Transfer of EU Personal Data to U.S. Law Enforcement Authorities After the CLOUD Act: Is There a Conflict with the GDPR?

Randal Milch and Sebastian Benthall (eds), “Cybersecurity and Privacy in a Globalized World - Building Common Approaches”, New York University School of Law, e-book (Forthcoming)

17 Pages Posted: 14 Jun 2019

See all articles by Theodore Christakis

Theodore Christakis

University Grenoble-Alpes, CESICE, France; Institut Universitaire de France

Date Written: May 27, 2019

Abstract

Since the adoption of the Clarifying Lawful Overseas Use of Data Act – CLOUD Act in March 2018 there have been a lot of discussions about whether a transfer of EU personal data by an Internet and Cloud Service Provider to U.S. Law Enforcement Authorities under the Stored Communications Act (SCA), could conflict with the EU General Data Protection Regulation (GDPR), in force since May 2018. Some commentators went as far as arguing that the CLOUD Act was “an American offensive in order to counter the GDPR”! However, to our knowledge, up to today, there is still no comprehensive study of the topic examining whether a transfer of EU personal data to U.S. LEAs under an SCA warrant could violate the GDPR. The objective of this paper is to contribute to this debate by focusing on the interaction between article 48 (which was introduced in the GDPR in order to limit transfer of EU personal data to foreign governments) and the permissible “derogations” under article 49 – and, especially, the most relevant among them which authorizes transfers “for important reasons of public interest” (art. 49(1)(d)).

The two first parts of this paper “set the scene” by presenting the relevant provisions of the GDPR and their legislative history. The third part examines how these provisions have been interpreted by different actors, including the EU Commission, during the proceedings in the U.S. v. Microsoft Case before the U.S. Supreme Court. The fourth part focuses on the guidance given on these issues by the European Data Protection Board. The paper ends with 10 conclusions and thoughts on the current situation which, as this study shows, is not clear.

Keywords: GDPR, CLOUD Act, E-Evidence, Data Protection, Privacy, Human Rights, Law Enforcement, International Law, Criminal Law, Extraterritoriality, Conflict of Laws

Suggested Citation

Christakis, Theodore, Transfer of EU Personal Data to U.S. Law Enforcement Authorities After the CLOUD Act: Is There a Conflict with the GDPR? (May 27, 2019). Randal Milch and Sebastian Benthall (eds), “Cybersecurity and Privacy in a Globalized World - Building Common Approaches”, New York University School of Law, e-book (Forthcoming) . Available at SSRN: https://ssrn.com/abstract=3397047

Theodore Christakis (Contact Author)

University Grenoble-Alpes, CESICE, France ( email )

151 Rue des Universités
BP 47
GRENOBLE, 38040
France

HOME PAGE: http://cesice.upmf-grenoble.fr/le-centre/theodore-christakis-173840.htm?RH=1265280570220

Institut Universitaire de France ( email )

103, bld Saint-Michel
75005 Paris
United States

HOME PAGE: http://cesice.upmf-grenoble.fr/le-centre/theodore-christakis-173840.htm?RH=1265280570220

Register to save articles to
your library

Register

Paper statistics

Downloads
212
Abstract Views
1,481
rank
141,915
PlumX Metrics