CLOUD Act vs GDPR
GDPR, CLOUD Act and California Consumer Privacy Act are data protection laws with differing purposes. Between data monitoring and data protection, which one to choose?
GDPR, CLOUD Act, California Consumer Privacy Act: 2018 looks like the cradle of data protection legislation. However, not all of these laws pull in the same direction, and that is where friction arises.
An explanation of what these texts contain and where they conflict.
The PATRIOT Act: in the name of national defense?
The PATRIOT Act, predecessor of the CLOUD Act, is divisive. Some clarification on this controversial Act.
This law was passed by the American Congress under the presidency of George W. Bush after the attacks of September 11, 2001. It was initially meant to be an exceptional law lasting only 4 years; the reality turned out differently.
Indeed, it is still in force today (after two renewals respectively in 2006 and 2011) and some of its provisions have been made permanent.
Temporary you say?
Why this PATRIOT Act?
The aim was for the United States to adopt an anti-terrorism law in order to guarantee better national defense.
But how? By granting American government agencies (the FBI first, but also the CIA, the NSA, the military…) enhanced powers so that they can fight terrorism more effectively.
In other words, this law lets those agencies obtain users' computer data, communications (telephone, Internet…) and other kinds of information without prior judicial authorization or warrant, and without the consent, or even the knowledge, of the users concerned.
Criticism of the PATRIOT Act
In principle, these powers may only be used to guarantee national defense.
Every good intention has its excesses.
In practice, the Act let American agencies “justify” the surveillance they had put in place over the behavior of American individuals (and not only Americans: see the PRISM program).
Human rights organizations also criticize the law as a genuine infringement of rights and freedoms.
The birth of the CLOUD Act, or protection weakened further?
The equivalent of our Criminal Code and Code of Criminal Procedure in the United States is Title 18 of the United States Code (the codification of federal law, which is divided into titles for the different branches of law). Title 18 includes a chapter entitled “Stored wire and electronic communications and transactional records access” (chapter 121, for the curious, better known as the Stored Communications Act), which largely governs access to stored data.
That text evidently was not considered sufficient, since the CLOUD Act was adopted.
Why this CLOUD Act?
1. First, because the wording of Chapter 121 did not prevent disputes. It gave rise to the well-known Warrant case (Microsoft Corp. v. United States, in which Microsoft contested a warrant for e-mails stored on a server in Ireland). The United States therefore wanted a stronger text.
2. But that is not all. The GDPR also appears to have played a role in the drafting of this legislation. Consider the circumstances in which the law was passed:
- Date of adoption: March 2018, two months before the GDPR became applicable (25 May 2018). Coincidence?
- The adoption procedure: the law was passed with very little visibility. It is buried in a much larger text of some 2,232 pages, the 2018 federal spending bill (Consolidated Appropriations Act, 2018). That bill is politically sensitive: failing to pass it has serious consequences for the American administration, so it is an understatement to say that political pressure weighed heavily on the matter.
Moreover, this text of about thirty pages received no specific scrutiny of its own. Surprising, given the subject matter…
The friction point: the fate of data located outside US territory
Cross-border requests for data in criminal matters are normally handled under agreements negotiated between States, known as MLATs (Mutual Legal Assistance Treaties). Under these agreements, data is handed over between States only after a judge in the requested State has validated the request.
But the CLOUD Act does not see it that way…
Data transfer as seen by the CLOUD Act
Content of the CLOUD Act:
The Act (18 U.S.C. § 2713) states that “a provider of electronic communication service or remote computing service shall comply with the obligations of this chapter to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.”
What does this provision mean?
American companies must hand over the data in their possession to the American authorities, regardless of where it is stored, whenever a criminal investigation presents a “credible” and “justifiable” need.
What is the territorial scope of this provision?
There is none, in effect: the law targets American companies wherever the data sits, which makes it extraterritorial.
Nota bene: for these purposes, an American company is any company incorporated in the United States OR any company controlled by one (foreign subsidiaries included).
So nearly everyone is affected.
Is there a way out?
A provider may refuse the transfer and file a motion to modify or quash the demand if:
- the customer concerned is not a U.S. person and does not reside in the United States, and
- complying would create a material risk of violating the law of the country where the data is hosted.
Caveat for practitioners: the statutory motion (18 U.S.C. § 2703(h)) is only available where that country has an executive agreement with the United States (a “qualifying foreign government”); otherwise the provider is left with the courts' general comity analysis.
For the keen, the text of the CLOUD Act is available online.
Divergent visions on the CLOUD Act
Pros: it is no surprise that the CLOUD Act was endorsed by Oath and by four of the five GAFAM (Google, Apple, Facebook and Microsoft). According to them, and contrary to the consensus among specialists, the CLOUD Act would give consumers stronger protection.
As such, Brad Smith (president and chief legal officer of Microsoft) said on March 21 that the law was a “good compromise” that would “defend the privacy rights of our customers around the world.”
How do they justify that position? By arguing that a clearer framework serves users better: defined rules for transferring data to U.S. authorities, wherever the data is located, would enhance consumer privacy, they said.
Cons: the main problem is the intrusion of American authorities into data held abroad. That is why most commentators oppose this overly intrusive act.
Data protection seen by the GDPR
GDPR article 48 “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”
Under this article, a foreign court order or administrative decision is not, by itself, a valid basis for transferring or disclosing the personal data of people in the EU: it must rest on an international agreement such as an MLAT. The other transfer mechanisms of Chapter V (adequacy decisions, standard contractual clauses, the Article 49 derogations) are not affected, but none of them covers a unilateral foreign order.
What about such an agreement with the United States?
At the moment the Privacy Shield governs EU/US relations on data transfers; note that it is an adequacy framework for commercial transfers, not an MLAT, so it does not itself satisfy Article 48. Coming events will show how all these texts fit together. (Later development: the CJEU invalidated the Privacy Shield in the Schrems II judgment of July 2020.)
Nota bene: the European Parliament’s Civil Liberties Committee (LIBE) considered that the Privacy Shield does not provide sufficient protection. It therefore adopted a draft resolution calling for the agreement to be suspended in the event that its deficiencies persist after 1 September 2018.
A European cloud: the solution?
It is essential to choose your subcontractors (processors) carefully and to know where your data is hosted, and, just as importantly, who controls the provider: a data centre in the EU operated by a U.S.-controlled company is still within reach of the CLOUD Act. This is why scholars and practitioners today recommend turning to a European cloud provider.
Case to follow.