The European Data Protection Board and the European Data Protection Supervisor published on Friday 12 July their joint preliminary assessment on the implications of the US CLOUD ACT for the European data protection framework.
Requested by the European Parliament's Civil Liberties Committee (LIBE) last January (see EUROPE 12166/4), the main purpose of the evaluation was to clarify what service providers should do if they find themselves in a situation of conflict between the application of US law and the application of European law, namely the General Data Protection Regulation (GDPR).
US law provides that US service providers will be required to comply with data disclosure orders issued by US authorities, regardless of where the data is stored.
On the EU side, however, Article 48 of the GDPR Regulation on foreign investigations prohibits the transfer or disclosure of personal data, except under a mutual legal assistance treaty or other international agreement, for example the one that the European Commission will negotiate with the United States on cross-border access to electronic evidence held by a service provider in criminal proceedings (see EUROPE 12278/20).
In the document, the two authorities therefore confirm "that currently, unless a US CLOUD Act warrant is recognised or made enforceable on the basis of an international agreement, the lawfulness of such transfers of personal data cannot be ascertained, without prejudice to exceptional circumstances where processing is necessary in order to protect the vital interests of the data subject".
In addition, in cases where there is an international agreement such as a mutual legal assistance treaty, EU companies should generally refuse direct requests and refer the authority of the requesting non-Member State to an existing mutual legal assistance treaty or agreement, they write. In their view, this approach ensures that the data are disclosed in accordance with EU law and under the supervision of the European courts.
In addition, the document points out that the mutual legal assistance treaty already in force between the EU and the United States contains very few provisions relevant from the point of view of data protection. In doing so, both authorities call for the urgent implementation of a new generation of mutual legal assistance treaties that will enable requests to be processed much more quickly and safely.
The European Committee and the European Data Protection Supervisor also recall that any agreement between the EU and the United States on transatlantic access to electronic evidence must contain sufficient adequate data protection safeguards, comply with EU law and ensure reciprocity in the conditions under which both parties can access data.
See the document: https://bit.ly/2LUsH16 (Original version in French by Marion Fontana)