The CLOUD Act: Unveiling European Powerlessness
Emmanuelle Mignon
Responsable du département Public Réglementaire Environnement chez August DebouzyIssue
Issue #1Auteurs
Emmanuelle Mignon21x29,7cm - 134 pages Issue #1, septembre 2020 12,90€
La compliance, une idée européenne ?
The Warrant Case
In 2013, as part of an ordinary drug investigation, the US Federal administration asked Microsoft to produce data pertaining to one of its clients, as well as the content of his electronic mailbox. The order was based on the Stored Communications Act (SCA), a piece of legislation adopted when a fledgling Internet did not yet concern the general public, which provides that the principle of confidentiality of communications extends to electronically exchanged data, save for information useful to criminal investigations.
Pursuant to this Act, the order took the form of a SCA warrant issued by a federal judicial authority and based on reasonable evidence (“probable cause”) that the user’s email account was used in connection with unlawful activities. Microsoft was given two weeks to turn over the requested information and data. In addition to that, it had to wait 30 days before informing its client. As a matter of fact, the latter was not a US citizen, nor a resident alien; however, this was not considered material in the course of the legal dispute.
After disclosing the customer’s data stored in the United States, Microsoft refused to hand over the contents of the email account that was stored in Ireland. Up until then, such requests, be they for content, user data or metadata 1 , have never given rise to difficulties on the grounds of the relevant data being stored abroad. Nonetheless, Microsoft (supported more or less overtly by other GAFA 2 companies) considered it was the right moment to question the scope of a legislation adopted in 1986 and barely revised ever since, despite the fact that in the past three decades the use of electronic data storage by external providers, once extremely costly and rare, soared, that data centers are disseminated worldwide, and that a growing share of clients are conscious about the place their data is stored and the protection it is afforded.
Several judicial proceedings followed the refusal to comply with the warrant. In short, Microsoft lost the first trial, but the Court of Appeals for the Second Circuit in New York ruled in its favor, stating that an SCA warrant cannot compel a provider of electronic communication, processing or storage services 3 to communicate data stored abroad to the US administration. 4 By deference to foreign sovereignty and in accordance with principles of private data protection, such discovery orders are to follow the process of international legal cooperation, that is, either a procedure laid down in a Mutual Legal Assistance Treaty (MLAT), or international letters rogatory.
Let it be said here: these procedures allow authorities seeking to retrieve electronic data to ask for the assistance of the officials of the country where such information is stored; who then collect it, provided that certain conditions are met (legitimacy, lawfulness, precision of the request, purpose for which the information may be utilized, etc.), political and diplomatic considerations never being entirely absent. The duration (several months) and the cumbersomeness of these procedures are ill-suited to the needs of the fight against crime –as the latter benefits from the facilitation provided by modern communication technologies.
The ruling of the Appellate Court for the Second Circuit relied on SCA’s lack of extraterritorial reach in the absence of any explicit indication to that effect, as well as on a “change in circumstances” theory according to which, nowadays, customers of online services providers store more data than ever before on cloud and are entitled to expect their data to benefit from the same protection against searches and seizures as if it were stored at the corporate headquarters or at their physical domicile. These customers are increasingly conscious about the place their data is stored and justified in thinking that the provisions ruling the disclosure of their data are set by the country where the information is stored or where the provider (to whom data is entrusted) is located. The notion of “legitimate expectation” is one of the criteria that the US Supreme Court applies in order to find the right balance between the tools available to law enforcement for criminal investigations (searches, seizures, wiretaps, GPS localization and other means of investigation…), and the prohibition of unreasonable searches and seizures under the Fourth Amendment to the United States Constitution 5 .
This ruling did not change the case law, as other courts continued to issue and recognize SCA warrants relating to data stored abroad; even so, in the absence of a clearly established solution, GAFA companies started resisting such requisitions by relying on the Microsoft precedent.
The US Government filed an appeal with the Supreme Court, which accepted to hear the case. Multiple Amicus curiae 6 were submitted to the Court, including one from the European Commission. Yet before the Court’s ruling, Congress passed the Clarifying Lawful Overseas Use of Data Act as a rider to an omnibus government spending bill for 2018. As its name suggests, this legislation clarifies the SCA and excludes location of data center as a ground for opposing the production of electronic data requested by the US administration from a US-based online services provider in the course of a criminal investigation. The law was enacted on March 23, 2018 and came immediately into effect. With the agreement of the parties involved, the Supreme Court acknowledged that the case was moot (the US administration could obtain a new warrant under the newly passed law, with which Microsoft would have to comply) and remanded it back to the Court of Appeals for the Second Circuit to draw the due consequences 7 .
GAFA, which had supported Microsoft in its battle against the US administration, surprisingly welcomed the adoption of the CLoud Act, Microsoft included. In point of fact, economic players entertain the utmost aversion for legal uncertainty; if there was one matter everyone could agree on –including the judges of the Court of Appeals for the Second Circuit– it was that the best solution had to be a legislative undertaking.
