Following the enactment of the CLOUD Act in the US, the Dutch Government requested a memo on its application to EU entities.
Under the GDPR, EU companies are required to comply with demanding data protection legislation or face substantial monetary sanctions. Some critics have even argued about the GDPR’s extensive extraterritorial scope, which has seen companies based in third countries, such as Meta or Clearview, fined for not complying with European data protection law when processing data in the US.
This dilemma also exists the other way around when it comes to the applicability of third-country laws to data protection in Europe. Most recently, questions have been raised across the pond about the potential impact of the US CLOUD Act on European entities and whether this legislation puts them in a complicated position regarding strict European data protection law. Under the GDPR, European personal data which is stored or processed in the US must still be protected according to GDPR rules. The conflict is that the CLOUD Act allows US federal law enforcement to compel certain technology providers to produce requested user data even where it is stored on foreign territory. This puts EU entities in a sensitive position, as it could force them to comply with US legislation by transferring personal data even though they are based in the EU and bound by the GDPR. It is therefore important to look at whether EU entities are genuinely impacted by, or liable under, this Act.
The Dutch National Cyber Security Centre commissioned a leading law firm to investigate the application of the CLOUD Act to European entities, and the results were published last week.
As explained, certain data protection legislation has a strong extraterritorial effect. The core question at the centre of this article is how strong the extraterritorial effect of the CLOUD Act is on European companies, especially in light of GDPR compliance.
The CLOUD Act may apply to an EU entity under certain circumstances only.
Only under certain circumstances can this legislation be applied to EU entities. Notably, it applies only to providers of an electronic communication service or remote computing service (cloud suppliers) which have sufficient contacts with the US. The latter point is important: whilst the legislation does not give US courts new powers over foreign companies as such, it does reach those companies which maintain ‘minimum contacts’ with the US. In practice, this means the US government can apply the Act to an EU entity that is: 1) a US legal entity; 2) a foreign entity with an office in the US; or 3) a foreign entity with enough contacts in the US to satisfy the requirements of personal jurisdiction. The applicability of the CLOUD Act to EU entities outside the US therefore depends on the presence, associations or affiliations the entity has or establishes within the US. Companies can rest assured that if they conduct a data transfer impact assessment (DTIA), use standard contractual clauses (SCCs) and apply the relevant supplementary measures, compliance with a CLOUD Act order will in most cases be compatible with GDPR compliance. This is reinforced by the Schrems II judgement, which requires the parties to a transfer to verify that the SCCs can be honoured in practice in the destination country and to add supplementary measures where they cannot, so that the burden of justifying a disclosure falls on the transfer arrangement rather than on the EU entity alone.
EU entities not located in the US but offering services or products to customers in the US.
A second question concerns the impact of the CLOUD Act on EU entities which are not located in the US but offer services or products to customers there. This turns heavily on the criterion of ‘personal jurisdiction’, which considers whether a company is effectively ‘at home’ in the US or has purposefully directed its activities at the US market. An example is a foreign company whose reach within the US is so expansive that it could be brought before a US court. The test looks at the company’s activities in, and interaction with, the US market. Therefore, a company which offers products tailored specifically to the US market may well need to comply with a CLOUD Act order, whereas a company which does not target the US, and holds no other contacts with it, is far less likely to be affected by such an order.
Consequences of not complying with an order under the CLOUD Act.
The final element to consider is what happens when a European entity refuses to comply with a CLOUD Act order or decides to ignore it. Similarly to the GDPR, companies that fail to comply with the law can face significant monetary sanctions; under US law, fines and even imprisonment are a real possibility for non-compliance with such warrants. However, in various circumstances a European entity can challenge a CLOUD Act warrant. Firstly, on grounds of comity, where the warrant conflicts with the law of a foreign country that has not entered into an international agreement authorised by the CLOUD Act. This is interesting in light of the CJEU’s decision in Schrems II, which invalidated the EU-US Privacy Shield: as there is currently no agreement between the EU and the US regarding data transfers, a CLOUD Act order can be contested by European entities on this first ground where it would clash with the GDPR. A further protection exists where the customer or subscriber does not reside in the US and is not a US person, and where disclosure would create a material risk of violating the laws of a ‘qualifying foreign government’ (a term the Act reserves for governments that have concluded an executive agreement with the US under the CLOUD Act). It can therefore be argued that EU entities currently enjoy quite strong protection against CLOUD Act orders. However, this could evolve with new agreements between the US and the EU regarding international data transfers.
The CLOUD Act in light of the Schrems II judgement.
Overall, EU companies with very weak connections to the US and little to no business there will face minimal consequences under the CLOUD Act. EU entities which do possess ties to the United States may also be able to resist a CLOUD Act order, since in its current state the Act clashes with the GDPR in the absence of a transfer agreement. In practice, the Schrems II judgement has largely blunted the Act’s extraterritorial effect on EU entities.
Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.