US CLOUD Act: local implications

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published a preliminary report on 12 July highlighting a potential conflict between the US CLOUD Act and the EU’s data protection framework.

What is the CLOUD Act?
The US CLOUD (Clarifying Lawful Overseas Use of Data) Act was passed by Congress in early 2018. It is intended to enable US authorities to access personal data stored outside the USA, by bypassing any Mutual Legal Assistance Treaty (MLAT) in force. The Act’s provisions are wide in scope, covering personal data and metadata, the full range of governmental requests, including those that do not require judicial intervention, and real-time interception.

What is the conflict?
US authorities cannot legally rely on the CLOUD Act alone to force an entity in the Bailiwick to disclose a person’s data. The disclosure must be handled in accordance with our local data protection law.

What does this mean for the Bailiwick?
If you or your organisation receive a request from a US authority to disclose data about someone citing the CLOUD Act, you need to first establish whether this request is lawful.

You may wish to seek legal advice to answer these questions:

1. Are you legally bound to comply with a decision of a US court, as these do not automatically have legal force here?
2. Is there a legal basis you can rely on from Schedule 2 of The Data Protection (Bailiwick of Guernsey) Law, 2017 for you to disclose the personal data?
3. Is there is a legitimate mechanism you can rely on to transfer the data to the US as an unauthorised jurisdiction?

For more information please read the EDPS and EDPB report: Initial legal assessment of the impact of the US CLOUD Act on the EU legal framework for the protection of personal data and the negotiations of an EU-US Agreement on cross-border access to electronic evidence (July 2019).