The CLOUD Act, everything you need to know!

Unless you are totally airtight to the latest news in the digital world, you couldn’t have missed out on the CLOUD Act, which caused a lot of ink to flow in the international press.

Just a few weeks before the General Data Protection Regulation enforcement, this American law was enacted. Consequently, it is likely that the effects of the GDPR are lessened, and that the European citizens don’t regain the trust that was hoped for about the use of their personal data.

A little bit of history…

It all started in 2013, in a common drug trafficking case submitted to an American criminal court of law. In order to charge the suspect with drug trafficking, the prosecutor needed to gather evidence. The latter wanted to access the messaging service of the defendant to prove that he was guilty, and at the same time, find a potential accomplice in his list of recipients.

The suspect had an Outlook address, whose service is managed by Microsoft. Therefore, the prosecutor sent a request to the company in order to access the trafficker’s emails. And that’s when the real trouble began…

In response to the prosecutor, Microsoft refused to disclose the said emails on the grounds that they are hosted on data centers located outside the American territory, and more precisely, in Ireland. That means that the American authorities don’t have any extraterritorial jurisdiction that allows them to collect some data that may be stored on overseas servers.

The only option for the authorities who wanted to get the suspect’s emails was to use the Mutual Legal Assistance Treaty, ratified between the United States and the Republic of Ireland in 2001. To sum up, this treaty gives these two countries the opportunity to cooperate within the scope of a criminal investigation, just so the requesting party can obtain the data located outside the territory of the requested party. For that drug trafficking case, the American authorities sent an international request to the Irish authorities to get their hands on the defendant’s emails, and to make sure that the investigation went smoothly.

For some reason, Ireland refused to disclose the emails by not granting the request from the United States.

Last resort option for the American authorities: summons Microsoft on the basis of the SCA (Stored Communications Act). It is an old Act from 1986, that gives the United States the opportunity to get computing data in the scope of a criminal investigation. The problem with this Act is that it was written before the expansion of the internet, when the data was still stored on a floppy disk. When that law was written, no one could have imagined that the whole world would be connected, and that the data could be stored on servers located all around the globe. Consequently, the Act was silent about its extraterritorial jurisdiction.

By summoning Microsoft, the American government wanted to take advantage of that loophole to make the jurisdictions acknowledge an extraterritorial range. To support their defense, the American government said that Microsoft home office is located in the Washington State. Therefore, Microsoft must obey the American law and has to get the data stored on their own servers, wherever they are located.

The jurisdiction of first instance acceded the defense of the American government and authorized the disclosure of the data stored on the Dublin servers. In spite of this judgment, Microsoft refused to comply with the legal decision because the company thought that the SCA didn’t have any extraterritorial jurisdiction. Consequently, the company decided to appeal the decision.

The Court of Appeals for the Second Circuit in New York declares null the whole judgment from the first instance jurisdiction. More precisely, the American government cannot request the disclosure of any data located outside of its territory.

The American government decided to appeal to the Supreme Court, but they couldn’t take the risk of losing this case. In consequence, they had to scheme to find a solution and get the SCA extraterritorial jurisdiction acknowledged.

The trick was found just a few months before the case was judged by the Supreme Court: find a way to pass the CLOUD Act (Clarifying Lawful Overseas Use of Data Act). This Act could allow the American government to access personal data stored on overseas servers, by getting past the extraterritorial jurisdiction problem. All in all, the United States could hit the jackpot with this Act.

The problem is that the parliamentarians would never pass such a law that would damage the diplomatic relationships with the rest of the world.

IN SHORT: The American government wanted to access the data stored on a server located in Ireland. Microsoft was summoned to get the disclosure of the data, but the company refused on the grounds that the SCA didn’t have an extraterritorial range. Consequently, the government wanted to pass the CLOUD Act, whose goal was to abolish the extraterritoriality issue.

The CLOUD Act passed with a sleight of hand

The American government is facing a serious challenge: they had to make sure that the CLOUD Act was enacted before the case was judged by the Supreme Court. In other words, it had to happen quickly.

The executive was aware that this Act would give rise to many debates, endless amendments and get bad press.

Nevertheless, a clever idea was found. The CLOUD Act was inserted into the Appropriations bill, which was 2,232 pages long and was meant to cloud the issue. The CLOUD Act was inserted on page 2,201, even though it absolutely had nothing to do with appropriating funds. The government strategy was to drown the Act in the bill, just so it would go unnoticed by the Congressmen. Probably very few of them read carefully the 2,232 pages bill, and since it was almost the end of the year and the bill had to pass quickly, they couldn’t amend it like crazy.

Therefore, the whole Appropriations bill passed in late December 2017, which means that the CLOUD Act also passed.

Given that case opposing Microsoft to the American government would be reviewed by the Supreme Court, the Act had to come into effect fast. That’s why Donald Trump officially ratified it on March 23^rd, 2018.

This enforcement came along at the right time, just a few weeks before the decision of the Supreme Court on April 18^th, 2018.

