ArticlePDF Available

CLOUD act agreements from an EU perspective

Authors:

Abstract

For many years, transatlantic cooperation between the EU and the US in the area of personal data exchange has been a subject of special interest on the part of lawmakers, courts – including supranational ones – NGOs and the public. When implementing recent reform of data protection law, the European Union decided to further strengthen guarantees of the protection of privacy in cyberspace. At the same time, however, it faced the practical problem of how to ensure compliance with these principles in relation to third countries. The approach proposed in the GDPR, which is based on a newly-defined territorial scope of application, clearly indicates an attempt to apply EU rules extraterritorially in relation to data processors in third countries. Irrespective of EU activity, the United States has also introduced its own regulations addressing the same problem. An example is the federal law adopted in 2018, specifying how to execute national court orders for the transfer of electronic data. The CLOUD Act was established in response to legal doubts raised in the Microsoft v United States case regarding the transfer of electronic data stored in the cloud by US obliged entities to law enforcement authorities, as well as in cases where this data is physically located in another country and its transfer could result in violating the legal norms of a foreign jurisdiction. The CLOUD Act also facilitates bilateral international agreements that enable the cross-border transfer of e-evidence for the purposes of ongoing criminal proceedings. Both the content of the new regulations and the model proposed by the US legislature for future agreements concluded on the basis of the CLOUD Act can be seen as an alternative to regulations arising from EU law. The purpose of this paper is to analyse the CLOUD Act and CLOUD Act Agreements from the perspective of EU law and, in particular, attempt to answer the question as to whether this new legal mechanism brings the EU and the USA closer to finding common ground with regard to a coherent model of exchange and protection of personal data.
computer law & security review 38 (2020) 105442
Available online at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/CLSR
CLOUD act agreements from an EU perspective
Marcin Rojszczak
Faculty of Administration and Social Sciences, Warsaw University of Technology, Warsaw, Poland
Article history:
Available online xxx
Key words:
Data protection
Cross-border data ow
CLOUD Act
GDPR
E-evidence
For many years, transatlantic cooperation between the EU and the US in the area of personal
data exchange has been a subject of special interest on the part of lawmakers, courts
including supranational ones –NGOs and the public. When implementing recent reform
of data protection law, the European Union decided to further strengthen guarantees of
the protection of privacy in cyberspace. At the same time, however, it faced the practical
problem of how to ensure compliance with these principles in relation to third countries.
The approach proposed in the GDPR, which is based on a newly-dened territorial scope of
application, clearly indicates an attempt to apply EU rules extraterritorially in relation to
data processors in third countries.
Irrespective of EU activity, the United States has also introduced its own regulations ad-
dressing the same problem. An example is the federal law adopted in 2018, specifying how
to execute national court orders for the transfer of electronic data. The CLOUD Act was es-
tablished in response to legal doubts raised in the Microsoft v United States case regarding
the transfer of electronic data stored in the cloud by US obliged entities to law enforcement
authorities, as well as in cases where this data is physically located in another country and
its transfer could result in violating the legal norms of a foreign jurisdiction. The CLOUD
Act also facilitates bilateral international agreements that enable the cross-border transfer
of e-evidence for the purposes of ongoing criminal proceedings. Both the content of the new
regulations and the model proposed by the US legislature for future agreements concluded
on the basis of the CLOUD Act can be seen as an alternative to regulations arising from EU
law.
The purpose of this paper is to analyse the CLOUD Act and CLOUD Act Agreements from
the perspective of EU law and, in particular, attempt to answer the question as to whether
this new legal mechanism brings the EU and the USA closer to nding common ground with
regard to a coherent model of exchange and protection of personal data.
© 2020 Marcin Rojszczak. Published by Elsevier Ltd.
This is an open access article under the CC BY-NC-ND license.
( http://creativecommons.org/licenses/by-nc-nd/4.0/ )
1. Introduction
One of the widely discussed problems in data protection law
is the search for legal mechanisms that will ensure adequacy
E-mail address: marcin.rojszczak@pw.edu.pl
of protection and, at the same time, will not create barriers to
the development of global digital services. The ability of leg-
islators to develop forms of protection that will achieve this
gold standard would appear key in determining the success of
the digital transformation of the entire economy. Therefore, in
discussing various models of the legal protection of personal
