Norton Rose Fulbright - Data Protection Report blog

The U.S. Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) is apparently the Goldilocks of the privacy world, according to recent statements issued by two international jurisdictions. The CLOUD Act’s requirements are “too hard” for Australian law, according to the Law Council of Australia, but the privacy protections are “too soft” for the European Data Protection Board and European Data Protection Supervisor. The current lack of any executive agreements between the U.S. and another jurisdiction under the CLOUD Act seems to indicate that the U.S. has not yet found a jurisdiction that is “just right” for the CLOUD Act.

CLOUD Act – Background

The U.S. enacted the CLOUD Act in 2018 in response to a case pending before the U.S. Supreme Court relating to stored e-mails controlled by a U.S.-based provider. The e-mails in that case were stored in Ireland, and the provider argued that the reach of the U.S. order for the e-mails (in a criminal case) stopped at the U.S. border. The CLOUD Act resolved the issue by amending the federal Stored Communications Act to state that a criminal warrant served on a U.S.-based provider extended to all e-mails in scope regardless of where in the world the e-mails were located. (Amending 18 U.S.C. § 2713.)

Another reason for the CLOUD Act was that the U.S. complained that the already-existing Mutual Legal Assistance Treaty (“MLAT”) process was too slow for fast-moving criminal matters, such as terrorism. As the name implies, MLATs are international treaties negotiated with various countries, and can vary based upon the countries’ legal requirements.

Congress responded to that concern in the CLOUD Act as well, by providing an alternative: an “executive agreement.” The CLOUD Act states that the U.S. Attorney General, with the concurrence of the Secretary of State, may enter into an executive agreement with another country if the Attorney General finds that the other country’s domestic law “affords robust substantive and procedural protections for privacy and civil liberties in light of the data collection and activities of the foreign government that will be subject to the agreement” based on factors listed in the CLOUD Act. (18 U.S.C. § 2523(b)(1).) Note that the Act expressly prohibits the executive agreement from creating “any obligation that providers be capable of decrypting data or limitation that prevents providers from decrypting data.” (18 U.S.C. § 2523(b)(3).)

Law Council of Australia

On July 16, 2019, the Law Council of Australia—an organization somewhat similar to the American Bar Association in the U.S.—made a submission to an Australian Parliamentary enquiry regarding a recent and controversial Australian law relating to telecommunications and government access in Australia (the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018). The executive agreements are intended to work in both directions so that, for example, the Australian government could require production of data stored in the U.S. Therefore, the Council considered whether a request made pursuant to the new Assistance and Access laws would be compatible with the CLOUD Act.

In its submission, the Council concluded that the Assistance and Access laws could prevent Australia from entering into an executive agreement under the CLOUD Act by running afoul of the CLOUD Act’s requirements in three ways:

a) The CLOUD Act requires that the order issued by the foreign government should be specific and identify the relevant individual, account, address or personal device or another specific identifier. This requirement is not reflected under the Australian law;

b) The CLOUD Act requires that the executive agreement cannot create an obligation that cannot be fulfilled under U.S. law. “In this context, the requirements under the Assistance and Access Act and the CLOUD Act clearly differ, as the US law does not allow for the mandating of the decryption of data as is now permitted under Australian law.”; and

c) The CLOUD Act requires that the order issued by the foreign government ‘be subject to review or oversight by a court, judge, magistrate or other independent authority prior to, or in proceedings regarding, enforcement of the order’ and “this condition may not be adequately addressed by the amendments introduced by the Assistance and Access Act.”

(Comments, ¶ 24.)

In other words, the CLOUD Act’s requirements were “too hard” for the proposed Australian law amendments.

European Data Protection Board and European Data Protection Supervisor

In contrast, on July 10, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) jointly issued an initial legal assessment of the impact of the CLOUD Act on the E.U.’s framework on cross-border access to electronic evidence. The EDPB and EDPS (collectively, the “European Regulators”) found that the CLOUD Act’s privacy protections were “too soft.”

The European Regulators found that the CLOUD Act could cause service providers to face a conflict between complying with U.S. law and complying with the personal data protections required by the General Data Protection Regulation (GDPR) and other E.U. laws. They pointed to Article 48 of GDPR, “transfers or disclosures not authorized by Union law.” That Article provides that a foreign court or agency’s order to a data controller or processor—such as a service provider—to transfer data “may only be recognized or enforceable in any manner if based on an international agreement, such as a MLAT . . .”

Because the CLOUD Act specifically contemplates court orders/warrants requiring the transfer of personal data without an MLAT, the European Regulators concluded: “service providers subject to E.U. law cannot legally base the disclosure and transfer of personal data to the US on such requests.” (Assessment, at page 3.) Their clear preference is for such disclosures to be made under an MLAT where “data is disclosed in compliance with EU law, and under the supervision of the courts in the EU”.

Despite this preference, the European Regulators encouragingly also explored whether such a data transfer would be lawful under Article 6 and Article 49 of the GDPR, using a two-step test:

  1. “A legal basis must apply to the data processing as such together with all relevant provisions of the GDPR” (Article 6); and
  2. “The provisions of Chapter V must be complied with” (derogations in Article 49).