Unsurprisingly, the high court decided the case in favor of the American government. The judges didn’t really have a choice because they had to base their decision on the law enacted just a few days ago.

From now on, the United States can freely access the data stored on overseas servers.

IN SHORT: In order to make the Congressmen pass the CLOUD Act before the Microsoft case was reviewed by the Supreme Court, the American government inserted the Act into the Appropriations bill. By passing the bill, the deputies also passed the CLOUD Act. Consequently, the Supreme Court had to apply the CLOUD Act when the case was reviewed because it was enacted a few weeks earlier.

What’s the CLOUD Act all about?

The CLOUD Act is an invading law from the United States on a global scale, because they can access personal data hosted on data centers all around the world.

Nevertheless, the law only applies to companies established in the United States. All the web giants have to obey it, including their subsidiaries in Europe.

To get access to data located abroad, the American authorities must obtain a warrant that can only be issued if there is a serious presumption that someone committed – or is about to commit – a criminal offence. The authorities will give this warrant to the American provider of service involved, which will have no other choice but to hand over the requested data. If this provider thinks that the request is unfounded, they can quash of modify it with a motion. However, their room for maneuver is too narrow: they will be able to quash the warrant only if the suspect is not an American citizen or doesn’t reside in the American territory.

Let’s just say that the submissions offered to the providers are extremely poor.

Moreover, the judiciary authorities also have a narrow room for maneuver when it comes to quashing or modifying the warrant, because they can only base their decisions on a limited list provided by the CLOUD Act. Therefore, their discretional power is jeopardized by this law.

IN SHORT: During a criminal investigation, the CLOUD Act requires the American companies to disclose data stored on any server around the world. The submissions offered to the provider of services are very limited.

A law contrary to the spirit of the GDPR

When the European regulation 2016/679 about the personal data protection passed in 2016, the European institutions were very pleased about their progress in protecting their citizens.

The main goal of the GDPR was for private individuals (and companies, to a certain extent) to regain trust on the use of their personal data by third parties. That means that the citizens would also invest inside the single market. The European Union would benefit from this, and the consumers would be more likely to buy, now that they know their data is “supposed” to be protected.

However, this feeling of safety seems deceptive, since it is contradictory to the CLOUD Act. Indeed, all of the companies that have subsidiaries inside the European Union are torn between obeying the American law that has extraterritorial jurisdiction, and the European law that forbids them to transfer any personal data outside of its territory.

In the moment, these transfers to the United States don’t seem particularly serious. Indeed, Article 45 of the GDPR gives the possibility to transfer data outside of the EU thanks to an adequacy decision signed with the European institutions. The United States negotiated this agreement a few years ago, which was called “Safe Habor”. However, this agreement was very criticized for its lack of protection towards personal data. This criticism was confirmed when the Court of Justice of the European Union judged nullified the Safe Harbor in 2015, in the Schrems case.

Overcome by panic, the European Commission got together with the United States to pass a new agreement more respectful of the processing of personal data done by American companies. On July 12^th, 2016, the Commission proudly announces the ratification of a new agreement with the United States: the Privacy Shield, enacted on August 1^st, 2016.

Nevertheless, this new agreement doesn’t seem any different from the last one, which was criticized then ultimately nullified. Even the Art. 29 WP, former advisory body of the European Union, expressed concern about the Privacy Shield, because it still doesn’t offer enough guarantees about the use of personal data transferred to the United States.

Consequently, we can legitimately question the consequences of the CLOUD Act within the European Union. Indeed, the American authorities can remotely get personal data stored within the Union. It really gives bad press to the GDPR, whose goal was to stop this kind of practice.

Therefore, the European subsidiaries of American companies are currently facing a conflict of laws. If they transfer data to the United States, they take the risk of getting an administrative fine on the grounds of Article 83 of the GDPR (up to 20 000 000 EUR or up to 4 % of the total worldwide annual turnover). On the other hand, if they don’t transfer the data, the American company could be convicted by the American jurisdictions.

That means that the American companies are unintendedly facing a real headache. As long as these judiciary and political uncertainties are not resolved, it is not recommended to subscribe to a service from an American company.

IN SHORT: The European subsidiaries of American companies are facing a conflict of laws. They must respect the European and American law, even though they are contradictory.

The possible solutions

There is no silver bullet guaranteeing that American companies won’t transfer any European user’s data to the United States. The users must be careful when it comes to subscribing an online platform of any kind.

You should choose a company that is not established in the United States, and then the CLOUD Act shouldn’t be enforceable.

However, it’s difficult to get rid of any American provider of service from our lives because of their monopoly in some areas. Indeed, how can we find an alternative to Google, Amazon, Microsoft, Apple or Netflix? The latters’ are getting huge market shares in their area of expertise, so it is hard to do without these services.

As long as the jurisdictions don’t make any decision about this conflict of laws, you should wait before subscribing to an American platform.

Some European platforms are just as efficient as any American service provider. For instance, the services offered by HTTPCS by Ziwit gives you the opportunity to protect your personal data without transfering it to the American territory.