Under the legislation, US law enforcement agencies may ask a US court to issue a warrant for data held by providers of electronic communication services or so-called remote computing services, regardless of whether the information, data or communication is physically located in the US or not (the "rule"). This stems from § 2713 (18 U.S.C. § 2713, as inserted by the CLOUD Act):
Required preservation and disclosure of communications and records
"A provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider's possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States."
The rule is primarily applicable to US companies, but the interpretation that it also applies to EU companies (much as the GDPR may apply to US companies) cannot be excluded. This is because the exception in the CLOUD Act provides that the rule shall not apply where disclosure would violate the law of a foreign country with which the US has a bilateral agreement, and that exception is available only where the customer is not a US person and does not reside in the US. It therefore seems that the rule is meant to apply in full only to US citizens and residents. In this context an interesting question arises:
Is provision of data based on the CLOUD Act compliant with the GDPR?
EU institutions were naturally not pleased with the CLOUD Act. On 10 July 2019 the European Data Protection Board ("EDPB") and the European Data Protection Supervisor ("EDPS") issued a preliminary opinion containing a legal analysis. In its introduction the EDPB and EDPS (correctly) state that with the CLOUD Act the US Congress attempts to bypass the Mutual Legal Assistance Treaty concluded between the EU and the US, because that treaty requires an approval procedure before national judicial bodies to allow access to data and does not foresee direct communication between US authorities and European companies. The procedure under the treaty is often long and inefficient, and may not result in the provision of data at all.
According to the opinion, there are two options under the GDPR to be assessed. The first is to rely on a legal ground in Article 6 of the GDPR (determined by the controller providing the data) together with Article 48 of the GDPR (enforceability of foreign decisions). The second is to rely on a legal ground in Article 6 of the GDPR together with Article 49 of the GDPR (derogations for cross-border transfers in specific situations).
The answer seems to be no. Article 48 of the GDPR presumes that a foreign judicial decision can be enforceable in the EU only on the basis of an international agreement (for example the Mutual Legal Assistance Treaty), and no such agreement exists in relation to the CLOUD Act. It has to be noted, though, that under Article 48 of the GDPR such an agreement may also exist between the US and an individual EU member state. The opinion quotes the amicus curiae brief of the EU Commission in the case United States v. Microsoft Corporation:
"Article 48 makes clear that a foreign court order does not, as such, make a transfer lawful under the GDPR."
Without deeper analysis we are not able to answer whether the extradition treaties concluded between individual member states (e.g. the United Kingdom) and the US qualify as international agreements under Article 48, or what other national laws might affect the legal basis of such processing. These issues are, naturally, not addressed in the opinion. However, from the point of view of EU law there is currently no valid agreement legitimizing a transfer of data based solely on a warrant issued by US bodies under the CLOUD Act. According to the opinion, a company wishing to transfer data on the basis of the CLOUD Act must therefore: (i) have a legal ground under Article 6 of the GDPR, and (ii) satisfy one of the derogations for cross-border transfers under Article 49 of the GDPR.
Four legal grounds based on Article 6 of the GDPR are discussed in the opinion:
compliance with a legal obligation according to Article 6 (1) (c) of the GDPR;
protection of the vital interests of the data subject or another natural person according to Article 6 (1) (d) of the GDPR;
performance of a task carried out in the public interest according to Article 6 (1) (e) of the GDPR; and
legitimate interests according to Article 6 (1) (f) of the GDPR.
Based on the discussion in the opinion, the legal ground of a legal obligation would be applicable only if an international agreement within the meaning of Article 48 of the GDPR existed. The EU Commission has presented a similar view. The legal ground of protection of vital interests is suitable only in exceptional circumstances (e.g. the kidnapping of a child) and should not be relied on in general, as a more suitable route exists (conclusion of an international agreement). Public interest is also off the table, as the opinion states that what is at stake is the public interest of a third country and not of the EU or a member state. As to legitimate interests, the EDPB and EDPS argue that the controller's legitimate interest does not override the rights, freedoms and interests of the data subjects.
On the current interpretation of Union law this means that, absent an international agreement between the United States and the EU, a company subject to the GDPR should not comply with a warrant based on the CLOUD Act, because the legal ground under Article 6 (1) (c) of the GDPR does not exist.
The following derogations under Article 49 of the GDPR are discussed in the opinion:
important reasons of public interest according to Article 49 (1) (d) of the GDPR;
establishment, exercise or defense of legal claims according to Article 49 (1) (e) of the GDPR;
protection the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent according to Article 49 (1) (f) of the GDPR; and
compelling legitimate interests according to the second subparagraph of Article 49 (1) of the GDPR.
Based on the opinion, only two of the aforementioned derogations merit practical consideration. When relying on the establishment, exercise or defense of legal claims, a close link between the proceedings and the personal data is required, and the derogation cannot be used for the mere possibility of potential future proceedings. That leaves, in theory, only the regime of Article 49 (1) (f) of the GDPR: "the transfer is necessary to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent." However, this derogation is usable only in exceptional, specific circumstances and not in general. The other derogations are not applicable for reasons similar to those concerning their respective counterparts in Article 6 of the GDPR, bearing in mind that the derogations under Article 49 of the GDPR demand an even higher standard of protection because they concern cross-border transfers.
It seems that, from the perspective of EU law, there is only limited room to comply with a warrant based on the CLOUD Act in a manner compatible with the GDPR. That room is confined to such exceptional situations that compliance is, in general, practically excluded. The situation might change, however, if the bilateral agreement between the EU and the US that is currently under negotiation is concluded.
As we know from practice, the applicability of the GDPR itself is a problematic issue. Given group-structured companies, cross-border transfers and the extraterritorial reach of the CLOUD Act, it is a given that warrants based on this act will cause interpretation issues for companies. Last but not least, it is necessary to take into account the specifics of the different EU national laws that are not dealt with in the opinion.
Therefore, companies with a presence in both the EU and the US should:
Identify how the CLOUD Act and the GDPR apply to their business (e.g. what data is potentially at stake);
Identify international agreements between EU member states and the US, and other EU national laws, that might change the conclusions in the opinion; and subsequently
Consider changing existing processes in order to minimize the impact of CLOUD Act warrants on the organization and on data subjects’ rights and freedoms.
Any of us can fall victim to a hacker attack. However, fulfilling the remediation, notification and documentation obligations under the GDPR does not mean the end of the case itself. What usually follows is the establishment of liability. Although the courts will work with classic legal instruments during this process, their application may be complicated by a regulation that is still relatively new for the courts: the GDPR. In a series of blogs we will follow Case C-340/21 before the CJEU, which may develop this area further.
Two entirely basic questions that every business had to deal with when preparing for the GDPR are: (i) "what is my role in the processing of personal data?" and, at the same time, (ii) "what is the role of my business partners or suppliers?".