What is the Cloud Act?

The Cloud Act is a United States federal law enacted in 2018 that requires U.S. data and communication companies to provide stored data belonging to a customer or subscriber, on any server they own, when requested by warrant from a US law enforcement agency. However, the act contains mechanisms for the companies or the courts to challenge such a request if they believe it violates the privacy rights of the foreign country in which the data is stored.

The European Data Protection Supervisor (EDPS) and the EDPB view the Cloud Act as a law in possible conflict with the GDPR and have made an official review of the act. They point out that Article 48 of the GDPR requires that any order from a non-EU authority requiring the transfer of personal data outside the EEA must be recognized by an international agreement (i.e. an MLAT) to be valid. To quote the official report: "We are of the view that currently, unless a US Cloud Act warrant is recognised or made enforceable on the basis of an international agreement, the lawfulness of such transfers of personal data cannot be ascertained..." Therefore, they have proposed that it is urgent to create new MLATs between the EU and the US so that the Cloud Act can be incorporated into the EU's legal framework, since today it is not.

The problem for organizations is that many fall under US jurisdiction. Businesses that use cloud storage solutions owned by a US company, or even EU organizations that merely have US customers or subscribers, technically fall under US jurisdiction.

An EU-based company fulfilling a warrant issued by a US court that requires the transfer of personal data is today in breach of Articles 44 and 48 of the GDPR if there is no international agreement in place. However, if the organization does not fulfill the warrant, it will be breaching US law instead.

Naturally, organizations do not want to be in a position where they need to choose which law to follow. As of now there is no crystal clear right way until further legislation is enacted. That is why partnering with a team of experts like ours at Complior ensures you can navigate these types of situations and are following the latest legal requirements as they come into force. With so much of the world quickly moving online due to current circumstances, regulations and laws are changing and adapting quicker than ever. It is easy to be penalized for a requirement your organization genuinely missed but is still accountable for implementing. Choosing local and secure cloud hosting partners like Complior in Sweden minimizes issues that could arise from laws like the Cloud Act in the US.