The Competing Arguments
The arguments exchanged between the parties during the Warrant case can help understand the scope of the CLOUD Act, which includes quite a few provisions beside the one that renders the matter of data location irrelevant. As is frequently the case, they are both legal and political in nature.
To oppose the communication of data stored outside the United States, Microsoft contended that:
- A cloud is a virtual cabinet which cannot reasonably be treated differently than a physical cabinet. As the latter cannot be forced open without the consent and support of the authorities of the country where it is located, so it should be for the former, if the foreign country’s sovereignty is to be respected.
- Under US law, a statute cannot apply extraterritorially without an explicit indication to that effect. No such indication of extraterritorial reach exists in the SCA, or in its legislative history. In fact, the question was not relevant in 1986.
- The execution of the warrant puts –or risks putting– the online services provider in a conflict of laws situation. At the time, Irish law and European legislation concerning the protection of personal data banned the transfer of personal information stored in Ireland to US authorities outside an international legal cooperation procedure (as a reminder, and contrary to what is often written, the mechanisms provided for by the Privacy Shield agreements, adopted before the entry into force of the GDPR 8 , does not cover personal data transfers to governmental agencies; only transfers to US companies that self-certify as fully adhering to the principles laid down in the aforementioned agreement are concerned). This is still the case under the GDPR (see below). The request puts therefore the service provider in an untenable position, in that either it disregards Irish law in order to comply with the US warrant, or it infringes US law to fulfill Irish obligations.
- US authorities are particularly well aware of this concern, for US law prohibits the transferring abroad of data located in the United States outside international legal cooperation procedures, whether such data pertains to a US person 9 . A US person is a citizen of the United States, a permanent resident alien, a non-registered partnership whose members are predominantly US citizens (or permanent resident aliens), as well as companies registered in the United States. or not, even if it has no other connection to the United States than its storage location.
- GAFA made a selling point of data storage location, which becomes meaningless should US authorities have access to information through warrants targeting parent companies registered in the United States. A requirement, originating from the US government, that data stored abroad be communicated whenever it is controlled by a GAFA would harm US providers’ competitive position, particularly in Europe.
- The possibility for US authorities to obtain data stored outside the US by simply addressing warrants to US parent companies could lead affected countries to adopt data localization policies, which would reach an aim contrary to the US administration’s, as it would in fact isolate data in a particular storage location and force authorities to resort to international legal cooperation in order to obtain it. The goals pursued by the US authorities are valid, although the only way to reach them would be through an international agreement that provides democratic countries with investigative means adapted to an evolving criminality, on a reciprocal basis and in line with privacy protection imperatives.
The US administration argued that:
- The SCA warrant denounced by Microsoft had no extraterritorial reach, as it was issued in the United States, by a US court, to a US company and to be executed in the US as part of a criminal investigation involving the United States. This situation had nothing to do with, for instance, sanctioning European companies because of their financial ties with Iran by banning them from doing business in the United States.
- Assuming that the execution of the warrant entails an extraterritorial reach, because data is not stored in the United States, a mere “click” would suffice for Microsoft to repatriate it, thus purging the litigious warrant of its extraterritorial nature.
- Data distribution in storage locations all around the globe is partly random, depending more on technical constraints than on the residence of the user. Sometimes data of the same user is distributed in centers located in various countries. Moving data from one data center to another is frequent and sometimes automatic. Assuming that data location is dependent upon user location (as argued by Microsoft), the latter is declared by the customer and is not verified. The effectiveness of the fight against crime cannot be contingent on random data distribution mechanisms, even less on the possibility for every user to declare any residence in order to benefit from this or that location.
- A SCA warrant is a hybrid tool, something between a search warrant and a subpoena: it shares with search warrants the legal requirement that an independent judge issues it based on probable cause; however, it is similar to a subpoena, in that there is no physical coercion or search, as the subpoenaed documents are voluntarily handed over by the person holding them (though under the threat of contempt of court, should he or she not comply). Excluding a physical search, a SCA warrant is not required to specify a particular territorial application; it only matters whether the person from whom data is requested has it under his or her control.
- Were we to follow Microsoft’s argument, it would prevent the GAFA from producing not only data belonging to foreign individuals or companies stored outside the United States, but also data stored abroad and related exclusively to the US: US territory, a US victim and a US suspect –according to the US administration, the most common situation. US authorities cannot imagine having to resort to MLAT to retrieve from Ireland pictures of US victims of a US pedophile, who lives in the United States and sees them from his computer in Arkansas. During a Senate hearing, an official from the US administration endeavored to provide Senators with examples of criminal investigations 10 that, while having no extraterritorial aspect, were nonetheless deadlocked since the ruling of the Court of Appeals for the Second Circuit 11 .
- Potential conflict of laws situations invoked by Microsoft are in fact quite rare. The consequences of the Court of Appeal’s ruling are disproportionate with regards to the actual risk of such occurrences.
