US CLOUD Act and Implications for Local Data Protection Compliance

The European Data Protection Supervisor (EDPS) recently published an ‘Initial legal assessment of the impact of the US CLOUD (Clarifying Lawful Overseas Use of Data) Act on the EU legal framework for the protection of personal data’.

There is significant concern from an EU perspective that U.S. authorities might undermine the EU GDPR/Data Protection (Jersey) Law requirements by compelling U.S. providers to allow access to certain types of data stored outside the U.S.

The US CLOUD Act – what is it?

On 23 March 2018 the U.S. Congress enacted the Clarifying Lawful Overseas Use of Data Act (US CLOUD Act). The main objective of the US CLOUD Act is to facilitate investigations by US law enforcement authorities by:

ordering electronic communications services providers or remote computing service providers to preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within their possession, custody or control “regardless of whether such communication, record, or other information is located within or outside of the United States”.

How could the US CLOUD Act undermine the EU GDPR/Data Protection (Jersey) Law?

By choosing to create a legal avenue under US law for US law enforcement authorities to require disclosure of personal data directly from service providers who fall under US jurisdiction, irrespective of where the data is stored, the US Congress has enacted into US law a practice of US governmental entities that is likely to bypass the Mutual Legal Assistance in Criminal Matters Treaty (MLAT) in force between the European Union and the United States of America.

The implementation of the US CLOUD Act means there is the possibility that electronic communications service providers or remote computing service providers could be compelled to answer a request by US law enforcement authorities for the disclosure of personal data that is subject to the provisions of the GDPR/Data Protection (Jersey) Law.

Is there a conflict?

US authorities cannot legally rely on the CLOUD Act alone to force an entity in Jersey to disclose a person’s data. The disclosure must be handled in accordance with our local data protection law.

What does this mean for Jersey?

If you or your organisation receive a request from a US authority to disclose personal data citing the CLOUD Act, in the first instance you need to establish whether the request is lawful.

Consider seeking legal advice to answer these questions:

  1. Is your organisation legally bound to comply with a decision of a US court, given that such decisions do not automatically have legal force here?
  2. Is there a legal basis in Schedule 2 of the Data Protection (Jersey) Law 2018 on which your organisation can rely to disclose the personal data?
  3. Is there a legitimate mechanism your organisation can rely on to transfer the data to the US, which is an unauthorised jurisdiction?

Should you have any questions or concerns please get in touch.