
[THE U.S. FEDERAL CLOUD ACT AND THE EUROPEAN GDPR]

Updated: May 23, 2024

[AMERICAN LAW - EUROPEAN LAW - DIGITAL AND TECHNOLOGICAL SOVEREIGNTY - PERSONAL DATA - CRIMINAL INVESTIGATION - SECURITY]



🚨 The American CLOUD Act has pierced through the EU's umbrella.


In its information report No. 4299, the National Assembly raised concerns about data confidentiality and security, as well as the digital and technological sovereignty of States. By way of example, it refers to the difficulties caused by the extraterritoriality of certain foreign laws, which could prove detrimental to state and European interests.


(National Assembly Information Report of 29 June 2021, No. 4299, Volume I, on ‘Building and Promoting National and European Digital Sovereignty’; the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) of 2018; Foreign Intelligence Surveillance Act (FISA) of 1978; US Intelligence Activities Executive Order 12333 of 1981).


⚖️ Contrary to popular belief, the CLOUD Act does not give the US authorities unlimited and arbitrary access to European personal data. The aim of the CLOUD Act is to clarify the rules governing subpoenas issued by the US authorities. The US authorities can submit a request to a US judge, seeking a warrant for certain data hosted abroad.

 

The scope of the CLOUD Act remains relatively broad, covering the following operators:


- providers of remote computing services (RCS) (18 U.S.C. Sec. 2711);


- providers of electronic communication services (ECS) (18 U.S.C. Sec. 2510);


- U.S. companies and their subsidiaries (including foreign subsidiaries); and


- foreign companies abroad with a sufficient connection to the United States.

 

However, the request from the US authority must satisfy the following cumulative conditions:


- be requested in the context of an ongoing criminal investigation relating to the prevention, detection or prosecution of a serious crime (‘Purpose’);


- identify the target customer or operator (‘Target’);


- specify the data targeted and the scope of the search (‘Data’); and


- demonstrate the existence of a sufficient connection between the Purpose, the Target and the Data.

 

The request may be issued under a confidentiality order, that is, without notification to the Target.

 

In any event, the judge in charge of the case is required to examine the lawfulness of the request, considering the principles of proportionality and necessity (e.g. the importance of the data concerned, the specificity of the request, the availability of alternative means of obtaining the data concerned).


⚠ The CLOUD Act has raised many questions regarding its compatibility with Regulation (EU) 2016/679 (GDPR), Article 48 (Transfers or disclosures not authorised by Union law) of which provides: ‘Any decision of a court or administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may be recognised or otherwise made enforceable only if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer under this Chapter.’


In the 2018 Microsoft Ireland case, the European Commission submitted an amicus curiae opinion on the various grounds that may justify the lawfulness of transfers of personal data to third countries, as well as their processing (in particular Articles 44 to 50 of Chapter V of the GDPR).

 

(United States v. Microsoft Corp (Microsoft Ireland), No. 17-2, slip op. at 3 (17.04.2018) (per curiam), 584 U.S.___(2018); cf. Conseil d'Etat, Juge des référés, 13/10/2020, 444937; Schrems II, C-311/18; Stored Communications Act of 1986; Article 18(1) of the Convention on Cybercrime (ETS No. 185), Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (USA PATRIOT Act) of 2001)



© 2024 by Habbine Estelle KIM