- Last, the US administration argued that Microsoft’s position was detrimental to foreign countries themselves. In practical terms, it also prevented foreign authorities from retrieving data from GAFA with the help of US authorities in the context of international legal cooperation. However, this was partly a bad faith argument: for instance, if France sought to obtain data stored by one of the GAFA in Rio de Janeiro, it could as well turn to Brazilian authorities.
The CLOUD Act
The US administration responded to these difficulties with the CLOUD Act.
Unhappy with simply using the law in order to invalidate the Court of Appeal’s ruling, it went further by proposing solutions to US companies (i.e. GAFA) in case of a conflict of laws, and by offering its partners a framework for a more effective international police cooperation; in return, the US administration hopes that countries will refrain from passing data localization policies, which would undermine the desired goal, that is, facilitating data access, as well as risk placing its companies at a competitive disadvantage. Its manifold objectives render this legal instrument quite complex.
What we have here is a four-time waltz:
1. Every online services provider based in the United States must hand over to the US administration communication data requested through a SCA warrant, no matter where it is stored, as long as it is in the provider’s possession, custody or control.
From a legal point of view, and as many authors put it, the CLOUD Act does not change the state of American law regarding the substantive conditions that such warrants shall meet to be lawful: the request must be addressed to an online services provider; 12 this provider must fall under the jurisdiction of the United States; the data requested shall be in the provider’s possession, custody or control; 13 the request must be justified by the needs of a criminal investigation; it must be validated by an American judicial authority 14 , which checks the merits (serious suspicion that an offense has been committed or is about to be committed), the relevance (the data sought are actually likely to be of interest to the investigation) and the proportionality.
Likewise, contrary to what has been often said, the CLOUD Act is not a genuinely extraterritorial piece of legislation: it applies to any US-based company, as well as to its subsidiaries –even if registered abroad (see below). Yet, this is a broad understanding of the territorial scope of US law, but not, strictly speaking, an extraterritorial reach.
The novelty lies in the fact that, should the requested data be physically stored outside the United States, it is no longer an obstacle to its communication to the American authorities. Therefore, GAFA, which are tech companies registered in the United States, are to communicate any data stored in the US or in a foreign country upon request by the US authorities, even if said data belongs to a foreign company or individual and has been entrusted to a GAFA subsidiary registered abroad. As GAFA companies control the most part of the global cloud, and this is the point, critics of the CLOUD Act consider that the United States offered itself access to all data worldwide.
Moreover, the CLOUD Act does not affect the guarantees offered by the SCA. Based on the CLOUD Act, US officials can order the production of electronic data from online services providers only as part of a judicial procedure and with a warrant or a court order. In Europe, we were quick to conclude that the CLOUD Act was the means for the US administration to get hold of our companies’ strategic data, pillage our knowledge or lock up our CEOs. This might be simple scaremongering. The CLOUD Act’s first purpose is to obtain the communication of data from individuals or companies suspected of having committed misdemeanors or crimes. In principle, this is not the case for most of our companies.
2. If a SCA warrant places an online services provider in a conflict of laws situation because data is stored in a country whose law prohibits such data communication, it is for the court before which the case is brought to apply, if need be, common law principles of comity, that is, international courtesy principles recognized by US courts. This standard allows it to refrain from applying (or to apply in a more nuanced way) US law when major interests of foreign countries are at stake.
The purpose of this explicit reference to the common law principles of comity is to discourage partner countries from passing data localization policies, which would, for instance, require online services providers in said countries to register their parent companies outside the United States in order to avoid being subject to the CLOUD Act 15 (an unlikely hypothesis, unless they want to get by without GAFA’s services), or policies that would compel certain companies to entrust their data to only those sovereign clouds that have no connection to the United States. Without taking anti-GAFA measures, it is as of now sufficient that concerned countries adopt policies that seem necessary to them in order to protect data entrusted to the GAFA against the CLOUD Act’s exorbitant effects by applying the principles of comity.
The inclusion of such a principle in the SCA appears to be a progress, as many authors doubted it was applicable to this piece of legislation; on the other hand, the statute does not delineate the boundaries of this principle. Yet, US case law shows that US courts rarely agree to recognize the existence of a conflict between US law and European law –often regarded as less binding (see below). In addition to that, the appropriate legal procedure in case a provider seeks to enforce common law principles of comity is not by way of an action, but as a defense to a contempt of court procedure following the refusal to execute the warrant. Thus, the provider would have to take a significant risk.
To put things differently, the explicit reference to the common law principles of comity in the law is progress, but its actual implementation remains unclear, uncertain and will depend on the determination of judges.
3. Foreign governments may sign a bilateral treaty with the United States through which each administration could turn directly to providers in another jurisdiction to request relevant data without the need for a MLAT or international letters rogatory.
In practice, were France to sign such an agreement with the United States, French authorities could request directly tech companies registered in the US to provide data relevant to French investigations held under their control, without having to resort to the Department of Justice. US law would no longer hinder the disclosure of requested data, as is presently the case. Reciprocally, US authorities would be allowed to appeal directly to tech companies registered in France, for instance Orange, requesting the latter online services provider to hand over communication data under its control, without involving French authorities.
