Scholars and practitioners on both sides of the Atlantic have been questioning the compatibility of the US Clarifying Lawful Overseas Use of Data (CLOUD) Act¹ with the European Union's General Data Protection Regulation (GDPR)² since the former was enacted in March 2018.³ In particular, European authorities and commentators have expressed concern over the legality of one of the Cloud Act’s key provisions.⁴ The Act allows US authorities, law enforcement agencies, and intelligence agencies to acquire data from the operators of cloud computing services “regardless of whether such communication, record, or other information is located within or outside of the United States.”⁵ On the other hand, the GDPR makes it unlawful for a controller or processor to transfer data unless the transfer is made subject to certain conditions.⁶ It was not surprising, therefore, when the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) issued their Initial Legal Assessment of the Impact of the US CLOUD Act on the EU Legal Framework for the Protection of Personal Data.⁷ The Assessment stated that the discretion afforded by the Cloud Act to the U.S. Department of Justice contrasts with several of the GDPR’s provisions.⁸

First, Recital 115 explicitly states that the extraterritorial application of third countries’ laws regulating data transfer could be in breach of international law and constitute an obstacle to the protection of individuals ensured by the GDPR.⁹ Further, Article 48 provides that any order from a non-EU judicial or administrative authority requiring the transfer of personal data to a third country must be based on an international agreement (such as a mutual legal assistance treaty) to be valid.¹⁰ Hence, a request for the production of electronic documents by itself does not constitute a sufficient legal basis for authorizing the transfer of data. Such a simplified procedure arguably lacks the fundamental, substantive, and procedural warranties that are guaranteed by international cooperation agreements.¹¹

Second, any international transfer of data is only lawful under certain circumstances that are laid out in Article 6(1).¹² As confirmed by the EDPB and EDPS’s joint assessment, most of these bases are not compatible with the CLOUD Act.¹³ In particular, some of these bases must be grounded in EU or Member State law.¹⁴ Additionally, a request based on Art. 6(1)(f) would be unlawful because “legitimate interest” alone is not sufficient to guarantee compliance with the protections afforded to data subjects by the GDPR.¹⁵ The only valid legal ground for purposes of the CLOUD Act is where the processing is necessary “to protect the vital interests” of an individual.¹⁶ However, such a basis can cover only exceptional circumstances: for example, a request for access to personal data related to the abduction of a minor. Finally, the joint assessment also confirmed that most derogations for transfers under Article 49 are not sufficient for purposes of the CLOUD Act.¹⁷

It seems clear that requests for data transfers governed by the CLOUD Act lack the guarantees required by the GDPR.¹⁸ Therefore, US companies, as well as their EU subsidiaries, are at an impasse: running the risk of violating the GDPR or exposing themselves to US sanctions.¹⁹ Hence, the EU and the US should enter into negotiations for a new international agreement that would allow US authorities to effectively protect public safety, without undermining the procedural safeguards of the GDPR.²⁰

Giulia La Scala is a staff member of Fordham International Law Journal Volume XLIII.

This is a student blog post and in no way represents the views of the Fordham International Law Journal.

1 Clarifying Lawful Overseas Use of Data (CLOUD) Act, 18 U.S.C. § 2703 (2019). The CLOUD Act provides trans-border access to communications data in criminal law enforcement investigations. The bill originated with the Supreme Court case United States v. Microsoft Corp., 138 S. Ct. 1186 (2018), concerning whether law enforcement could access communications content stored in Ireland under current U.S. law. Ahead of a decision, the CLOUD Act passed Congress and was signed into law by President Trump on March 23, 2018, mooting the case. Id. at 1187-88.

2 Regulation 2016/679, of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), 2016 O.J. (L 119) 59 [hereinafter GDPR].

3 See, e.g., Jonathan I. Blackman et al., CLOUD Act Establishes Framework to Access Overseas Stored Electronic Communications, 30 Intell. Prop. & Tech. J. 10, 14 (2018); Frederick T. Davis & Anna R. Gressel, Storm Clouds or Silver Linings? The Impact of the U.S. CLOUD Act, 45 Litig. J. 47, 51-52 (2018); Bart W. Huffman et al., Potential conflict and harmony between GDPR and the CLOUD Act, Reed Smith: Perspectives (June 14, 2018), https://www.reedsmith.com/en /perspectives/2018/06/potential-conflict-and-harmony-between-gdpr-and-the-cloud-act.

