It all started with an American investigation into a drug-trafficking case. Data on this criminal network was reportedly located on a user’s Outlook account in Microsoft’s servers in Ireland. The U.S. Government issued a warrant requiring Microsoft to disclose data in its possession but the Redmond firm refused to comply on the grounds that the data was located outside the United States. Microsoft faced backlash over its refusal, some even questioning its patriotism.
While the case was being decided by the Supreme Court, the U.S. Congress tackled the issue by enacting on March 23, 2018, a rider tacked onto an omnibus budget bill, called the “CLOUD Act” (standing for Clarifying Lawful Overseas Use of Data Act) (1).
CLOUD Act: What Does it Say?
The CLOUD Act amends the Stored Communications Act of 1986 that involved a tedious process —requests for international legal assistance based on bilateral treaties — in order to obtain the communication of any data hosted outside the American territory.
Now, a simple warrant is sufficient to enjoin any U.S. company to provide such information, regardless of the data’s physical location.
The CLOUD Act applies to any “United States person”, defined very broadly (for legal persons) as a corporation that is incorporated in the United States, including a foreign subsidiary.
Not surprisingly, the procedure against Microsoft Ireland was abandoned (2) and reopened under the CLOUD Act, Microsoft having already publicly announced that the data would be transmitted in accordance with this new framework (3).
CLOUD Act: The European Response
Beyond preparing its own piece of legislation (4), the European Union expressed, via its European Digital Commissioner, its serious concerns following the hasty passing of the CLOUD Act (5).
Already in 2001, when the Patriot Act providing the U.S. Government access to some data for cases relating to national defence was signed into law, Europeans feared data “leaks” to the United States. Those fears were subsequently confirmed by the Snowden, PRISM or Echelon cases. From now on, with the CLOUD Act, the transmission of data to the American justice system can be systematised for any ordinary criminal cases.
However, the processor or the controller who would respond too quickly to a U.S. court order would necessarily incur liability, to the extent that Article 48 of the European General Regulation on the Protection of Personal Data (GDPR) clearly provides that “[a]ny judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement (...)”. The problem is that such international agreement does not exist (yet).
The protection of European citizens’ data would mean not entrusting their data to a company governed by American law — but this is both technically and economically unreasonable.
Under the very strong influence of the GDPR, cloud players, including Americans, have already started to make offers that are more respectful of European standards, with the installation of servers in Europe.
Many are calling for a European sovereign cloud (6). Various certification initiatives, such as ANSSI’s SecNumCloud (formerly known as Cloud Secure), are working in this direction, in particular on public architectures. Cloud security can also be achieved through the Network and Information Security Directive (NIS Directive) (7), recently implemented into French law (8).
For several years already, some users are following a “cloud strategy” consisting in using both a public cloud for less sensitive data and a private cloud for more sensitive data. The hybrid cloud architecture thus tends to develop.
This may be quite expensive, but this is the price for greater technical and legal security.
References
- The provisions of the CLOUD Act (amending the Stored Communications Act (SCA) of 1986, codified in Chapter 121, Part 1, Title 18 of the US Code) were enacted with the Consolidated Appropriations Act (Division V: Cloud Act) on 23 March 2018.
- U.S. Supreme Court’s United States v. Microsoft Corp. decision dismissing the case as moot, 17-4-2018
- « Après le vote du Cloud Act, la Cour Suprême jette l’éponge face à Microsoft », Le Monde Informatique, 7-4-2018;
- The EU is committed to improving cross-border access to electronic evidence. To make it easier and faster for law enforcement and judicial authorities to obtain the electronic evidence they need, such as e-mails or documents located on the cloud, to investigate and eventually prosecute criminals and terrorists, the Commission proposed on 17 April 2018 new rules in the form of a Regulation (Proposal for Regulation on cross-border access to e-Evidence) and a Directive (Proposal for a Directive laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings). See the European Commission’s Press release: http://europa.eu/rapid/press-release_IP-18-3343_en.htm?locale=EN
- « Pourquoi le «Cloud Act » américain inquiète l’Union européenne », Le Soir, 27-3-2018.
- « Cloud souverain et offre informatique : état des lieux », www.alain-bensoussan.com, 7-12-2015.
- NIS Directive, Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union, OJ L 194, 19.7.2016, p. 1-30.
- Loi n° 2018-133 du 26 février 2018 portant diverses dispositions d’adaptation au droit de l’Union européenne dans le domaine de la sécurité, JORF, 27-2-2018.
Article provided by:
Eric Le Quellenec, Lawyer, Head of the IT Advisory department Lexing Alain Bensoussan Avocats.
Eric Le Quellenec is a lawyer in Paris (France). A specialist in new technologies, information technology and communications law, Eric Le Quellenec is the Head of the IT Advisory department, where he also provides litigation services. He holds a Master 2 in business law (DJCE) and studied at the University of Ottawa (Canada). Having a solid experience in GDPR, he is leading the compliance programme of worldwide automotive and agribusiness groups. He is the exiting Vice-President of the Young Lawyers Association of Paris (Union des Jeunes Avocats de Paris – UJA), and previously chaired the new technologies and prospective commission of the French federation of young lawyers associations (Fédération des Unions des Jeunes Avocats de France - FNUJA). He has been appointed expert for the business and IT commissions of the French Bar Association (CNB).