The Cloud Act: New Measures Against Companies and European Personal data

The Cloud Act has been signed into law, and is now the target of criticism from proponents for the protection of privacy and personal data. With the application of the General Data Protection Regulation (GDPR) on May 25th, the Cloud Act seems to be in total opposition to the new European requirements.

What is the Cloud Act?

The Cloud Act, or Clarifying Lawful Overseas Use of Data Act, is the new American legal framework related to data entry by the government or the American law-enforcement officers.

Voted with the two thousand pages of financial law, the Cloud Act allows law-enforcement officers, whether federal or local, to compel service providers located in the United States to transmit personal data, and including those stored on servers of third countries to the United States.

It therefore lies in the continuity of the Patriot Act, which imposes a mandatory collaboration of businesses and US citizens to provide information to fight cybercrime.

However this obligation can only be carried out within the framework of a legal procedure. The text allows these European Data entries to be made without informing the person concerned and without having to go through any legal authority of the country concerned.

The Cloud Act simplifies the seizure procedure. Indeed, this was already made possible before the Cloud Act’s entry into force, its implementation being more restricted: the seizure was possible if it was previously validated by committees specialized in this matter.

What’s new with the Cloud Act is that it allows the President to negotiate and conclude executive agreements for the exchange of information with other governments, without needing the approval of Congress.

And in practice?

Security is the first argument in favour of this law. It boasts the fight against crime and mutual assistance at an international level to explain why the data entry by law-enforcement officers must be facilitated.

Safeguards are still provided by the text, allowing the US service providers to refuse such requests. However, the field of application is limited to the fulfilment of two cumulative conditions. First of all, the person whose data is at stake cannot be an American citizen or an American resident. The second condition requires that data disclosure puts the provider at risk to go against local laws.

In short, this law particularly impacts the privacy of the individuals concerned, and equally the companies which are not protected by these safeguards.

The Cloud Act against the rest of the World

The Cloud opposes the European General Data Protection Regulation (GDPR) that strictly conditions the extraterritorial European personal data transfer. More specifically, Article 48 prohibits transfers based solely on the unilateral request of a foreign government, unless there is an international agreement binding the concerned countries.

Similarly, the United States has entered into the Privacy Shield agreement with Europe, in force since the 1st August 2016. Previously self-certified American companies are regarded as offering an adequate level of protection for personal data transferred by a European entity.

Despite the measures undertaken to protect personal data, these regulations do not guarantee the protection of the people who are affected by data entry under the Cloud Act. Similarly, while these regulations aim to protect people in the best way possible,  they fail to do the same for companies.

At this stage, imagining interactions between these regulations is complex. If Microsoft did not succeed against the American state, we will have to wait for the next legal battle to determine whether or not a cohabitation between these rules is possible, and what strategies and positions need to be taken by companies in these legal and regulatory quagmire.