CLOUD Act v. GDPR

US authorities can demand data being handed over

Since 2013, Microsoft has been consistently refusing  to release data stored in Ireland to US federal authorities, their long-running legal battle ending up recently before the US Supreme Court. The Court has now closed the case because in the meanwhile a new law, the CLOUD Act (Clarifying Lawful Overseas Use of Data), got signed into law. It gives US authorities the right to request data from US cloud providers even if it is stored outside the US.

Objection possible, but stands very little chance of succeeding

The cloud operator may object, but only if the disclosure is in violation of local law and if the data does not originate from a US citizen, a US resident or a US company. In addition, the competent US courts must consider so many factors that they will hardly ever be able to grant the appeal. In addition, bilateral agreements are to be negotiated which also undermine these possibilities for objection.

De facto access to all data in the cloud

It must therefore be assumed that US authorities will have access to all data from US cloud providers, regardless of where these are being stored. People who are affected by such a claim have no possibility to defend themselves and usually do not even know about it.

Will customers of US cloud services be violating the GDPR?

What are the consequences for companies that process or store data of their European customers in the cloud with providers such as Amazon, Microsoft, or Google? Do they automatically violate the GDPR and must therefore expect fines of up to 20 million Euros or 4% of their annual sales? In short: yes, if the data is transferred or disclosed to U.S. authorities. Art. 48 of the GDPR prohibits the surrender of data to third countries if no MLAT (mutual legal assistance treaty) or other international agreement agreement exists - which, for the time being, remains the case. The bottom line is that, if you want to be on the safe side, you had better think twice where you store your customers' data.

Read more on the case:

• Microsoft vs. USA: Supreme Court entscheidet nicht über internationalen Datenzugriff
• Cloud Act
• Supreme Court punts on Microsoft email seizure decision after Cloud Act passes US Congress
• Official text of the GDPR
• The CLOUD Act, Explained