On 23rd March 2018, US President Trump signed the “Clarifying Overseas Use of Data Act” (or: Cloud Act), indirectly putting an end to the “Microsoft Case” in the US Supreme Court. This case centered on the question of whether the US government had the authority to force US-based service providers to hand over data even if the data was located outside of the United States (in the Microsoft case the data resided on servers in Ireland). While the US government was adamant that it had this right, Microsoft stated this was not the case, as there was no clear law to justify the position of the government.
What changes under the Cloud Act?
The Cloud Act now clearly states the right of the US government (after obtaining a warrant) to force US-based companies to turn over data even if the data is stored outside of the United States and that service providers must comply!
Many US tech companies have issued statements that they are happy with the Cloud Act as it provides clarity concerning the rights of the US government and – as Microsoft President Brad Smith states – “preserves the right of cloud service providers to protect privacy rights”.
However, many privacy lawyers and groups are worried about the consequences of the Cloud Act and the effect it will have on personal privacy.
Although the Cloud Act gives companies certain means to challenge a request to hand over (personal) data, the grounds and chances of a successful challenge are very limited.
Let’s take a closer look at these grounds, both of which need to be met:
- The customer the data relates to is not a US citizen and does not reside in the US
- The required disclosure would create a material risk that the provider would violate the laws of a qualifying foreign government.
What problems are posed by the legal grounds?
Apart from the fact that no foreign government yet meets the definition of a “qualifying foreign government”, the main problems here are:
- Both criteria have to be met, so just the fact that the data relates to an EU citizen is not enough!
- The fact that it would violate the rules under the GDPR concerning data transfer is probably not enough to prove a material risk.
- The burden of proof lies with the service provider.
- The court or judge deciding is a US court or judge.
- The court has limited grounds to quash a warrant.
- The court has to undertake a comity analysis (take into account certain circumstances). In the past such an exercise has often led to an outcome in favor of the party requesting the handover of the data.
Is EU data safeguarded under the Cloud Act?
The majority of privacy specialists in the field currently still have concerns regarding this issue. As the final judgement is still fresh however, the exact consequences the Cloud Act shall have in relation to the protection of personal data remain to be seen. And as we all know, changes in the field of privacy are taking place frequently, so we at iWelcome will keep following these developments for you and keep you up to date.
Feel free to repost this blog on your website or social channels! But when you do so, please be so kind to mention the source and give us a notice via firstname.lastname@example.org.
Senior Legal Counsel at iWelcome
With a Master's degree in Business and European Law, CIPP/E certification and more than 20 years of Corporate Law and IT experience, Annemarie brings to the table vast amounts of knowledge and experience.