The CLOUD Act and European companies: what scope of application?

Legal Watch No. 40 – October 2021

The dematerialization of data and its storage in the "cloud" have fundamental and complex consequences for the obligations of companies.

Even when stored in Europe, data is not immune to a request for disclosure by a third country in a legal context.

The increasingly topical issue of digital sovereignty finds a particular echo in the evolution of United States law, with the CLOUD Act and its extraterritorial scope of application.

Under what conditions can the European subsidiary of an American company, or conversely, the American subsidiary of a European company, be forced to communicate their data to the American authorities?

The CLOUD Act (Clarifying Lawful Overseas Use of Data) was adopted in the United States in March 2018. Its objective is to allow US criminal authorities to access data from US cloud service providers, regardless of where the data is stored, and without having to initiate proceedings through international mutual legal assistance.

Shortly before the adoption of the CLOUD Act, Microsoft had refused to provide US authorities with data stored in its Irish cloud, citing the non-application of US law to data stored in Europe, which had led to lengthy legal proceedings.

The CLOUD Act clarifies and expands its scope to prevent this type of situation.

The text also allows foreign states to access data held by cloud service providers based in the USA, without having to file a request for mutual legal assistance, provided a bilateral agreement is in place.

An agreement of this type was recently concluded between the United States and the United Kingdom, the first of its kind.

The CLOUD Act applies to any US company within the meaning of US law, i.e., a company incorporated in the United States and companies controlled by it.

A European subsidiary or a European company controlled by an American company may therefore be subject to this law, which will inevitably cause conflicts of law to the extent that these companies are also subject to the GDPR.

Note that the concept also targets European companies with a "presence" in the United States, which considerably extends its scope.

This is what the European Data Protection Board points out in a position dating from 2019, as does the Swiss Federal Office of Justice in a very recent study of September 17, 2021 on the CLOUD Act.

This uncertainty about the scope of the CLOUD Act is relayed by the United States Department of Justice itself in an April 2019 white paper on the subject, of which here is an extract (unofficial translation):

“Whether a foreign corporation located outside the United States but providing services in the United States has sufficient contacts with the United States to be subject to U.S. jurisdiction is a fact-specific inquiry, which turns on the nature, quantity, and quality of the corporation's contacts with the United States.

The more a company deliberately directs its conduct toward the United States, the more likely it is that a court will find that the company is subject to U.S. jurisdiction.

U.S. courts applying this analysis in civil cases involving websites, for example, have focused on the degree of interactivity of a site with customers in their jurisdiction, considering factors such as the function and mechanics of the website, any specific promotion to customers, the solicitation of business through the site, and actual use by customers.”

This interpretation potentially subjects a very large number of European companies to US legal claims, even when the databases are located in Europe. However, under Article 48 of the GDPR, a foreign country's law cannot constitute a sufficient legal basis for transferring personal data to the authorities of that country.

The text of the GDPR explicitly provides that such data transfers can only take place within the framework of an international agreement such as a mutual legal assistance agreement.

This principle aims to ensure both the protection of the transferred data and a minimum of legal security.

What solutions?

From a political perspective, first of all, let us note that the European Commission is currently negotiating an agreement with the United States aimed at facilitating access to electronic evidence in criminal investigations, while the Council of Europe is in the process of developing a second protocol to the Budapest Convention on Cybercrime... two texts which would clarify the legal framework concerning these data transfers in compliance with European law.

More specifically, the CLOUD Act provides that a company facing a conflict of law may invoke the law to which it is subject, in this case the GDPR, to challenge the American request ("material risk of violating foreign laws").

This nevertheless involves procedures which can prove long and costly, with no certainty as to their outcome.

In practice, technical measures can be taken to protect data, inspired by the recommendations of the European Data Protection Board: data storage in Europe, no retention of data "in clear", specific encryption measures such as those detailed by the EDPS in its June 2021 opinion concerning tools for transferring data outside the European Union (p. 30), and the retention of encryption keys within the European Union.

The CLOUD Act does not prohibit encryption (although the United States requires companies to cooperate with government authorities on this issue) and does not take a position on third-party country decryption rules.

Finally, let us add that the first European clouds have recently been endorsed by the European data protection authorities: last spring, the CNIL approved the first European code of conduct dedicated to cloud infrastructure service providers.

It has also just approved the National Metrology and Testing Laboratory (LNE) and Bureau Veritas Italia Spa to carry out checks on compliance with this code of conduct.

Without considering "all local" as the absolute panacea, European clouds have the merit of offering increased legal security, as long as an international agreement has not clarified the situation.

And also

France:

The CNIL has formally notified the company Francetest to secure the health data (screening tests) it collects on behalf of pharmacies. It has also approached more than 300 pharmacies to verify their compliance with the GDPR.

The authority also published at the beginning of October a white paper on data and payment methods, and a public consultation on a draft recruitment guide.

Finally, the CNIL is studying the possibility of using facial recognition for the Olympic Games from 2024.

Europe

On October 21, the Dutch Data Protection Authority rejected a request for authorization to blacklist suspected fraud in telecommunications and online payments.

The Spanish authority fined the person responsible for implementing a biometric identification system in the workplace without a prior impact assessment 16,000 euros.

Following a security breach in the context of the use of the Clearview AI facial recognition system, the Finnish Data Protection Authority considered that the police had used this software without a legal basis, and ordered it to comply with the law and inform the persons concerned.

The Provincial Administrative Court of Warsaw considered it unlawful for a bank to process personal data on the basis of Article 6(1)(f) of the GDPR (balance of interests) solely because of their possible future usefulness.

Source of national decisions: gdprhub

Amazon has entered into a contract with the British intelligence services (GCHQ, MI5, MI6), through which the company will host and operate artificial intelligence analyses on sensitive data from the intelligence agencies.

In Switzerland, Proton, the secure messaging and VPN service, won an appeal on October 22 against the obligation it had been served with to monitor and store its users' data.

On October 6, the European Parliament adopted a resolution rejecting facial recognition and artificial intelligence-based predictive analysis in policing.

International:

The 43rd International Conference of Data Protection Authorities took place in Mexico City and via videoconference from October 18 to 21.

The conference adopted several resolutions, including one on children's digital rights and another regarding law enforcement access to private sector data.

Following a Facebook (Meta) security breach, the Data Protection Authority of South Korea recommends compensation of $257 to each user whose data was improperly transmitted to third parties.

Anne Christine Lacoste

Partner at Olivier Weber Avocat, Anne Christine Lacoste is a lawyer specializing in data law; she was Head of International Relations at the European Data Protection Supervisor and worked on the implementation of the GDPR in the European Union.
