In this article, first published on Lexis®PSL, Robert Bond, partner, and Fiona Campbell, associate at Bristows LLP discuss the repercussions of the US Clarifying Lawful Overseas Use of Data Act 2018 (CLOUD Act) on UK service and cloud providers. Bond and Campbell consider the action UK-based businesses need to take to ensure they comply with data protection laws in the relevant jurisdictions—the US, EU and UK.

What is the background to and purpose of the US CLOUD Act?

The US (CLOUD) Act came into force in 2018, amending the US Stored Communications Act 1986 (SCA 1986) primarily for the purpose of allowing US law enforcement to demand (via warrant or subpoena) personal data from US electronic communications and cloud service providers (together, ‘CSPs’), to assist in investigations relating to serious crime and terrorism, even when that data is held in a third country.

The CLOUD Act represents the culmination of a series of attempts to amend SCA 1986, which came into force before cloud technology existed. The Bill originated following the case of United States v Microsoft Corp 548 US (2018), in which the Federal Bureau of Investigation (FBI) was granted a warrant directing Microsoft to disclose to the US Government the contents of, and all other records associated with, a specified email account within its control. Microsoft determined that the requested data was all stored in its datacentre in Dublin, Ireland and refused to comply with the request.

The Congressional Findings in the CLOUD Act recognise that CSPs may face conflicts in providing the requested disclosure, due to the data protection laws of the country their servers are based in. The CLOUD Act therefore provides a procedure by which the CSP can apply to the court to have the request either quashed or modified. However, such a request can only be made if the data subject is not a US citizen or resident and also if disclosure ‘would create a material risk’ of violating the laws of the third country. The threshold for a ‘material risk’ is not clear. In any event, after considering a list of specified factors balancing foreign and US Government interests, the court can still order that the data be provided, even if this would violate the law of the country in which the data is stored.

A further hurdle to pass is that for the quashing request to be valid the third country must be a ‘qualifying foreign government’, which means it needs to have an ‘executive agreement’ in place with the US. Before such an agreement can be made, the Attorney General must certify to Congress that the third country:

• has sufficient protection for data, privacy and civil rights
• upholds the rule of law
• has adequate substantive and procedural laws on cybercrime and electronic evidence

In return for US access to data stored abroad, the executive agreement introduces a fast-track system (bypassing the slower mutual legal assistance treaty regime), which allows the third country, for its own serious crime and terrorism investigations, to side-step US data privacy laws in a similar way, and to request data without further assessment of the request by US courts.

No countries have yet signed an executive agreement, so it is not currently possible to seek a quashing or amending order.

To what extent does the CLOUD Act align with UK/EU laws and legislative initiatives?

Article 48 of the General Data Protection Regulation (EU) 2016/679 (GDPR) states that any judgment of a court—or any decision of an administrative authority of a third country (including the US) requiring a controller or processor to transfer or disclose personal data—may only be enforceable if it is based on an international agreement in force between the requesting third country and the EU or a Member State. This could lead to a direct clash with the CLOUD Act, which states that data from the EU will need to be transferred to US law enforcement if it belongs to a US headquartered CSP controller, regardless of any agreements that may or may not be in place. The procedure for requesting a quashing or modification will only assist so far in overcoming this clash.

What are the implications for US-based CSPs with operations in Europe?

To some extent, the CLOUD Act provides clarity for US-based CSPs with operations in Europe, as it is now clear that they should provide requested data to US law enforcement unless to do so would be breaching the local domestic law of a qualifying government, in which case they should apply for the warrant to be quashed or modified.

However, it could also cause difficulty for the CSP if it faces a situation where the third country is not a qualifying foreign government but transfer of the data would breach the GDPR, or where a court refuses to quash or modify a warrant. It remains to be seen how the court will deal with scenarios where the CSP will be penalised whether it does provide the data (under the GDPR) or does not provide the data (under the CLOUD Act).
What are the implications for UK-based service and cloud providers?

The CLOUD Act might be good news for UK-based CSPs. If companies in the EU are concerned that US-based cloud providers will disclose their data to the US authorities, they might instead seek cloud providers in alternative jurisdictions—particularly in the EU and the UK.

How has the legislation been received by the EU? In its response to a parliamentary question on the impact of the CLOUD Act, the European Commission stated that it is aware of the potential impact on fundamental rights ‘such as the protection of privacy of individuals concerned by a disclosure’ but noted that the CLOUD Act ‘only’ applies to CSPs under US jurisdiction and the European Agency does not use any such services.
The Commission also emphasised that when it acted as an amicus curiae (third party assistant) to the US Supreme Court in US v Microsoft, it made clear that any transfers of personal data from the EU to the US always need to have a legal basis, such as an international agreement, and also need to respect the general data protection principles, including purpose limitation and data minimisation.

The Commission has therefore taken the position that no transfers will take place under the CLOUD Act if this were to mean that a GDPR breach would occur. It has also shown support for the CLOUD Act to the extent that it has stated it intends to propose the adoption of a recommendation for an EU-US executive agreement to be negotiated.