4 See, e.g., Council of Bars and Law Societies of Europe Assessment of the U.S. CLOUD Act, at 3-4 (Feb. 28, 2019), https://www.ccbe.eu/fileadmin/speciality_distribution/public/documents/SURVEILLANCE/ SVL_Position_papers/EN_SVL_20190228_CCBE-Assessment-of-the-U-S-CLOUD-Act.pdf; Leigh Thomas, France recruits Dassault Systemes, OVH for alternative to U.S. cloud firms, Reuters (Oct. 3, 2019), https://uk.reuters.com/ article/uk-france-dataprotection/france-recruits-dassault-systemes-ovh-for-alternative-to-u-s-cloud-firms-idUKKBN1WI15J; Janosch Delcker, German watchdog says Amazon cloud vulnerable to US snooping, Politico (Apr. 4, 2019, 4:40 PM), https://www.politico.eu/article/german-privacy-watchdog-says-amazon-cloud-vulnerable-to-us-snooping/. National organizations also criticized the provision. See, e.g., Camille Fischer, The CLOUD Act: A Dangerous Expansion of Police Snooping on Cross-Border Data, Electronic Frontier Foundation (Feb. 8, 2018), https://www.eff.org/it/deeplinks/ 2018/02/cloud-act-dangerous-expansion-police-snooping-cross-border-data.

5 CLOUD Act §3(a)(1).

6 GDPR arts. 44-49.

7 European Data Protection Supervisor & European Data Protection Board Initial legal assessment of the impact of the US CLOUD Act on the EU legal framework for the protection of personal data and the negotiations of an EU-US Agreement on cross-border access to electronic evidence, (Jul. 10 2019), https://edpb.europa.eu/sites/ edpb/files/files/file2/edpb_edps_joint_response_us_cloudact_annex.pdf [hereinafter EDPS & EDPB]. The EDPB is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. The EDPS is the European Union’s independent data protection authority. See European Data Protection Board, https://edpb.europa.eu (last visited Nov. 8, 2019); European Data Protection Supervisor,https://edps.europa.eu (last visited Nov. 8, 2019).

8 See EDPS & EDPB, supra note 7, at 2; Kristof Van Quathem & Nicholas Shepherd, European Data Protection Board Issues Opinion on U.S. CLOUD Act, Inside Privacy (July 23, 2019), https://www.insideprivacy.com/data-privacy/european-data-protection-board-issues-opinion-on-u-s-cloud-act/.

9 GDPR recital 115.

10 Id. art. 48.

11 See EDPS & EDPB, supra note 7, at 3.

12 GDPR art. 6(1).

13 See EDPS & EDPB, supra note 7, at 4-6; Van Quathem & Shepherd, supra note 8.

14 GDPR art. 6(3) (concerning processing necessary to comply with a legal obligation or necessary to perform a task in the public interest or in the exercise of an official authority).

15 See EDPS & EDPB, supra note 7, at 5; Van Quathem & Shepherd, supra note 8.

16 GDPR art. 6(1)(d).

17 These derogations must either be grounded in EU or Member State law or would be inappropriate for certain types of court orders under the CLOUD Act. See EDPS & EDPB, supra note 7, at 6-7; Van Quathem & Shepherd, supra note 8.

18 See EDPS & EDPB, supra note 7, at 8.

19 See Matthias Artzt & Walter Delacruz, How to Comply with Both the GDPR and the CLOUD Act, The Privacy Advisor (Jan. 29, 2019), https://iapp.org/news/a/questions-to-ask-for-compliance-with-the-eu-gdpr-and-the-u-s-cloud-act/; John DiGiacomo, Cloud Act Compliance & Relationship to GDPR, Revision Legal (Sept. 30, 2019), https://revisionlegal.com/internet-law/cloud-act-compliance-relationship-to-gdpr/.

20 On 5 February 2019, the Commission adopted a Recommendation for a Council Decision to authorize the opening of negotiations in view of an international agreement between the EU and the US on cross-border access to electronic evidence. On 6 June 2019, the Council adopted the Decision authorizing the opening of these negotiations. EDPS & EDPB, supra note 7, at 9.