It is important to note, as of now, that the CLOUD Act prohibits explicitly such agreements from enabling foreign governments to retrieve data pertaining to US persons. This point is crucial and will be developed below.
Besides, in order to limit the disclosure of personal data to investigation services all around the world, the CLOUD Act states that warrants issued in virtue of such bilateral agreements can only target “serious crimes”.
These international agreements will take the form of executive agreements, i.e. agreements which do not require a 2/3 majority vote in the Senate, or the passing of a law by both Houses of the US Congress. The agreement enters into force as long as both Houses do not vote against it by a joint resolution within 180 days after its notification to the Congress. Only countries that respect human rights and meet democratic standards are eligible to the signing of these agreements.
In reality, the CLOUD Act organizes on a world scale what the e-evidence regulation and directive projects attempt to set up at the European level, that is, the possibility for investigating authorities in each country to obtain the disclosure of communication data relevant to their criminal investigations, by appealing directly to online services providers which process or store such data, rather than going through the conventional international legal cooperation framework. The express intent is to match the rhythm of criminal investigations to that of crime itself.
The possibility of signing these international agreements in such an expedite fashion is a source of consternation for US human rights associations. In any case, US persons (notably, US citizens) have nothing to fear from these executive agreements, as they cannot cover data that belongs to US persons. On the contrary, an executive agreement with, say, China, would allow the latter to retrieve data concerning (as the case may be) political dissidents from GAFA, without any intervention from the US administration. Of course, this would not be possible unless China met the human rights protection standards outlined by the policy and conditioning the signing of an executive agreement by the United States. Still, human rights associations criticize precisely the power of the US administration to weight those standards without proper supervision from the Congress.
4. Lastly, as a way to encourage foreign countries to sign executive agreements, the CLOUD Act states that any online services provider, American or foreign, required by the US authorities to communicate data stored in a country bound by such an agreement may, in a conflict of laws situation, request an exemption through a fast and direct special procedure (which should be less risky than defending a contempt of court case).
The statute extensively details the criteria that the court before which the matter is brought must take into account when deciding whether to quash or modify the warrant: serious risk of sanctions for the provider; the interests of the United States in obtaining the litigious data; the interests of the foreign government in preventing disclosure; the location and nationality of the customer; the nature of its ties with the United Stated; the importance of the investigations already conducted and the importance to said investigations of the information to be disclosed; the likelihood of proper access to requested information by means causing less negative consequences.
Without any precedent on this matter, the precise differences between the ordinary procedure (i.e. the common law principles of comity) and the special procedure (comity analysis) available only for the disclosure of information stored in countries that have signed an executive agreement, is hard to understand. As the US Government’s objective is to encourage its partners to sign executive agreements, expressly enumerating the criteria of assessment in comity analysis should make them more effective, operational and trustworthy.
The White Paper from the US Department of Justice
On April 2019, the US Department of Justice released a White Paper regarding the purpose and impact of the CLOUD Act 16 .
The document mainly highlights the advantages of the CLOUD Act for the criminal investigations of foreign governments that would enter into an executive agreement with the US thanks to the Act. It also minimizes the scope of the Act by reminding that the statute does not change the substantive conditions under which the US law enforcement authorities may issue SCA warrants, except regarding the place where the date is stored, which become irrelevant.
More interestingly, the US government seems to have understood the commercial prejudice that the CLOUD Act may have created for the major US tech companies whose subsidiaries face, in various countries in the world, the reluctance of foreign corporations to keep entrusting US online services providers with their data. In order to mitigate this side effect of the CLOUD Act, the White Paper recalls that foreign tech companies are not necessarily out of the scope of the Act if they provide services in the US and have “sufficient contacts” with the US to be subject to US jurisdiction (see below).
Some Unknown Factors
As with any legislation, the CLOUD Act contains several unknowns of unequal importance. Let us address two of them.
First, the CLOUD Act does not allow determining whether the European Union could sign an executive agreement with the United States on behalf of its member States. The law uses the words “foreign government” to designate the partners entitled to sign an executive agreement with the United States. Clearly, the European Union is not a government. It seems that, by using such terms, the United States indicates that it does not want to be involved with European Union countries whose compliance with democratic standards is not assured.
Admittedly, on September 25, 2019, the US and the EU started to negotiate an executive agreement on the basis of the CLOUD Act, which tends to prove that the CLOUD Act enables the US government to sign such agreement with that specific international organization that is the EU. However, it results from the report from the EU Commission on the first round of negotiations that the objective of the US is to negotiate a framework agreement with the EU, supplemented later by bilateral agreements with individual EU Member States. 17 During the second round of negotiations, on November 6, 2019, the US highlighted its concerns on the rule of law situation in some EU Member States. 18
Second, it is unclear to which extent the CLOUD Act could apply to companies registered outside of the US.
