The Cloud Became Such a Thing That Acts Are Made for It! 8 years ago, when we published articles on virtualization and cloud computing, few readers actually searched for and read them. Today, the value of the keyword "cloud computing" has touched the sky. Needless to say, our notion of using the cloud is for cost effectiveness, not for replacing on-premise. Freedom is not limitless in the cloud with respect to acts like the CLOUD Act and the EU GDPR. Since March 23, 2018, the CLOUD Act has been in force in the USA. From May 25, 2018, the EU GDPR will come into force.
Freedom is Not Limitless in the Cloud!
In March 2018, the US Congress passed the CLOUD Act, which was signed by US President Donald Trump. Under the CLOUD Act, US authorities will be able to access (personal) information held by (US) companies that is not stored in the US, even without recourse to international mutual legal assistance agreements. The bill was criticized by the Electronic Frontier Foundation, the American Civil Liberties Union, Amnesty International, and Human Rights Watch, to name a few.
So far, there have been considerable legal disputes as to whether providers of cloud services need to give US authorities access to user data even when the data is stored abroad. Among other things, the law states that the existing obligations must be fulfilled regardless of whether the user data that a US authority wants to access is stored inside or outside the United States. Specifically, this means that the Stored Communications Act is also applicable to data stored abroad. According to this law, which has been in place since 1986, US companies must grant US authorities direct access to data as a result of a legal act, such as an administrative order.
The issue began with a legal dispute over whether Microsoft is required to provide US authorities with access to user data stored abroad on the basis of administrative and judicial orders. User data in this context means complete communications, records or other information. Microsoft had initially refused to grant access to the US authorities, and had won its case before the US Court of Appeals. A verdict in this matter was originally expected in the middle of the year, but is now meaningless with the CLOUD Act.
Apart from the international-law question of whether a state may readily grant itself the right to access data stored in other states and thereby circumvent existing mutual legal assistance agreements, the CLOUD Act is particularly relevant against the background of the EU GDPR, applicable from 25.05.2018. This raises the question of whether the direct transfer of data from a company to a US authority will be permitted at all under the GDPR.
Article 48 of the GDPR is decisive for cooperation with third countries. Accordingly, decisions of an administrative authority of a third country requiring the transfer or disclosure of personal data may only be recognized or enforced if they are based on an international agreement. An example would be a mutual legal assistance agreement between the requesting third country and the Union or a Member State. It seems highly questionable whether direct access can still be regarded as covered by existing mutual assistance agreements. The mere infringement of the clear wording of the GDPR is likely to speak in favor of the inadmissibility of data transfers to the US authorities. It follows that companies that transfer (personal) data from the EU directly to US authorities could commit a violation of the GDPR, which would accordingly carry a fine of up to 20 million euros or up to 4 percent of the total worldwide sales of the previous year, whichever is higher.