October 10, 2018

Cloud Act vs GDPR: Clash or Harmony?

Yulia Filipovich

Senior Compliance Manager, Tieto Compliance Cloud, Tieto

In my previous blog post I talked about the Cloud Act, created as a result of the Microsoft Ireland case. This law has a direct impact on the personal data of millions of Europeans – and the financial institutions storing this critical data.

I interviewed Cagla Salmensuu, Tieto Compliance Consultant and attorney to the State of New York, to find out more about the legal impact of the Cloud Act. Here are her valuable insights.

What does the Cloud Act mean in practice from an EU point of view?

Cagla: “The very first thing that must be remembered is that EU laws are applicable in the EU jurisdiction and the US laws are applicable in the US jurisdiction. The Cloud Act applies to “US persons” who are within the US jurisdiction but whose data may be located outside of the US territory. In that sense, the GDPR’s jurisdiction on personal data may conflict with that of the Cloud Act because the GDPR is also applicable to the “US persons” that are within the EU or whose data is used for business activities in the EU. Consequently, a company in the EU will be violating the GDPR if they disclose a US person’s data to the US enforcement (international data transfer) without appropriate GDPR-based procedures and justifications.

Currently, there exists a mechanism for the US under the GDPR to have their warrant enforceable in the EU even without the Cloud Act. That process, however, is dependent on the conditions of the GDPR and via the MLAT (Mutual Legal Assistance Treaty).

The coin has two sides, however. It is also possible that the EU enforcement may need to obtain personal data in law enforcement from the US.

In that case, the Cloud Act requires a mechanism for the “qualifying” foreign governments to bypass the MLAT system in their investigation of serious crime and directly request sought-after communications from US-based providers. This is ensured through an “executive agreement” entered into between the foreign government and the United States. The signing of executive agreements with the US also requires that the foreign government must agree to reciprocal rights of access by the United States to foreign government-held data. In order for the cooperation to be reciprocal for the EU, the EU can thus reasonably be expected to take that route and negotiate an agreement just as the UK has recently done.”

What happens if the US government wishes to obtain the personal data of a US citizen located on a European server?

Cagla: “A European company is accountable for following its home country’s laws and court orders. The GDPR is, in the field of data protection and privacy, the number one law a European company is supposed to follow. Because the Cloud Act is not a European law, it needs to be made enforceable by a European court order in order to concern the European company. Or, the anticipated executive agreement between the US and the EU (or distinct EU members) has to be made in order to facilitate the exchange of e-evidence in the fight against cybercrime or crimes taking place using ICT systems.

Until then, the US enforcement will need to fulfill the GDPR’s conditions before a US-issued warrant can be enforceable in the EU. An EU company is affected by the Cloud Act to the extent it may be processing the personal data of a “US person” outside of the EU, for business activities outside of the EU. In other words, an EU company may be affected by the Cloud Act once it falls outside of the jurisdiction of the EU due to the fluid nature of the data business.”

Do the benefits really outweigh the risks?

Many organizations and experts have expressed concerns about the Cloud Act and the potential negative impact it can have on the EU. EU businesses should evaluate the risks of using US suppliers that have to follow the Cloud Act.

By all odds, it will be beneficial for companies to choose a local cloud provider, such as Tieto Compliance Cloud, which follows the laws of the local country when it comes to privacy and data protection. This is especially vital for organizations that handle extremely sensitive data, such as authorities, municipalities, banks, and health care and insurance companies.

RELATED READINGS

My previous blog post: It's time to talk about the Cloud Act

Cagla's latest blog post: NIS directive in the Nordics: Finnkampen in the air?

Related article: Risk management in legal cyber-security
