In case you missed it, the CLOUD Act is now law
You may recall that the issue of where data is located for the purposes of a subpoena or warrant has been brewing in the federal courts for some time now. We previously outlined three cases pending in the federal courts, including the Second Circuit’s opinion in In the Matter of a Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 829 F.3d 197 (2d Cir. 2016). That case was appealed to the Supreme Court, which heard oral argument at the end of February.
In the midst of the Microsoft case, Senators Orrin Hatch (R-Utah), Christopher Coons (D-Del.), Lindsey Graham (R-S.C.) and Sheldon Whitehouse (D-R.I.) introduced the Clarifying Lawful Overseas Use of Data Act, or “CLOUD Act,” in February to create a framework for law enforcement to access data that is stored overseas. When the CLOUD Act was first introduced, we addressed some of the potential impacts it would have in light of the pending Microsoft case, and on the jurisdiction of data generally.
Now, buried in a 2,232-page omnibus spending bill adopted on March 23rd, intended “only” to appropriate future government spending and keep the government open, was the CLOUD Act. (Scroll all the way to page 2116 of the bill -- you will find it.) It is curious that, with little or no prior discussion, Congress decided to adopt this legislation in a -- let’s just say -- cloudy manner. To date, the CLOUD Act has never received a public hearing, nor has it been reviewed by any committee. In fact, the last action taken (prior to its inclusion in the omnibus spending bill) was to refer the CLOUD Act to the Committee on the Judiciary and the Committee on Rules, neither of which ever actually considered it.
Even more concerning is that this bill was adopted on the eve of the GDPR taking effect. It addresses an issue that has already drawn the attention of the EU authorities and many of the individual member states of the European Union, who have voiced concerns about the way in which the US addresses privacy protection. These concerns continue to cause friction between the EU and the US in the realm of privacy protections. In 2015, the Safe Harbor framework was declared invalid by the Court of Justice of the European Union because the US failed to provide an adequate level of protection for personal data. The EU-US Privacy Shield, adopted to replace Safe Harbor and provide for the transfer of data from Europe to the United States, received less than glowing marks in its first annual review in September 2017.
Further, in the Microsoft case, the EU Commission submitted an amicus brief that emphasized that
Any domestic law that creates cross-border obligations—whether enacted by the United States, the European Union, or another state—should be applied and interpreted in a manner that is mindful of the restrictions of international law and considerations of international comity.
See Amicus Brief, at 7. Placing this issue squarely within the confines of the GDPR, the EU Commission noted that “Article 48 makes clear that a foreign court order does not, as such, make a transfer lawful under the GDPR.” See Amicus Brief, at 14. Article 48 provides that “[a]ny judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement.”
In its Amicus Brief, the EU Commission appears to find, without much analysis, that the personal data stored by Microsoft in Ireland is subject to the data protections outlined in the GDPR. This conclusion sheds some light on how the EU Commission interprets what data actually comes under the jurisdiction of the GDPR. And the answer seems to be anything located in the EU.
The Amicus Brief shows that the EU Commission is already questioning the ability of the U.S. courts to order that data be transferred outside of the EU. Now, with the passage of the CLOUD Act, there is a real potential for a company to be placed between the proverbial rock and a hard place: it must either comply with a US court order and risk non-compliance with the GDPR, or comply with the GDPR and face potential sanctions in the US courts.
Both the GDPR and the CLOUD Act do provide for a balancing of interests. The CLOUD Act allows a court to conduct a comity analysis to weigh the US’s interest in disclosure of the data against the interests of a foreign country in prohibiting such disclosure. Further, the EU Commission acknowledged in its Amicus Brief that the GDPR provides for a balancing of interests when a transfer is “necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject.” GDPR Art. 49(1). These two balancing tests may give companies enough leeway to navigate the potentially conflicting GDPR and CLOUD Act requirements -- but that remains to be seen.
Now, putting aside the overall lack of transparency in the adoption of the CLOUD Act, there are some very real potential ramifications of its inclusion in the omnibus spending bill. First, it is likely that the Supreme Court will issue a very short opinion resolving the Microsoft case and directing the parties to follow the CLOUD Act. This would resolve the federal court split and allow these cases to move forward. But, more importantly, the passage of the CLOUD Act creates a significant potential for the US to be at odds with the EU over the transfer of data. Even though a number of large technology companies, including Apple and Google, voiced their support for the CLOUD Act when it was initially introduced, there was no opportunity for all stakeholders to fully address issues or concerns regarding the Act.
It will be interesting to watch as the CLOUD Act unfolds in the era of the GDPR. Companies are already dealing with the ramifications of one of the largest data protection regulations to impact business to date. Now, with these new changes within the US, companies will need to navigate an additional layer of complexity under a law that has not been vetted. Companies will once again be faced with a law or regulation whose ramifications are still unknown.
* * * * *
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.