In March 2018, the US CLOUD Act was signed into law. This Act (the acronym standing for Clarifying Lawful Overseas Use of Data) allows US authorities to compel US-based technology companies offering electronic communication services or remote computing services to provide personal data. It is not necessary for these data to be stored in the US. The Act may therefore have a profound impact on Dutch citizens, as their personal data may be shared with US authorities, but also on Dutch companies, as they may end up in a legal quandary.
Law enforcement authorities cannot simply request that such data be provided - they need a search warrant, which is granted only if there is “probable cause”: a reasonable ground to suspect that actual evidence will be found to aid an ongoing investigation. Companies receiving a warrant have a chance to appeal to a US court, which must then balance the interests of the parties. Under the CLOUD Act, countries can conclude executive agreements with the US; these agreements regulate the transfer of personal data as part of a criminal investigation.
It should be noted here that the Act does not concern the systematic, large-scale harvesting of data; only targeted, individual requests are covered by its scope. One should further bear in mind that the US government has other acts in store by virtue of which it is authorised to obtain data, such as the US Patriot Act.
Impact of the CLOUD Act
Although the CLOUD Act is US legislation, it may actually affect the rights of Dutch citizens. After all, companies may be required under the provisions of the Act to submit information about non-US citizens directly to the US authorities.
The European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) have published a joint opinion in which they state that this obligation conflicts with the GDPR. They note that a foreign judgment cannot unreservedly be considered a ground on the basis of which personal data can or must be transferred. For such a judgment to be recognised or enforceable, it must be based on an international agreement, such as a mutual legal assistance treaty (Article 48 GDPR). If there is no such agreement or treaty, processing and transfer of personal data can only take place if one or more of the conditions of Article 6 or Article 49 are fulfilled.
Given this conflict, companies offering electronic communications services or remote computing services in the US are in a legal quandary: should they follow the GDPR or the US CLOUD Act?
They do have a further possibility to challenge orders for disclosure of personal data where the US CLOUD Act conflicts with the GDPR: the “comity procedure”. This can be relied upon if (i) the person to whom the data relates is not a US citizen or resident, and (ii) compliance with the order would create a material risk of violating a third-country law. The comity procedure only applies to those countries that have concluded executive agreements with the US. The EU has not concluded such an agreement yet. This being so, the EDPB and the EDPS wonder whether the comity procedure can actually be invoked at all.
Exception(?)
There is another way out for companies receiving a request to disclose data: the “common law comity principles”. Under these principles, companies do not have to meet US legal obligations if they conduct business in good faith and meeting those obligations would create a serious risk of sanctions for the company under the law of a foreign country. As for Dutch companies, it is for now unclear whether they can - and will - rely on those principles, as a missive from Minister Grapperhaus shows.
Need for a new (European) cloud?
With the current cloud business being dominated by American companies - Google, Microsoft and Amazon spring to mind - European politicians fear that the cloud providers they use fall within the scope of the US CLOUD Act, which appears to offer fewer safeguards for the protection of personal data than the GDPR does. Another possibility that cannot be precluded is that future US legislation will subject US cloud service providers to even tougher rules, thereby increasing the risks for the security of data. It is also feared that EU companies will fall seriously behind the US powerhouses when it comes to cloud services. For this reason, the German government recently announced plans to set up a European cloud system called Gaia X in order to “develop a new generation of European data infrastructure for Europe, its companies and its citizens”.
The doubts about the safety of US cloud and other service providers manifested themselves when the Dutch government carried out a data protection impact assessment (“DPIA”) in relation to Microsoft services, including its cloud service Azure, because storing information in the US is a high-risk situation for users, the government argued. The results of the DPIA were clear: the collection, storage and use of data was not GDPR-compliant.
Microsoft has since made some adjustments to its services and agreed supplementary terms with the Dutch government, as a result of which its services are now GDPR-compliant. The changes implemented are now available worldwide, but the supplementary terms apply to the relationship between Microsoft and the Dutch government only.
Conclusion
It is safe to conclude that the US CLOUD Act, with its sweeping reach, could under circumstances be in violation of the provisions on the transfer of personal data as laid down in the GDPR.
A European cloud where personal data stays in Europe and the cloud provider does not fall within the ambit of the US CLOUD Act appears an excellent solution. This is offset by the fact that the Dutch government confidently uses Microsoft's cloud services, following a DPIA after which adjustments were made and supplementary terms agreed, so that the services are now - in Microsoft's own words - GDPR-compliant.
There appears to be no reason to panic, as using US-based cloud services is neither prohibited nor by definition unlawful. However, it is of overriding importance that service providers are able to offer sufficient protection and are compliant with the legislation and regulations applying in the Netherlands.
Legal advice or more information
If you wish to know whether the services you provide are GDPR-compliant or if you have questions about the transfer of personal data to third countries, then feel free to contact Martin Hemmer.
Author of this blog: Sophie Hendriks.