Clearly, the CLOUD Act applies to data entrusted to foreign subsidiaries of companies registered in the US, either because the data is in reality under the parent company’s control, according to US authorities, or because, in any case, the CLOUD Act applies to every company under US jurisdiction: yet, US law includes companies registered in the United States, as well as their subsidiaries –even if they are registered in a foreign country.
The statute applies also to the US subsidiaries of companies registered outside the United States (say the US subsidiary of Orange). Indeed, such subsidiary is registered in the United States. It is therefore incontestable that this subsidiary is subject to the CLOUD Act and is consequently under the obligation to hand over data under its control, wherever it may be stored. One may assume that such data has been handed into its custody by US persons.
On the other hand, the question whether the CLOUD Act could apply to data processed or stored by companies registered outside the US, but doing business in the US, is controversial.
From a legal standpoint, the application of the CLOUD Act to foreign companies could take three paths:
The data sought by the American administration and stored outside the United States by a foreign company would be claimed from the US subsidiary of this company, which would be regarded as having “control” on this data. However, we find it difficult to consider that a US-based subsidiary of an online services provider registered outside the US could be seen as controlling the data entrusted to its parent or sister company’s custody, unless in case of technical control.
Under US law, any person in the United States is subject to the jurisdiction of the United States. Should the term “person” designate natural person and legal person such as companies, a French company doing business in the US might therefore be considered as subject to the jurisdiction of the US.
More convincingly, a company providing services in the United States may be considered by the US courts as subject to the jurisdiction of the United States if the importance of this activity justifies it (so-called “doctrine of sufficient contacts”). Indeed, the American courts consider that it would be unfair with regard to US companies to exempt companies doing business in the United States but registered elsewhere, from the application of American law. The importance of the activity/contacts that results in the submission of the concerned company to the jurisdiction of the United States is assessed by the court seized according to a case-by-case analysis.
Considering the fact that the foreign major competitors of the GAFA, such as Orange, usually do business in the US, otherwise they are “economic dwarves”, the application of the CLOUD Act to such companies would have significant consequences:
- The US administration would gain almost unlimited and worldwide access to data, despite it having no ties to the United States (e.g. a French company’s data entrusted to Orange in France and stored in France), save for a connection with a criminal offence involving the US, thus contradicting the considerations that motivated the passing of the CLOUD Act. Now, MLAT procedures serve precisely this purpose; if the CLOUD Act’s aim is to allow US administration to unchain itself, in some circumstances, from overly slow and cumbersome procedures, it would be unwarranted to disregard them altogether.
- Any policy aiming at creating sovereign clouds shielded from US interference would become useless, unless such clouds were entrusted to “digital dwarves” having no activities in the United States.
- Online services providers would be often placed in conflict of laws situations, for foreign States, unable to protect themselves through sovereign clouds, would likely retaliate by multiplying laws that ban the transfer of data stored on their territory.
The case law has not yet clarified this point.
The US-UK Agreement: First Executive Agreement Under the CLOUD Act
On October 3, 2019, the United States and the United Kingdom signed in Washington the first executive agreement under the CLOUD Act. Such executive agreement, named the US-UK Bilateral Data Access Agreement, is crucial since it should serve as a role model for other bilateral agreements.
The significant points of this agreement are the following:
- The agreement distinguishes the Issuing Party, that is to say the country that issues the request for the disclosure of data (the “order”) directly to the online services provider, from the Receiving Party, e.g. to put it simply the country in which the order is delivered.
- Each Party designated a governmental entity in charge of the implementation of the agreement and acting as a point of contact (the “designated authority”).
- The agreement applies only to investigations related to serious crime. Such notion was not defined in the CLOUD Act. Pursuant to the agreement, serious crime is an offense punishable by a maximum term of imprisonment of at least three years under the law of the Issuing Party.
- The agreement provides that each Party ensures that its domestic laws will not prevent the online services providers requested to disclose data (the “covered providers”) from complying with the orders issued by the Issuing Party. For the US, the CLOUD Act provides it already.
- The orders cannot target data from Receiving Party persons. For each Party, these persons are designated in the agreement and are mainly the citizens of the Parties and the companies incorporated in the Parties. Surprisingly, UK citizens are protected when they are in the UK, but not when they are abroad, 19 whereas US citizens are protected no matter where they are.
- The orders shall be issued in compliance with the domestic law of the Issuing Party. They shall comply with the basic principles of reasonable justification, credible facts, proportionality, and be reviewed by a court, judge or any other independent authority of the Issuing Party. Stricter constraints apply to real-time interception of wire or electronic communications. Some legal experts consider that the guarantees offered by US law for the issuance of the orders are more protective of fundamental rights than the procedures under UK law. Prior to transmission of an order, the designated authority in the Issuing Party shall review the order for compliance with the agreement.
- Any order involving the data of an individual in a third party country is subject to a notification to the government of that country, unless the Issuing Party considers that such notification would be detrimental to security, to the investigations or imperil human rights.
