Transfer of EU Personal Data to U.S. Law Enforcement Authorities After the CLOUD Act: Is There a Conflict with the GDPR?
Randal Milch and Sebastian Benthall (eds), “Cybersecurity and Privacy in a Globalized World - Building Common Approaches”, New York University School of Law, e-book (Forthcoming)
17 Pages Posted: 14 Jun 2019
Date Written: May 27, 2019
Since the adoption of the Clarifying Lawful Overseas Use of Data Act – CLOUD Act in March 2018 there have been a lot of discussions about whether a transfer of EU personal data by an Internet and Cloud Service Provider to U.S. Law Enforcement Authorities under the Stored Communications Act (SCA), could conflict with the EU General Data Protection Regulation (GDPR), in force since May 2018. Some commentators went as far as arguing that the CLOUD Act was “an American offensive in order to counter the GDPR”! However, to our knowledge, up to today, there is still no comprehensive study of the topic examining whether a transfer of EU personal data to U.S. LEAs under an SCA warrant could violate the GDPR. The objective of this paper is to contribute to this debate by focusing on the interaction between article 48 (which was introduced in the GDPR in order to limit transfer of EU personal data to foreign governments) and the permissible “derogations” under article 49 – and, especially, the most relevant among them which authorizes transfers “for important reasons of public interest” (art. 49(1)(d)).
The two first parts of this paper “set the scene” by presenting the relevant provisions of the GDPR and their legislative history. The third part examines how these provisions have been interpreted by different actors, including the EU Commission, during the proceedings in the U.S. v. Microsoft Case before the U.S. Supreme Court. The fourth part focuses on the guidance given on these issues by the European Data Protection Board. The paper ends with 10 conclusions and thoughts on the current situation which, as this study shows, is not clear.
Keywords: GDPR, CLOUD Act, E-Evidence, Data Protection, Privacy, Human Rights, Law Enforcement, International Law, Criminal Law, Extraterritoriality, Conflict of Laws
Suggested Citation: Suggested Citation