CLOUD Act vs GDPR
The GDPR, the CLOUD Act and the California Consumer Privacy Act are data protection laws with differing purposes. Between data monitoring and data protection, which one should you choose?
GDPR, CLOUD Act, California Consumer Privacy Act: 2018 seems to be the cradle of data protection laws. However, not all of them go in the same direction, and this is where friction arises.
Here is an explanation of what these laws contain and where they disagree.
The birth of the CLOUD Act, or an exacerbated lack of protection?
The United States' equivalent of the French Criminal Code and Code of Criminal Procedure is Title 18 of the United States Code (the codification of federal American law, which comprises several titles covering the different branches of law). This title includes a chapter entitled “Stored wire and electronic communications and transactional records access” (for the most curious of you, it is chapter 121), which deals largely with data protection.
This text evidently did not seem sufficient, since the CLOUD Act was passed.
Why this CLOUD Act?
1. First of all, because the drafting of Chapter 121 did not make it possible to avoid disputes. Indeed, the well-known Warrant case arose (the case pitting Microsoft against the United States government). Therefore, the United States wanted a stronger text.
2. But that’s not the end of the story. The GDPR also appears to have played a part in the development of this legislation. Let’s look at the backdrop to the passage of this law:
- Date of adoption: one month before the GDPR came into force (April 2018). Coincidence?
- The adoption procedure: this law was adopted with complete discretion. It is encapsulated within a much larger law (some 2,232 pages), the United States Budget Act of 2018. The latter, however, is very sensitive, and any failure to pass it could have serious consequences for the American administration. It is an understatement to say that political pressure therefore carried considerable weight in this matter.
Moreover, this text, about thirty pages long, was not subject to any reinforced scrutiny. This is surprising given what we are talking about…
The sticking point: the fate of the data located outside the US territory
International data transfers are handled through agreements negotiated between States. These agreements are called MLATs (Mutual Legal Assistance Treaties). Under these agreements, data may be transferred between States after a motions judge has validated the transfer.
But the CLOUD Act does not see it that way…
Data transfer according to the CLOUD Act
Content of the CLOUD Act:
The Act states that “any operator or provider of online services must comply with obligations (…) to preserve, store or communicate electronic communications content and any records and information relating to a customer or subscriber in their possession, custody or control, wherever such communications, records and information are located inside or outside the United States.”
What does this provision mean?
American companies must, regardless of where the data is stored, hand over the data in their possession to the American authorities whenever there is a “credible” and “justifiable” need in the context of a criminal investigation.
Is there a collection limitation?
If there is one, it is not territorial. Indeed, the law targets American companies rather than a territory, which makes it extraterritorial.
Nota bene: under U.S. law, a company is any company established in the United States OR any company controlled by one.
Everyone is concerned.
Is there a way around it?
Companies have the possibility to refuse the transfer in the context of legal proceedings if:
- the consumer does not live in the USA, and
- the transfer would cause the provider to violate the regulations of the country hosting the data. In this case, a motion must be filed.
For the most eager of you, you can read the CLOUD Act text itself.
Divergent visions on the CLOUD Act
Pros: it is no wonder that this CLOUD Act has been approved by Oath and four of the five GAFAM companies (Google, Apple, Facebook and Microsoft). Indeed, according to them, and contrary to what specialists agree on, this CLOUD Act would provide greater protection for consumers.
Indeed, Brad Smith (president and chief legal officer of Microsoft) said on March 21 that this law was a “good compromise” that would “defend the privacy rights of our customers around the world”.
But how do they justify such a position? By claiming that it provides better information. The possibility of transferring data to U.S. surveillance agencies, regardless of where the data is located, would enhance consumer privacy, they said.
Cons: the major problem is the interference of the American authorities. That is why the vast majority of commentators are opposed to this overly intrusive act.
Data protection according to the GDPR
Article 48 of the GDPR says that “Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognized or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.”
Under this article, only an international agreement can legitimize the transfer of data from European citizens to a non-European territory.
What about such an agreement with the United States?
At the moment, it is the Privacy Shield that governs the Europe/USA relationship regarding data transfers. Coming events will tell us how all these acts play out.
Nota bene: the European Parliament’s Civil Liberties Committee (LIBE) considered that the Privacy Shield does not provide sufficient protection. It therefore adopted a draft resolution to suspend the agreement in the event that deficiencies persisted after 1 September 2018.
A European cloud: the solution?
It is essential to choose your subcontractors carefully and to know where your data is hosted. This is why theorists and practitioners today recommend turning to a European cloud.
Case to follow.
In the meantime, it is never too late to know the GDPR like the back of your hand! Thanks to the GDPR training by Ziwit Academy, you will know exactly which mandatory requirements to implement in order to secure your data processing, whatever your level is.