Members of the European Parliament's Civil Liberties Committee (LIBE) expressed serious concerns to the European Commission on Monday 7 January about the implications of the US CLOUD Act for data protection in EU information systems.
US law provides that US service providers will be required to comply with US data disclosure orders, regardless of where the data is stored (see EUROPE 11973).
In the field of justice and home affairs, the Commission has concluded contracts with companies for the development and management of large-scale EU IT systems. MEPs fear that, if these companies are subject to US jurisdiction, they will be forced by US law enforcement authorities to disclose sensitive data about European citizens stored in these systems.
Dutch MEP Sophie in't Veld (ALDE) submitted a written question to the Commission on 2 July on this subject, to which the Commission did not reply within the deadline. The subject was therefore referred to the parliamentary committee.
Among the major concerns are the conflicts between the application of US law and the application of European law, namely the General Data Protection Regulation (GDPR).
“Where the Americans say 'American first', we should say 'GDPR first, Europeans first’”, said the Dutch MP.
Tania Schroeter, in charge of the case at the European Commission, tried to reassure. The CLOUD Act only allows data to be requested from companies with links to the United States, which are registered in the United States, for example, she explained.
"Eu-Lisa has confirmed to us that no direct suppliers are registered in the United States”, she said. In addition, contracts with companies contain strict confidentiality requirements that prohibit them from disclosing this data to the US authorities.
"I don't think it is our role here to give an interpretation of the CLOUD Act”, the Commission representative finally concluded, sending the ball back to American legislators.
A response that left MEPs very dissatisfied, and they agreed to come back to these questions, preferably in the presence of the relevant European Commissioners, suggested Mrs in't Veld. It also requested that the European Data Protection Committee issue a legal opinion on the implications of this controversial US law. (Original version in French by Marion Fontana)