- Should a covered provider receiving an order consider that the order does not comply with the agreement, it shall refer the question to the designated authority of the Issuing Party. If the question remains litigious, the provider may refer it to the designated authority of the Receiving Party. The designated authorities of both Parties shall strive to find a solution. If the Receiving Party’s designated authority concludes that the agreement has not been properly implemented, the order remains unexecuted. Such proceeding should not prevent covered providers from challenging the orders through traditional remedies.
Last, pursuant to a specific proceeding, UK may oppose the use of the data collected through the agreement for the prosecution of offences for which the death penalty is sought; the same applies for the US when the use of the data may concern freedom of speech.
Article 11 of the agreement also provides that it supplements, and does not replace, nor affect, the other legal mechanisms available to the Parties to obtain electronic data from tech companies resulting whether from domestic laws or international agreements, notably mutual legal assistance.
As mentioned above, in September 2019, the US and the EU started to negotiate a similar executive agreement (see below); and, in October 2019, the US announced that negotiations are also on their way with Australia.
The Critical Question of Reciprocity
Although we focus our analysis on the US-UK Agreement, this question concerns all the executive agreements likely to be signed under the CLOUD Act.
As underlined above, the CLOUD Act prohibits the executive agreements that would be signed by the US with its partners from enabling foreign law enforcement authorities to retrieve directly from US tech companies data pertaining to US persons, whether natural or legal. Logically, following the principle of reciprocity governing international conventions, the US-UK Agreement provides that, when applying this agreement, the UK cannot target US persons or companies and reversely.
However, from a practical point of view, the US keeps the possibility to collect data concerning UK citizens, residents or companies through the direct application of the CLOUD Act since it is highly likely that most of the data pertaining to these persons is under the custody or control of GAFA. Therefore, the agreement is practically not reciprocal and can never be, like the other future executive agreements. This irreducible imbalance is aggravated by the fact that data that may be requested on the grounds of executive agreements can only concern serious crimes, whereas the CLOUD Act allows the US administration to deal with all sorts of incriminations, regardless of their seriousness.
Admittedly, one has to keep in mind the great advantage of such executive agreements for the investigating and prosecuting authorities of the partners of the US, since they will allow them to collect data possessed or controlled by GAFA all around the world directly from the US tech companies, without requiring the assistance of the US Department of Justice. The recovery time would be reduced from several months to a few days. 20 Yet such retrieval shall not concern US persons, but it may concern any other natural person or legal entity, which is far from being insignificant.
In other words, foreign partners of the US, and especially European countries, which share with the US a joint attention towards human rights and a common will to fight crime, are placed, with the CLOUD Act and if they start negotiating an executive agreement, which is a diplomatic way of approving the Act, in the position of dropping the protection of their citizens and companies against US investigations and retrieval of data, in exchange for facilitated police investigations. This explains the difficulty met by their governments to reach a final opinion on the CLOUD Act, law enforcement departments thinking that it is a good piece of legislation, economic and data protection services being more circumspect.
It is up to each citizen to form an opinion as to whether this exchange of good practices (application of the CLOUD Act by the US to retrieve data belonging to nationals or companies of their partners, in exchange for the possibility for these partners to collect directly from GAFA data concerning their criminal investigations unless it pertains to US persons) is equivalent to swapping one’s birthright for a dish of lentils. Personally, I cannot prevent from thinking about this famous quote by Benjamin Franklin “Those who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety, and would loose both”, although the exact meaning of that quote may not be what we think it means.
It must also be agreed that the United States’ partners do not really have a choice, since the CLOUD Act would apply whether they like it or not. The only solution to redress the balance would be to obtain from the US the amending of the CLOUD Act and the prohibition for SCA warrants issued on the basis of this statute to target nationals or companies from countries that have signed an executive agreement with it, which is very unlikely.
State of Play of the US-EU Negotiations
On February 5, 2019, the European Union Commission released a proposal, to be adopted by the Council, for a mandate to negotiate with the US an executive agreement under the CLOUD Act. The proposal was amended following technical discussions with Member States and adopted by the Council on June 6, 2019. Three rounds of negotiations with the US have already taken place.
With respect to the US-UK Agreement, the points that deserve attention are the following:
- The negotiating mandate is full of general considerations on the principle of proportionality and the rights of the defence, but remains very imprecise on the concrete application of these principles.
- The issue of reciprocity, as set out above, is addressed nowhere, like a nose in the middle of the face that everyone refuses to see.
- The EU insists on the importance of aligning the procedures to be implemented under the executive agreement with those resulting from the e-evidence draft regulation and directive.
- EU would like to obtain the possibility to oppose the collection of data by the US not only in case the offence for which the data is requested is punished by death penalty, but also by life imprisonment without review.
- EU would like to get specific guarantees for data whose disclosure would be contrary to the essential interests of a Member State, that is to say a kind of blocking statute about which the Union does not give any details.
Last, and as abovementioned, it remains unclear whether the agreement will apply directly in all EU Member States or whether it will play the role of a framework, then followed by bilateral agreements between the US and each Member State (in which case the question that arises is whether the EU could accept that some of its Member States could not sign an agreement with the US).
