Protection Regulation (GDPR) provides that any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable if it is based on an international agreement, such as a mutual legal assistance treaty. Article 48 is "without prejudice to other grounds for transfer" under Chapter V, so the practical test is whether any other transfer basis could cover the disclosure; absent one, the transfer is unlawful. The problem is that no such international agreement exists (yet).
The protection of European citizens’ data would mean not entrusting their data to a company governed by American law
Driven by the GDPR and by data-sovereignty concerns, a number of EU cloud service providers (CSPs) now offer platforms that are not obliged to hand over EU data subjects' data under the CLOUD Act. That holds only if the provider has no U.S. parent or other U.S. establishment that would bring it within U.S. jurisdiction, so corporate ownership needs to be checked, not just the location of the data centre.
What are EU government bodies saying?
German Economics Minister Peter Altmaier plans to build up a German cloud service so that European companies can store data independently of Asian or U.S. rivals such as Amazon.com Inc.
Germany's central bank, the Bundesbank, has also recently warned the region's banking sector that moving data to the cloud will make the industry harder to supervise.
The question of who can access bank data in the cloud, and under what circumstances, must be set out clearly and restrictively. As a means in the fight against crime, the current U.S. administration signed into law an Act that in certain cases permits access to data held by a CSP without a court order. This can even apply to cases in which the data are stored outside the U.S.
Cloud service providers that build their platforms with local law and the GDPR in mind are a good place for EU businesses looking to move to the cloud to start their search.
At Relentless Privacy and Compliance we build GDPR compliance programs from the ground up, looking at risk from every angle. As Article 48 of the GDPR (reproduced below) makes clear, a judgement of a U.S. court or tribunal under the CLOUD Act can only be complied with if an international agreement, such as a mutual legal assistance treaty, is in force between the U.S. and the Union or a Member State.
Therefore, as GDPR guidance, we cannot say that a company moving to a U.S. CSP is secure or compliant with Article 48 of the GDPR. EU companies launching cloud migration projects should carry out a full Data Protection Impact Assessment (DPIA), and data sovereignty should be an integral part of it, including the ownership and place of incorporation of the provider and of every sub-processor in the chain.
Art. 48 GDPR Transfers or disclosures not authorised by Union law
Any judgement of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.