On July 10, 2019, the European Data Protection Board (“EDPB”) and the European Data Protection Supervisor (“EDPS”) issued a joint assessment of the impact of the U.S. Clarifying Overseas Use of Data Act (“CLOUD Act”) on the legal framework for the protection of personal data in the EU.

The EDPB is an independent body composed of representatives from the EU Member States’ Supervisory Authorities for data protection, the national bodies enforcing EU data protection law, such as the General Data Protection Regulation (“GDPR”).  The EDPS is a separate European body whose primary role is to ensure that European institutions respect data protection law.  Though separate bodies, the EDPB and EDPS (hereafter “the institutions”) work jointly on some matters.  Opinions issued by the institutions are not legally binding, but may be influential and are indicative of the stance of European privacy regulators regarding certain issues.

The institutions note that the extraterritorial effect of the CLOUD Act could result in service providers being “susceptible to facing a conflict of laws between US law and the GDPR and other applicable EU or national law of the Member States.”

The institutions point out that Article 48 of the GDPR requires that any order from a non-EU authority requiring the transfer of personal data outside the EU must be recognized by an international agreement – such as a mutual legal assistance treaty (“MLAT”) – to be valid.  Therefore, according to the institutions, “EU companies should generally refuse direct requests and refer the requesting third country authority to an existing mutual legal assistance treaty or agreement.”

The institutions then proceed to consider whether there is any means by which the GDPR would permit a disclosure of personal data outside the EU pursuant to the CLOUD Act.  To do so, the institutions apply a two-step analysis which requires that any international transfer under the CLOUD Act (i) have a valid legal basis under Article 6 of the GDPR, and (ii) fall within one of the derogations provided for in Article 49 of the GDPR.

Step 1: Valid Legal Basis under Article 6 of the GDPR

The institutions consider the possible legal bases available under Article 6(1) of the GDPR and conclude that many are not suitable for purposes of the CLOUD Act.  In particular, some of these bases – e.g., Art. 6(1)(c) (“to comply with a legal obligation”) and Art. 6(1)(e) (“to perform a task in the public interest or in the exercise of an official authority”) – must be grounded in EU or Member State law.  Furthermore, the legal basis of “legitimate interest” under Art. 6(1)(f) cannot be relied on because, in the assessment of the institutions, “data subjects may be deprived from the protection afforded by the provision of Article 47 of the Charter, such as the right to an effective remedy, or that this right could not be exercised in practice.”

The only legal basis that the institutions see as potentially valid for purposes of the CLOUD Act is Article 6(1)(d), where the processing is necessary “to protect the vital interests” of an individual whose life or physical integrity is at risk.

Step 2: Applicable Derogation under Article 49 of the GDPR   

Similarly, the institutions also conclude that many derogations for transfers under Article 49 generally will not – in their opinion – suffice for purposes of the CLOUD Act.  Among other reasons, they indicate that these derogations must have a basis in EU or Member State law, or would be inappropriate for certain types of court orders under the CLOUD Act.  However, the institutions again permit one derogation: to protect the “vital interests” of an individual in line with Article 6(1)(d).

Conclusion

The institutions propose that the EU and U.S. enter into negotiations for a new international agreement that would contain strong procedural safeguards and protect fundamental rights while upholding the principle of “dual criminality.”  Alternatively, the institutions suggest that the U.S. and EU Member States could work to update their existing MLAT agreements to recognize and incorporate the CLOUD Act into these frameworks.