Unveiling European Powerlessness
Finally, and though it is sad to say, the CLOUD Act reveals European Union’s weaknesses.
First weakness: the lack of European sovereign clouds. Yet, the issue has been on the table for at least 15 years: 15 years of dithering, procrastination, lack of ambitions, and lack of decisions. The European Union is supposed to empower each Member State, yet here is another area in which it has taken no action. France has not been standing still, for it tried to foster French sovereign clouds. For lack of stimulus, resources, continuity of effort, economic patriotism and, more seriously, conviction, not much came out of it; meanwhile, GAFA’s clouds conquered the market.
Second weakness: the absence of relevant and effective policies allowing GAFA to object to the disclosure of strategic European data to US authorities in the framework of the CLOUD Act — the notable exception being the GDPR.
As for the French “Blocking Statute” 21 , which bans, under certain conditions, the communication abroad of sensitive economic data, it is of little importance for US courts, insofar as the acts it prohibits are never prosecuted. This is why, in its ruling Société nationale industrielle aérospatiale v. US District Court (n°85-1695) of June 15, 1987, the US Supreme Court refused to take into account this statute for releasing a French company from its obligations under US law, arguing that, in fact, French companies that disclose information in violation of the blocking statute are never sanctioned. 22
For its part, in its 60 years of existence, the European Union has never managed to find the means to protect its companies’ data by adopting a comparable but effective system. Even worse, several countries, among which France, never adopted the implementing provisions of Council Regulation n°2271/96 of 22 November 1996 (the “European Blocking Statute”) protecting against the effects of the extra-territorial application of legislation adopted by a third country, and actions based thereon or resulting therefrom. The statute was intended to deter European companies from submitting to the demands of US embargos. Either such pieces of legislation are useful and therefore must be applied, or they are not and must be removed. Nothing is worse for our credibility than their existence in an inert state.
Likewise, the European Union has recently passed a legal provision seeking to protect confidential business information. 23 From now on, this provision, which has been transposed in Member States’ national law, prohibits disclosure of data covered by business confidentiality to US authorities outside an international agreement – i.e. on the sole basis of a unilateral request which would be the case of a request issued in accordance with the CLOUD Act by the US administration to a US tech company – where the latter committed to the company that entrusted to it its data to protect its confidentiality. The eventual liability being civil (rather than criminal), it is however far from clear that US courts, in applying the common law principles of comity or the comity analysis procedure, would consider that failure to comply with EU rules protecting business confidentiality is so serious a ground as to place the GAFA in a conflict of laws situation releasing them from their obligations under the CLOUD Act.
In fact, only the GDPR may place a GAFA company under such a conflict of laws situation in case it is urged by US officials to produce personal data stored in Europe.
Indeed, Articles 44 et seq. of the GDPR establish the conditions under which personal data can be transferred to a third country or to an international organization. Pursuant to these articles, transfers are permitted under the following alternative conditions:
- They are based on a decision of adequacy, that is, after the EU Commission has assessed by way of decision that the third country in question ensures an adequate level of protection of personal data (article 45 of the GDPR). No decision establishing general adequacy has been issued by the Commission for data transfers towards US public authorities so far. Or
- Data transfers are accompanied by appropriate safeguards and the people whose data is involved can protect their rights through enforceable rights and effective legal remedies (article 46 of the GDPR). Without an agreement between the European Union and the United States, these safeguards are inexistent.
- In certain specific situations (article 49 of the GDPR), none of which apply to the transfer of personal data to US authorities under the CLOUD Act –contrary to what the European Commission claimed in its aforementioned Amicus curiae to the Supreme Court. Specifically, the exception contained in article 49, paragraph 1, point d) of the regulation (“the transfer is necessary for important reasons of public interest”) concerns only the public interests of an EU Member State or of the European Union itself according to the Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 produced by the European Data Protection Board on March 25, 2018, and not the common public interests shared by all States. 24
Thus, the transfer of personal data by a GAFA company to US authorities would not comply with the GDPR if it were based on a CLOUD Act warrant and not on a MLAT-like international agreement, an international rogatory letter, or an executive agreement negotiated with the United States. Such a GDPR violation could result in an administrative fine of up to 20.000.000 euros, or, in the case of a company, of up to 4% of the annual worldwide total revenue for the previous year. Considering the magnitude of these sanctions, we may hope that US courts will find that the principles of international comity rule out a company having to violate the GDPR in order to abide by its CLOUD Act obligations.
That being said, it should be noted that the GDPR applies only to data concerning physical persons and not companies.
