On July 10, 2019, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint assessment of the impact of the U.S. Clarifying Overseas Use of Data Act (“CLOUD Act”) on the legal framework for the protection of personal data in the EU.

The EDPB is an independent body composed of representatives from the EU Member States’ Supervisory Authorities for data protection, the national bodies enforcing EU data protection law, such as the General Data Protection Regulation (“GDPR”).  The EDPS is a separate European body whose primary role is to ensure that European institutions respect data protection law.  Though separate bodies, the EDPB and EDPS (hereafter “the institutions”) work jointly on some matters.  Opinions issued by the institutions are not legally binding, but may be influential and are indicative of the stance of European privacy regulators regarding certain issues.

The institutions note that the extraterritorial effect of the CLOUD Act could result in service providers being “susceptible to facing a conflict of laws between US law and the GDPR and other applicable EU or national law of the Member States.”

The institutions point out that Article 48 of the GDPR requires that any order from a non-EU authority requiring the transfer of personal data outside the EU must be recognized by an international agreement – such as a mutual legal assistance treaty (“MLAT”) – to be valid.  Therefore, according to the institutions, “EU companies should generally refuse direct requests and refer the requesting third country authority to an existing mutual legal assistance treaty or agreement.”

The institutions then proceed to consider whether there is any means by which the GDPR would permit a disclosure of personal data outside the EU pursuant to the CLOUD Act.  To do so, the institutions apply a two-step analysis which requires that any international transfer under the CLOUD Act (i) have a valid legal basis under Article 6 of the GDPR, and (ii) fall within one of the derogations provided for in Article 49 of the GDPR.

Step 1: Valid Legal Basis under Article 6 of the GDPR

The institutions consider the possible legal bases available under Article 6(1) of the GDPR and conclude that many are not suitable for purposes of the CLOUD Act.  In particular, some of these bases – e.g., Art. 6(1)(c) (“to comply with a legal obligation”) and Art. 6(1)(e) (“to perform a task in the public interest or in the exercise of an official authority”) – must be grounded in EU or Member State law.  Furthermore, the legal basis of “legitimate interest” under Art. 6(1)(f) cannot be relied on because, in the assessment of the institutions, “data subjects may be deprived from the protection afforded by the provision of Article 47 of the Charter, such as the right to an effective remedy, or that this right could not be exercised in practice.”

The only legal basis that the institutions see as potentially valid for purposes of the CLOUD Act is Article 6(1)(d), where the processing is necessary “to protect the vital interests” of an individual whose life or physical integrity is at risk.

Step 2: Applicable Derogation under Article 49 of the GDPR   

Similarly, the institutions also conclude that many derogations for transfers under Article 49 generally will not – in their opinion – suffice for purposes of the CLOUD Act.  Among other reasons, they indicate that these derogations must have a basis in EU or Member State law, or would be inappropriate for certain types of court orders under the CLOUD Act.  However, the institutions again permit one derogation: to protect the “vital interests” of an individual in line with Article 6(1)(d).

Conclusion

The institutions propose that the EU and U.S. enter into negotiations for a new international agreement that would contain strong procedural safeguards and protect fundamental rights while upholding the principle of “dual criminality.”  Alternatively, the institutions suggest that the U.S. and EU Member States could work to update their existing MLAT agreements to recognize and incorporate the CLOUD Act into these frameworks.

Photo of Kristof Van Quathem Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of…

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Photo of Nicholas Shepherd Nicholas Shepherd

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing…

Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.

Nicholas is a member of the Bar of Texas and Brussels Bar (Dutch Section, B-List). District of Columbia bar application pending; supervised by principals of the firm.