(Id. at 3-4.)

For step #1, the European Regulators examined four potential legal bases and found that none of them worked:

i. Processing of the personal data is “necessary for compliance with a legal obligation to which the controller is subject.” (Article 6(1)(c)) The European Regulators found that this standard could be met by an MLAT or a “future international agreement” between the U.S. and E.U., but not by the CLOUD Act. (Id. at page 4.)

ii. Processing of the personal data is “necessary to protect the vital interests of the data subject or another natural person.” (Article 6(1)(d)) Although the European Regulators found that the provision was intended for situations such as child abduction or an imminent threat to the life or physical integrity of other persons, the European Regulators found that this provision “should not, in principle, be used as a valid legal basis to process personal data of such data subjects since there are other legal bases available for such transfer under EU law, i.e., the E.U.-U.S. MLAT.” (Id.)

iii. Processing of the personal data is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.” (Article 6(1)(e)) The European Regulators rejected this provision because the “processing should have a basis in Union or Member State law”—not the law of a third country. (Id. at pages 4-5.)

iv. Processing of the personal data is “necessary for the purpose of the legitimate interest pursued by the controller or by a third party, except when such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.” (Art. 6(1)(f)) The European Regulators considered that the controller may have a legitimate interest in complying with CLOUD Act requests, but they took the position that in criminal matters “the interests or fundamental rights and freedoms of the data subject would override the controller’s interest such as not to be sanctioned by the U.S. for eventual noncompliance with the request.” (Id. at page 5.)

In step #2, the European Regulators examined four derogations under Article 49 to determine if the transfer was necessary, and found that none of these applied:

i. The transfer of personal data is “necessary for important reasons of public interest.” (Art. 49(1)(d)) The European Regulators pointed out that the “public interest” needs to be an interest recognized in E.U. law or Member State law—not a third country. (Id. at page 6.)

ii. The transfer of personal data is “necessary for the establishment, exercise or defence of legal claims.” (Art. 49(1)(e)) The European Regulators found this derogation was not satisfied because “a close link is necessary between a data transfer and a specific procedure and the derogation cannot be used to justify the transfer of personal data on the grounds of the mere possibility that legal proceedings may be brought in the future.” (Id. at pages 6-7.)

iii. The transfer of personal data is “necessary in order to protect the vital interests of the data subject or of other persons, when the data subject is physically or legally incapable of giving consent.” (Art. 49(1)(f)) As with item ii (Article 6(1)(d)) in step 1 above, the availability of the MLAT process led the European Regulators to conclude that this derogation should not be used with respect to CLOUD Act requests. (Id. at page 7.)

iv. The transfer of personal data is “necessary for the purpose of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights or freedoms of the data subject.” (Art. 49(1) last paragraph.) The European Regulators found that the GDPR requirement that the controller must provide notice to both the data subject and the supervisory authority is often in conflict with the “protective order” attached to U.S. CLOUD Act warrants. In addition, the GDPR requirement that the controller use “suitable safeguards” “cannot be applied in practice. Therefore the EDPB and the EDPS consider that Article 49(1) last paragraph cannot provide a valid legal ground to transfer personal data on the basis of U.S. CLOUD Act requests.” (Id.)

Although the European Regulators recognized that further analysis was needed, “we recommend to controllers and competent authorities that they follow this initial assessment in particular in relation to US CLOUD Act requests.” (Id. at page 8.)

In other words, the CLOUD Act privacy protections are “too soft.”

Our Take

Most U.S. corporations are not particularly concerned with the CLOUD Act because (1) they are not Internet Service Providers; (2) it is limited to criminal acts; and (3) it only covers communications—not databases, documents, spreadsheets, or other types of electronic documents. Nevertheless, the recent pushback from both Australia and the EU shows that there remains a wide gap between these key economic powers on how to transfer personal information properly across jurisdictions. As such, we can expect the confusion over how best to comply simultaneously with US and non-US data transfer laws to continue.

In respect of Australia, it may be possible for the U.S. to draft an executive agreement that carves out any requests or orders based on Australia’s Assistance and Access laws or which are otherwise inconsistent with the requirements of the CLOUD Act.

Finally, the analysis is the first to address Article 48, which could impact cross-border transfers in civil discovery matters, though the analysis does support the position that a proper transfer under Article 49 would comply with Article 48 with no additional requirements. That being said, it is hard to square the EDPB and EDPS’s discussion of Article 49(1)(e) with the EDPB’s general Article 49 guidance, where it explicitly found that civil discovery in a third country was sufficient to comply with Article 49(1)(e) so long as the transfers were necessary and occasional. (Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 (May 25, 2018).) If discovery in a civil litigation in a third country is “necessary for the establishment, exercise or defence of legal claims,” then how is a warrant under the CLOUD Act more attenuated and not a close enough link? Could an unwelcome distinction emerge in the interpretation of Article 49(1)(e) between claims where the controller is the claimant or defendant in the substantive action versus claims where it is a third party in possession of data and documents pertinent to a claim between other parties? This distinction would be problematic because the danger to the subpoenaed party is just as real: failure to comply with the subpoena can be punished by a U.S. court just as surely as it could punish a party who flouts a discovery request or order.