Third weakness: poor understanding of the underlying matters. One EU official out of two does not perceive the imbalance that is inherent in the CLOUD Act, between data the US administration can get access to on the basis of the CLOUD Act and data that would fall within the reach of EU authorities were the European Union to sign an executive agreement. This misconception is glaringly revealed by the repeated use of the expression “European CLOUD Act” to designate the e-evidence regulation and directive projects. Yet these two pieces of legislation have nothing in common beyond the pursuit of a similar goal. The former unilaterally allows a country to retrieve data necessary to its criminal investigations, due to the dominant position of its companies on the global data marketplace. The latter is an agreement negotiated between the authorities of various countries in order to gain access to data essential to criminal investigations, on an egalitarian and reciprocal basis. As Camus would have put it, “mal nommer les choses, c’est ajouter au malheur du droit”. 25
Fourth weakness: the lengthiness of the European decision-making process and EU’s inability to define strong common positions. Who grasped EU authorities’ stance on the Warrant Case? The European Commission addressed an Amicus curiae lacking any strategic vision and merely offering an interpretation of the GDPR which manifestly contradicted the letter of the Regulation and which, in any case, the European Data Protection Board immediately refuted (see above). Similarly, the EU has been discussing the e-evidence package for two years, while it took less than six months in the US to adopt the CLOUD Act. Now it is obliged to specify, at each round of negotiations with the US on the future US-EU executive agreement, that these texts are subject to modification.
Finally, having been unable to protect its strategic data through its investments or its laws, the European Union finds itself obliged to negotiate an executive agreement with the United States under obvious conditions of economic and diplomatic imbalance. Although, as mentioned above, the risk must not be overestimated, our fundamental economic interests may suffer as a result. This is unfortunately recurrent on many issues.
Notes
- Metadata are “data about data”, i.e. number, type, size, etc. For simplicity’s sake, this term often refers to information about the user; they nevertheless are two different types of data.
- By “GAFA” we designate the main American providers of electronic data communication, processing or storage services.
- The SCA, and now the Cloud Act that amends it, applies to “electronic communication services” (viz. telecom operators or internet access providers), as well as to “remote computing services” (viz. both electronic data processing services –software that elaborate, modify, edit or collect, etc. data– and electronic data storage services –the “clouds”). According to U.S. authorities themselves, these definitions are abstruse (a troubling fact considering that the legal regimes applicable to these providers are not entirely the same). “Online services providers” or, more journalistically, “Tech companies” will be used in this article as generic terms encompassing this variety.
- Microsoft v. United States 829 F.3d 197 (2d Cir. 2016).
- “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”
- In the United States, an Amicus curiae is a voluntary intervention. In France, an Amicus curiae is a request for an opinion issued by the court to an individual or institution likely to enlighten the court.
- US v. Microsoft Corp., 138 S. Ct. 1186, 584 U.S., 200 L. Ed. 2d 610 (2018).
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- A US person is a citizen of the United States, a permanent resident alien, a non-registered partnership whose members are predominantly US citizens (or permanent resident aliens), as well as companies registered in the United States.
- Statement of Brad Wiegmann, Deputy assistant attorney general, Department of justice, before the Subcommittee on crime and terrorism committee on the judiciary United States Senate, May 24, 2017.
- “While the most obvious impact of the Microsoft decision may be to frustrate investigations of foreign nationals targeting U.S. victims, these examples make clear that the Microsoft decision also thwarts or delays investigations even where the victim, the offender and the account holder are all within the United States” (aforementioned statement).
- This is rarely the case since data remains usually the property of customers.
- Such control being of a legal or technical nature.
- With some exceptions that are not crucial in the framework of this article.
- Regarding the sensitive question whether foreign companies may fall within the scope of application of the CLOUD Act, see below.
- Promoting Public Safety, Privacy, and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act, White Paper April 2019, www.justice.gov/CLOUDAct.
- Report from the Commission on the opening of negotiations in view of an agreement between the European Union and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters, September 25, 2019, Note from Commission services to Delegations, 12524/19.
- Report of the Commission services on the second round of negotiations in view of an agreement between the European Union and the United States of America on cross-border access to electronic evidence for judicial cooperation in criminal matters, November 6, 2019, Note from Commission services to Delegations, 13713/19.
- Regarding natural persons, Article 1.12 of the agreement provides that UK persons are only « person[s] located in its territory”.
- From 10 months to 10 days for EU Member States according to the EU Commission.
- Law n°68-678 dated July 26, 1968.
- Since this ruling, one criminal sanction on the basis of the Blocking Statute has been imposed by a French court and upheld by the Cour de cassation (Cass. crim December 12, 2007 n°07-83.228 Christopher X); this led to a slight softening of the US courts’ stance (see In re Activision Blizzard, Inc., 86 A.3d 531 (Del. Ch. 2014)). The exact scope of this change remains however uncertain.
- Directive (EU) 2016/943 of the European Parliament and of the Council of June 8, 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure.
- Any other interpretation of art49 1 d) would be incompatible with art 48 of the Regulation according to which “[a]ny judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter”.
- “To name things wrongly, is to add to the misfortune of the law”.
citer l'article
Emmanuelle Mignon, The CLOUD Act: Unveiling European Powerlessness, Groupe d'études géopolitiques, Juil 2021, 108-116.