Background

In March 2018, the US president signed into law the US CLOUD Act (Clarifying Lawful Overseas Use of Data). The Act expands US and foreign law enforcement’s ability to target and access individuals’ data across international borders. It amends the US Stored Communications Act (SCA) and provides that such information must be disclosed regardless of where it is stored.

The SCA was enacted in 1986 to facilitate law enforcement access to electronic communications. In the years since it came into force, difficulties have arisen in applying it to technologies such as internet applications and cloud computing that did not exist when the SCA was passed.

The introduction of the CLOUD Act has added to the complexity of the legal and regulatory environment, especially for organisations that process and store electronic data. Adapting to this environment is proving to be a significant challenge for many organisations. In responding to such demands, organisations are required to consider their legal and ethical responsibilities, particularly in striking a balance between a citizen’s right to privacy and civil authorities’ right to seek the information.

What information does it apply to?

The US CLOUD Act applies only to the contents of electronic communications, documents stored in the cloud, and certain types of transmission and account information.

Who does it apply to?

The CLOUD Act applies to all electronic communication service or remote computing service providers that operate in the US (such as email and cloud service providers), whether those providers are established in the United States or in another country.

The US CLOUD Act - Potential Conflict with the EU GDPR

The General Data Protection Regulation (GDPR) places a high priority on individual privacy rights, making data controllers accountable for their processing activities and requiring that certain conditions are met before disclosure to law enforcement agencies can occur. One of the fundamental requirements of the GDPR is that the data controller must have a lawful basis for processing the data, and such processing includes disclosure to law enforcement authorities.

What does the European Data Protection Board (EDPB) say about the CLOUD Act?

The EDPB issues advice and guidance to the national authorities on various topics.

On 10 July 2019, the EDPB, together with the European Data Protection Supervisor (EDPS), published a joint legal assessment on the CLOUD Act and the EU legal framework for data protection.

The assessment states that a request from a foreign authority for the transfer of data does not, in and of itself, constitute a legal ground for transfer for the purposes of the GDPR. Under Article 48 of the GDPR, any judgment of a court or tribunal of a third country requiring the transfer or disclosure of personal data can only be recognised or enforceable where it is based on an international agreement, such as a mutual legal assistance treaty (MLAT), in force between that third country and the Member State, unless other grounds for transfer under the GDPR apply.

The EDPB assessment stresses that there are two key elements to consider in relation to the legality of a transfer of personal data in response to a request made under the US CLOUD Act:

  • There must be a legal basis for processing under Article 6 of the GDPR; and

  • There must be a permitted basis for engaging in the transfer under Chapter V of the GDPR.

While the assessment is detailed and needs to be considered in its totality, its main conclusion is that the CLOUD Act does not, on its own, provide a sufficient legal basis under the GDPR to justify personal data transfers to the US, and that the most suitable means of protecting the GDPR provisions is an international agreement that encompasses all necessary safeguards.

In particular, the assessment concludes that “unless a US CLOUD Act warrant is recognised or made enforceable on the basis of an international agreement, and therefore can be recognised as a legal obligation, as per Article 6(1)(c) GDPR, the lawfulness of such processing cannot be ascertained”.

This EDPB assessment presents organisations that are subject to the GDPR and are served with warrants under the US CLOUD Act with a clear compliance conflict. In practice, this means that any organisation using US-based public cloud services that responds to a CLOUD Act or Stored Communications Act order runs a risk of breaching the GDPR, with the prospect of fines of up to €20 million or 4% of annual worldwide turnover.

The UK-US Data Access Agreement (DAA), 2022

The UK-US DAA is a bilateral agreement between the UK and the US, which came into force in October 2022. The agreement is intended to enable both countries to share information and intelligence with each other for the purpose of law enforcement or other national security purposes, including preventing, detecting, investigating, and prosecuting serious crimes, such as terrorism, transnational organised crime, and child exploitation.

Under the DAA, each country is required to ensure that its national legal framework allows service providers operating within its territory to lawfully respond to requests for electronic data made by the relevant public authorities in the other state party’s jurisdiction. The DAA mandates that all such requests, and the treatment of any acquired data, must comply with the applicable domestic legal framework to which the requesting public authority is subject.

The DAA permits the USA to serve orders directly on providers in the UK (and vice versa).

How can iTrust 6A™ help?

iTrust 6A™ is the first RegTech that standardises and simplifies the complex decision-making process when disclosing data to law enforcement. It enables your organisation to demonstrate compliance by fully documenting and keeping audit records of every step taken in the decision-making process when handling demands for disclosure of data.

In today’s digital age, customers are rightfully concerned about their privacy, their security and the use of their personal data. By prioritising ethics and transparency when disclosing personal data, organisations can demonstrate to their customers that they are trustworthy and transparent, and to regulators that they are compliant and committed to protecting user data.

To find out more please contact our privacy team at privacy@itrustethics.ie or visit iTrust6A™.