New law allows the United States to access data from companies and users located in the European Union.
While attention in Europe is focused on the entry into force of the General Data Protection Regulation, on March 23 there was another legislative development in the United States that will have a great impact on the privacy of citizens and businesses in the European Union: the approval of the Cloud Act.
The Cloud Act is also known as the Law of the Cloud, and allows the United States to effectively spy on European individuals and companies. The law was included in the vote related to the general budgets presented by Donald Trump.
What exactly is the Cloud Act?
Its acronym in English corresponds to the Act of Legal Use of Data Abroad, and its objective is to update the privacy and electronic surveillance laws in force in the United States, some of which date from 1986.
This law has gone far beyond its competences, because it allows North American authorities, anyone from local police to federal agencies, to ask technology companies for data from users and companies from other countries housed in data centres located outside its territory, for example in Europe.
To understand exactly what this means, it is best to look at a real example. In 2013, the Department of Justice asked Microsoft to deliver emails from an account allegedly related to drug trafficking in the United States.
The company rejected this claim because the data was hosted on servers located in Ireland. Therefore, the request had to be processed through the Irish authorities, which are those that have jurisdiction over personal data in their country.
In 2016, an appeals court agreed with Microsoft. However, after the approval of the Cloud Act, in a similar case, Microsoft would be obliged to provide this information.
These extraterritorial prerogatives that the Cloud Act grants to US authorities, even without the intervention of a judge, clash head-on with the provisions set forth in Article 46 of the General Data Protection Regulation, rendering the GDPR obsolete.
This article stipulates that the data controller can only transmit personal data to a third country or international organisation if it has offered adequate guarantees and provided that the interested parties have enforceable rights and effective legal actions.
Article 48 of the same regulation states that “any judgment of a court or decision of an administrative authority of a third country that requires a data controller to transfer or communicate personal data will only be recognised or enforceable if it is based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other reasons for the transfer under this chapter”.
In addition, the Cloud Act can mean the end of the Privacy Shield, the agreement reached between the EU and the United States in 2016 to allow the transfer of personal data.
A resolution presented in the European Parliament this June calls for the suspension of the Privacy Shield until the impact of the Cloud Act is clarified and the respect of privacy by the US is guaranteed.
Apart from the possible infringement of the privacy rights of European citizens, the Cloud Act can also become a powerful weapon in the “economic war” that President Trump seems determined to declare on the European Union, which he recently described as a “commercial enemy”.
For example, a government agency could ask a technology company, such as Google or Facebook, for access to emails or files of a European company hosted outside the United States to check whether it has business relations with Iran or participates in any business in which American companies compete.
It may sound paranoid, but do not forget that between 2008 and 2009 the National Security Agency of the United States asked the German intelligence services to provide 40,000 data files on European companies that had nothing to do with terrorism, as reported by the parliamentary commission organised in Germany following the revelations of former analyst Edward Snowden.
The best way for European citizens and companies to protect their privacy from interference from the United States is to host their personal data with cloud service providers that are located in the territory of the European Union and belong to European companies.
Keep in mind that US cloud service providers operating in the European Union, even if they have their data centers in European territory and comply with European laws, are subject to the dictates of the Cloud Act, so they could be required to reveal data from European users and companies if requested by the North American authorities.