The Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”) at its core allows US law enforcement authorities to request from communication service providers ("CSP"), such as cloud or email suppliers, in the Unites States (US) data over which they exercise possession, custody or control. It may also affect data hosted by CSPs on servers in member states of the European Union (EU), the European Economic Area (EEA) and Switzerland.
What is the CLOUD Act?
In 2013, in Microsoft vs. United States, Microsoft successfully refused to disclose data to the Federal Bureau of Investigations (FBI). The FBI requested access to data on servers from Microsoft located in Ireland. The Stored Communications Act (“SCA”) at that time did not allow for extraterritorial application. As a result, the CLOUD Act amended the SCA, with this the said court decision is nullified, and US law enforcement agencies are again enabled to access data located outside the US.
What has changed?
The CLOUD Act consists of two parts. Part 1 restores the status quo that existed prior to the Microsoft litigation: Again there is the mandatory disclosure of data regardless of its location. Part 2 provides the basis for foreign government agreements (Executive Agreement) between the US with other countries. Those agreements safeguard US CSPs from violating local legislation in case of disclosing data to US law enforcement authorities pursuant to a request.
Scope of application
Essentially, the CLOUD Act amends the SCA such that cloud providers must disclose data regardless of its location (within or outside the US). However, two factors limit the scope of application: (i) The US CSP must exercise “possession, custody or control” over data and (ii) the concerned data requested by the US law enforcement authorities must be linked to a serious crime. Both narrow the effect of the CLOUD Act significantly. Typical scenarios concern cybercrime, fraud or theft of trade secrets.
Currently, the EU is drafting a new e-Evidence Regulation and the Council of Europe is developing a second protocol to the Cybercrime Convention. Both initiatives would allow member states’ law enforcement authorities to issue directly cross-border data requests to companies in other member states.
Given its limited innovative character and narrow scope of application, general concerns about the CLOUD Act seem rather exaggerated. Nevertheless, some legal issues arise for companies outside the US. Worried are in particular companies providing legal, financial and health services or are otherwise bound to confidentiality with regard to specific core data.
It remains undefined how those companies can live up to their legal or contractual obligations with regard to confidentiality. The European Data Protection Board is likely to address this issue and provide guidance with regard to the GDPR.
However, companies bound to data confidentiality are now well advised to apply a combination of contractual and technical safeguards, such as privacy preserving computing, enhanced security standards and/or well-defined service provider agreements, to address and mitigate relevant legal risks. PwC Legal experts are ready to provide you with the necessary legal advice and technical expertise.