How to handle the uncertainty in light of the GDPR and the CLOUD Act

Provisions under EU law and U.S. law governing cross-border data transfers, and current case law that may affect them.


This white paper concerns the provisions of EU and U.S. law governing cross-border data transfers and current court cases that may affect them.

The General Data Protection Regulation (GDPR) became applicable on 25 May 2018, replacing the Swedish Personal Data Act (PUL). It is neither the beginning nor the end of the EU’s long-standing efforts to improve the protection of individuals’ data and their right to privacy. These rights are fundamental rights in the EU, and all Member States have been bound by them in areas within the EU’s competence since the Lisbon Treaty took effect in 2009 [1]. The EU thereby strengthens its lead over the United States when it comes to legal protection of individuals’ rights to privacy and data.

Background

The 1995 Data Protection Directive [2] created an EU-wide framework for the protection of personal data.

It was still up to each country to enact national legislation based on the directive. In Sweden, the directive was implemented in 1998 through the Personal Data Act (PUL) [3]. PUL regulated both what kinds of personal data could be recorded and how such data could be transferred to so-called “third countries.” The latter required that at least one of the following three situations applied:

  1. The country’s personal data legislation is deemed comparable to the European one (Section 33 PUL)
  2. The individual has given consent or, by entering into a contract, has de facto accepted certain disclosures (Section 34 PUL)
  3. The government has specifically granted an exemption (Section 35 PUL)

Unlike the Data Protection Directive, the GDPR applies directly as EU law and does not require transposition into national legislation. As a result, all EU Member States now have even more harmonized laws regarding personal data protection. Minor local adaptations of certain details in the GDPR are allowed, particularly concerning public administration, but the vast majority of the legislation remains alike across Member States.

Until 6 October 2015 there were several ways to enable transfers to third countries, of which the three main alternatives were:

  1. Safe Harbor [4] — a system for U.S. companies to self-certify their handling of personal data.
  2. Binding Corporate Rules — guidelines and processes for internal transfers within multinational companies.
  3. Standard Contractual Clauses [5] — a standard contract that a European customer can enter into with a U.S. provider.

On 6 October 2015 the Court of Justice of the European Union, in C-362/14, declared the European Commission’s Safe Harbor decision invalid [6]. On 2 February 2016 the European Commission and the U.S. announced agreement on a new system for U.S. companies to self-certify, the so-called Privacy Shield [7]; the Commission’s adequacy decision for it was adopted on 12 July 2016.

Alongside the personal data protections that apply to interactions between individuals and companies or between individuals and public authorities, there is a separate system for data transfers in matters involving law enforcement authorities. These authorities can obtain information in criminal investigations and similar proceedings from other countries via so-called MLAT agreements (Mutual Legal Assistance Treaty).

Current

Today, U.S. IT companies can be compelled to disclose personal data when U.S. authorities so require, regardless of the physical location of that data.

CLOUD Act

The Clarifying Lawful Overseas Use of Data Act (U.S. CLOUD Act) [8] is a U.S. law passed on 23 March 2018, intended to remove earlier obstacles in U.S. law to U.S. IT companies disclosing personal data when U.S. authorities demand it, regardless of the physical location of that data.

The law also establishes a process by which the U.S. government can qualify other countries to request data directly from U.S. companies. A further purpose is to bypass the existing MLATs (see above), partly because MLAT processes are considered slow: MLAT requests are reviewed by courts, which takes time [9]. Both European and British law-enforcement representatives have been negotiating with their U.S. counterparts to improve the situation in this area and to establish simpler and faster access to data stored abroad in criminal investigations.

When Microsoft v. U.S. Government (MS-vs-USG) [10] came before the U.S. Supreme Court in spring 2018, Congress hurried to enact new legislation before the Court could rule, since a ruling under the unamended law was expected to cement an outcome that neither Microsoft nor the U.S. Government wanted [11]. The legislation was drafted hastily [12] and has been widely criticized on several grounds, including the concern that non-U.S. authorities could gain access to data they should not have via bilateral cooperation agreements [13], and the legal thicket that applying extraterritorial legislation creates [14]. The Supreme Court case was dismissed as moot after the U.S. CLOUD Act was enacted [15].

Ireland [16] as well as the European Commission [17] submitted amicus curiae briefs [18] in MS-vs-USG. The Commission’s brief essentially states that the EU has an interest in international judicial cooperation, but that any disclosure of data physically stored in the EU must comply with the GDPR to be lawful in the EU [19]. In the GDPR it is particularly Article 48 [20] that addresses the recognition within the EU of court or administrative decisions of third countries; it states that such a decision “may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty.” Both Ireland and the European Commission point in their submissions to the already existing MLAT agreements as the most reasonable route.

Thus, the U.S. CLOUD Act has not yet changed the fundamental situation: U.S. and European law are not compatible on the issue of disclosing data stored in the EU to the United States. Until agreements between the U.S. and either the EU or each individual Member State are in place to legalize the use of the U.S. CLOUD Act vis-à-vis Article 48 of the GDPR, the only permissible approach that aligns with European law is for the U.S. to use the existing MLAT agreements, which is precisely what the U.S. sought to avoid in the first place. There are therefore three key questions going forward regarding the impact of the U.S. CLOUD Act on U.S. IT companies’ operations within the EU:

  1. Will the EU and the U.S., or each Member State and the U.S., put one or more agreements in place that make U.S. use of the U.S. CLOUD Act lawful from a European perspective?
  2. Will such an agreement meet the requirements of the Charter of Fundamental Rights (the EU Charter)?
  3. Will the United States respect the territorial scope of the GDPR, or will transfers occur in violation of the GDPR, and will the EU have visibility into this or act if such transfers are discovered?

In the CJEU’s “Safe Harbor” decision, the Court reasoned not primarily in terms of what had demonstrably happened in individual cases, but rather in terms of what U.S. law de facto makes possible. Regarding the third point above, the U.S. CLOUD Act enables the United States to request transfers of data in violation of the GDPR: under the Act it is up to the company addressed to challenge the request in court on its own initiative, and there is a U.S. court proceeding only if it does so. Note also that the Act’s statutory comity challenge is available only where the provider reasonably believes the subscriber is not a U.S. person and that disclosure would risk violating the law of a “qualifying foreign government,” that is, one that has concluded an executive agreement under the Act; absent such an agreement, the provider is left with general common-law comity arguments. Even where a U.S. court does hear such a challenge, it may find reasons to approve the request just as well as reasons to deny it. The law explicitly lists several factors the court must weigh, including U.S. interests such as national security. From a European perspective, this is problematic. The European right to data protection safeguards EU citizens, and the European judiciary (particularly the courts) is tasked with ensuring that European legislation is interpreted so as to protect them.

What must be understood is that the EU Charter has the same legal value as the Treaties and codifies the EU’s fundamental principles. That means other EU law, such as directives, regulations, and rules governing agreements, successively builds on it. The EU Charter guarantees rights to EU citizens, which European courts must take into account in legal disputes. It therefore seems that the second question above leads to the same fundamental issue that the CJEU already has to consider in the “Data Protection Commissioner” case (see below). The second point can also be said to have been largely assessed already in C-362/14 (see in particular paragraphs 79–98, which struck down the Safe Harbor arrangement in its entirety). As to the first question, it has been reported that the United Kingdom is engaged in bilateral negotiations with the United States to conclude a new agreement [21], while the EU is pursuing a multilateral agreement for the entire Union with the United States [22]. A problem for the EU is that, strictly read, the U.S. CLOUD Act provides for agreements with individual foreign governments rather than multilateral ones, which may mean that U.S. law prevents the U.S. government from doing anything other than seeking bilateral agreements with each individual EU Member State. For the EU, such a solution would be unsatisfactory. Additional legislation or a “lenient” interpretation of the U.S. CLOUD Act would be required for the EU to be able to conclude a multilateral agreement.

C-311/18, Data Protection Commissioner

After the Safe Harbor decision was invalidated by the CJEU on 6 October 2015 in C-362/14, Austrian citizen Max Schrems again applied to the Irish Data Protection Commissioner for supervision of Facebook Ireland’s data flows out of the EU. He argued that, given the outcome in C-362/14, it could not possibly be lawful to transfer data to the U.S. on the basis of the Standard Contractual Clauses or the Privacy Shield. The case went to court because Schrems argued that the Irish Data Protection Commissioner could itself decide to stop Facebook’s data flows out of the EU. The U.S. government, Digital Europe, and the Business Software Alliance have joined the case on Facebook’s side, while Schrems and the Irish Data Protection Commissioner are supported by EPIC.

The Commissioner agrees with Schrems that Article 47 of the EU Charter (right to an effective remedy and to a fair trial) is not respected under the arrangements established by the Standard Contractual Clauses and the Privacy Shield, and that the rights of EU citizens under Articles 7 and 8 are therefore at risk. The Irish High Court [24] decided on 3 October 2017 to refer the matter to the CJEU so that the judgment would be valid throughout the EU. Facebook appealed the decision to make a reference to the Irish Supreme Court. When the High Court finally issued the reference on 12 April 2018, Facebook applied to the High Court to stay the reference to the CJEU pending the Supreme Court’s decision.

On 2 May the High Court refused this because Facebook’s application lacked merit, writing that “the reference must proceed immediately,” and characterizing Facebook’s conduct in court as bordering on blameworthy and unserious [25]. Media assessments are that Facebook has been attempting in various ways to delay the legal process [26]. The hearing conducted by the European Parliament on 22 May 2018 with Facebook CEO Mark Zuckerberg also made clear that Facebook’s business has numerous current areas of conflict with the EU [27][28][29].

An MEP remarked during the hearing with Zuckerberg on the differing levels of U.S. and EU data protection and the difficulty of reconciling the two [30]. The validity of both the Standard Contractual Clauses and the Privacy Shield is questioned in the reference to the CJEU. As regards the Privacy Shield, the dispute primarily concerns whether the Ombudsperson appointed by the U.S. government meets EU law’s requirements for an independent judicial body, along with a number of further requirements.

When one reads paragraphs 43 and 44 of the reference, it is hard to see how this could be the case given the reasoning advanced by the Irish Data Protection Commissioner, but we must await the CJEU’s decision.

The reference consists of 11 questions asking the CJEU to state whether the Standard Contractual Clauses and the Privacy Shield are compatible with Union law (the EU Charter, etc.), but there is no room to describe all the other preliminary questions here. It should be noted that the CJEU sometimes answers the questions it wishes it had been asked rather than the ones it actually received, so one cannot expect straightforward answers.

Conclusion

Given the legal situation described above, and the wide gap between the design of U.S. and European law, it is hard to see how the two regimes are mutually compatible.

First, there are no indications that European courts are prepared to significantly weaken such civil rights as have been codified. The only feasible direction is for U.S. law to improve protections for individuals. Such a development would, however, run counter to U.S. practice concerning national security, which in practice does not recognize the rights of persons who are not U.S. citizens (as EU citizens typically are not), as statements by legal experts cited in the High Court’s reference in C-311/18 indicate.

Second, it is possible that the CJEU will invalidate both the Standard Contractual Clauses and the Privacy Shield, and that the European Commission will negotiate a “Safe Harbor 3” with the U.S., to the extent the U.S. CLOUD Act has not made such a solution impossible. One may speculate about which party’s position would be most strengthened for such negotiations by a CJEU decision.

Third, the current political situation between the EU and the U.S. is anything but good. The downsides of U.S. IT companies’ privacy policies—such as Facebook’s—which are partly considered to have made Brexit possible through influence campaigns, have not escaped EU politicians. To this can be added diplomatic problems arising from the U.S. withdrawal from the Iran agreement, and the nascent trade war initiated by the U.S. administration.

Fourth, a common objection to the possibility that the CJEU could invalidate both the Standard Contractual Clauses and the Privacy Shield at all, or without an alternative in place, is that the consequences for business would be too great. The CJEU’s task is to ensure that the EU Charter is respected in the EU’s laws and decisions. If the EU Charter obstructs business, then it must be amended. Until then, it applies as is. The European Commission acknowledged that EU citizens’ rights had been infringed but did not consider itself obligated to amend the Safe Harbor decision in light of this, pending an imminent renegotiation of the decision with the U.S. The CJEU, for its part, maintains that transfers should in fact be stopped in such circumstances in order to cease infringing EU citizens’ Charter-protected rights [31].

What the next step would be after the EU has invalidated the U.S. as an adequate third country can only be speculated about. It can, however, be noted that after the CJEU’s previous preliminary ruling in C-362/14, Safe Harbor ceased to apply immediately, but the European data protection authorities gave controllers (and their processors) a grace period of roughly three months so that the European Commission and the U.S. could find a new solution. If a new solution cannot be found in the near term, controllers must cease transferring personal data to the affected services to avoid the threat of fines.

Recommendations for organizations

Given the legal situation, there are some strategic recommendations regarding cloud services to avoid getting caught out before (or if) the legal conflicts between the EU and the U.S. are resolved.

Recommendations regarding IT architecture

  1. Build your cloud infrastructure with vendor-agnostic tools and platforms so you can move the environment to another provider more easily if the legal landscape worsens. Building your environment on containers (e.g. Docker) rather than on provider-specific virtual server images is a proven way to make services easier to migrate.
  2. Calculate how data egress costs will hit you on the day you want to move out. Many cloud service providers charge nothing for uploads but charge per gigabyte for downloads, which can lead to unpleasant surprises when a whole data set has to leave.
  3. Separate data from services using open (or at least standardized) interfaces to make it easier to switch storage platforms. Amazon’s S3 protocol has become the industry standard for large-scale storage of unstructured data in the cloud. Unfortunately, Amazon uses certain extensions that are not supported by other S3-compatible services. If you restrict yourself to the common subset of the S3 API from the start, or start with a more generic S3-compatible provider, it will be easier to move to another provider later.
  4. Invest in your own identity management instead of relying on the cloud service provider’s. This is somewhat more cumbersome in some cases, but far easier if the services ever need to be migrated elsewhere.
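Points 2 and 3 above come together in code as a storage layer that depends only on a portable subset of the S3 API, plus a migration routine that first sizes the egress bill and then copies objects with an integrity check. The following is an added example, not code from this white paper or from any provider: `ObjectStore`, `InMemoryStore`, `plan_migration`, `migrate` and `demo` are names chosen here, the in-memory backend stands in for a real S3-compatible provider so the example runs offline, and the egress price, throughput and sample objects are constructed inputs.

```python
"""Provider-agnostic object storage with a costed, verified migration path.

Added example, not code from the white paper. The ObjectStore interface is
limited to the core operations every S3-compatible provider offers
(put/get/delete/size/list); InMemoryStore stands in for a real backend so the
example runs offline. Price and throughput figures are hypothetical inputs.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Protocol


class ObjectStore(Protocol):
    """The portable subset of the S3 API. Application code depends on this
    interface only, never on a provider's extensions, so swapping the backend
    (or the jurisdiction it lives in) becomes a configuration change."""

    def put(self, key: str, data: bytes) -> None: ...
    def get(self, key: str) -> bytes: ...
    def delete(self, key: str) -> None: ...
    def size(self, key: str) -> int: ...
    def list_keys(self, prefix: str = "") -> Iterable[str]: ...


class InMemoryStore:
    """Stand-in backend. A real one would wrap an S3 client configured with
    the provider's endpoint URL and expose exactly these five methods."""

    def __init__(self) -> None:
        self._objects: Dict[str, bytes] = {}

    def put(self, key: str, data: bytes) -> None:
        self._objects[key] = bytes(data)

    def get(self, key: str) -> bytes:
        return self._objects[key]

    def delete(self, key: str) -> None:
        del self._objects[key]

    def size(self, key: str) -> int:
        return len(self._objects[key])

    def list_keys(self, prefix: str = "") -> List[str]:
        return sorted(k for k in self._objects if k.startswith(prefix))


@dataclass
class MigrationPlan:
    objects: int
    total_bytes: int
    egress_cost: float   # same currency as the per-GiB price supplied
    hours: float


def plan_migration(src: ObjectStore, prefix: str,
                   egress_price_per_gib: float, mib_per_second: float) -> MigrationPlan:
    """Size the move before committing to it: egress fees and wall-clock time
    are the two figures that most often surprise a team that wants to leave."""
    keys = list(src.list_keys(prefix))
    total = sum(src.size(k) for k in keys)
    cost = total / 2 ** 30 * egress_price_per_gib
    hours = total / (mib_per_second * 2 ** 20) / 3600
    return MigrationPlan(len(keys), total, round(cost, 2), round(hours, 4))


@dataclass
class MigrationReport:
    copied: int = 0
    verified: int = 0
    mismatched: List[str] = field(default_factory=list)


def migrate(src: ObjectStore, dst: ObjectStore, prefix: str = "",
            delete_source: bool = False) -> MigrationReport:
    """Copy every object under prefix and read it back from the destination,
    comparing SHA-256 digests. A source object is deleted only after its copy
    has been verified, so a corrupted or partial write can never lose data."""
    report = MigrationReport()
    for key in list(src.list_keys(prefix)):
        data = src.get(key)
        expected = hashlib.sha256(data).hexdigest()
        dst.put(key, data)
        report.copied += 1
        if hashlib.sha256(dst.get(key)).hexdigest() != expected:
            report.mismatched.append(key)   # leave the source copy in place
            continue
        report.verified += 1
        if delete_source:
            src.delete(key)
    return report


def demo() -> MigrationReport:
    """Constructed sample data: objects in a 'US' store moved to an 'EU' store."""
    us, eu = InMemoryStore(), InMemoryStore()
    us.put("crm/customers.csv", b"id,email\n1,a@example.org\n")
    us.put("crm/notes.txt", b"x" * (3 * 2 ** 20))      # 3 MiB
    us.put("logs/2018-05.log", b"y" * (2 ** 20))        # 1 MiB, outside the prefix
    plan = plan_migration(us, "crm/", egress_price_per_gib=0.09, mib_per_second=50)
    print(f"plan: {plan}")
    return migrate(us, eu, prefix="crm/", delete_source=True)


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `migrate` is written against `ObjectStore`, not against any provider's client, so the same routine works in either direction and between any two S3-compatible endpoints; the read-back digest check is what makes `delete_source=True` safe to use on a real cutover.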

Recommendations regarding risk analysis and compliance with data protection legislation

  1. Do the groundwork on the GDPR regarding the handling of personal data. Such groundwork should include reviewing:
    1. where you geographically store your personal data,
    2. your legal basis for processing and (if the personal data is stored outside the EU/EEA) for the transfer itself,
    3. how sensitive the personal data being processed is (especially if processing occurs outside the EU/EEA),
    4. whether you have informed the data subjects that their personal data is being processed, and
    5. whether any retention and deletion policy is implemented. This point is of course particularly important if data is stored in the U.S., since organizations then at least have a natural way to reduce the data that could end up having to be disclosed.
  2. Deepen your GDPR work by introducing security classification of the information processed within the organization—this is necessary in order to subsequently conduct proper suitability and risk analyses regarding the use of various cloud services.
  3. Include in the risk analysis the legal uncertainty surrounding existing and new cloud service providers—make a probability assessment and impact analysis and act accordingly: for example, if there is assumed to be a 20% risk of a complete halt to the transfer of personal data to U.S. services over 12 months starting in 9 months’ time, how would this affect operations and the decision-making process for your IT strategy regarding vendor choices?
  4. Build redundancy at the vendor level as well. This is particularly important for services in the risk zone, and assess the migration process—how long would it take, for example, to replace all U.S. services if the need were to arise? It may seem too catastrophic to even consider, but the groundwork is needed to be able to make the right decision if it becomes a live issue.

Recommendations for organizations that rely on the Privacy Shield and SCCs

  1. Analyze data flows that involve transferring data to countries outside the EEA and determine which transfer mechanism is used, how important it is to the business, and the likely consequences of being unable to continue such transfers. Develop possible solutions that could avoid the need for transfers.
  2. Find out how the third parties that handle data flows from your organization will deal with a potential invalidation of the SCCs and/or the Privacy Shield.
  3. Inform management and other key stakeholders about the risks arising from a potential invalidation of the SCCs and/or the Privacy Shield.