data, one should not ignore an assessment of whether, and
https://doi.org/10.1016/j.clsr.2020.105442
0267-3649/© 2020 Marcin Rojszczak. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license.
( http://creativecommons.org/licenses/by-nc-nd/4.0/ )
2 computer law & security review 38 (2020) 105442
to what extent, the solutions analysed support –rather than
block – different forms of cross-border data processing.
Although the EU data protection model is considered to be
the most comprehensive one in the world and exemplary for
other lawmakers, it cannot be overlooked that an increasing
number of doubts have been raised with regard to its applica-
bility to other legal systems. With the adoption of the Lisbon
reform,1 both privacy and personal data protection were in-
cluded in the EU’s catalogue of fundamental rights. In turn,
the entry into force of Regulation 2016/679 (GDPR)
2 has led
to a signicant extension of both the subjective and objective
scope of application of EU data protection regulations. There
were doubts as to whether the EU legislature, when adopt-
ing regulations with a de facto extraterritorial effect, actually
ensured that both data subjects and supervisory authorities
would have effective tools to apply this law to controllers and
data processors from third countries.3
Discussion about law applicable to resolving situations in
cyberspace has been going on for over thirty years. In the area
of data protection law, three main approaches can be distin-
guished. The rst is that such situations should be governed
by the norms of national law, complemented by international
regulations. The second, that international legal regulations
should be the basic mechanism for ensuring adequacy of pro-
tection. The third path –chosen by the EU – consists of building
a regional secure data processing space based on close eco-
nomic cooperation (the concept of the common market). Sup-
porters of the rst approach point out that the role of inter-
national law should be primarily to create a general frame-
work for cooperation, in particular through bilateral agree-
ments regulating the issue of cross-border transfers and data
protection.4 Concepts based on international law, inter alia ,
those relating to the development of a new multilateral legal
mechanism, have been formulated in contrast to these pro-
1 The Treaty of Lisbon amending the Treaty on European Union
and the Treaty establishing the European Community, signed at
Lisbon, 13 December 2007, OJ C 306/1.
2 Regulation (EU) 2016/679 of the European Parliament and of the
Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free move-
ment of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation), OJ L 119/1.
3 More about extraterritoriality in the context of EU data pro-
tection model in: Christopher Kuner, ‘Extraterritoriality and reg-
ulation of international data transfers in EU data protection law’,
(2015) 5 International Data Privacy Law 235; Benjamin Greze, ‘The
extra-territorial enforcement of the GDPR: a genuine issue and the
quest for alternatives’, (2019) 9 International Data Privacy Law 109.
4 This argument was discussed over 20 years ago, so at a time
when the Internet in its present form did not yet exist. For exam-
ple, Jack Goldsmith pointed out that “there is no general norma-
tive argument that supports the immunization of cyberspace ac-
tivities from territorial regulation. And there is every reason to be-
lieve that nations can exercise territorial authority to achieve sig-
nicant regulatory control over cyberspace transactions”. J. Gold-
smith, ‘A g a i n s t Cyberanarchy’, (1998) 65 University of Chicago Law
Review 1199, 1250. However, it should be noted that this argu-
ment had already been criticised at that time. See e.g. David G.
Post, ‘A g a i n s t ‘A g a i n s t Cyberanarchy’’, (2002) 17 Berkeley Technol-
ogy Law Journal 1363; Dan Jerker B Svantesson, ‘A n introduction to
jurisdictional issues in cyberspace’, (2004) 15 Journal of Law and
Information Science 50.
posals.5 It is true that currently none of these concepts has
led to the development of a universally acceptable mechanism
that could aspire to be a global data protection standard.6
Due to the ongoing reform of EU data protection regula-
tions, as well as the precedent-setting cases examined by the
ECJ regarding the understanding of key concepts in the inter-
pretation of GDPR, relatively little attention has been paid to
initiatives that aspire to create a supranational mechanism for
transferring personal data as an alternative to the EU mech-
anism. One such initiative was the reform
7
of the Council of
Europe Convention 108. Although it was initiated in 2012, the
Amending Protocol was not opened for signature until 2019.8
Another such initiative relates to the adoption of the CLOUD
Act by the US federal legislature.9
This regulation attempts to
dene the rules for sharing data on users for the purposes of
ongoing criminal proceedings by entities providing services
in the cloud computing model. One element of the Act de-
nes a general framework for the negotiation of bilateral in-
ternational agreements between the United States and foreign
partners that would lay down, among others, the principles
for issuing and executing e-evidence orders. As a result, the
CLOUD Act creates a framework for a cross-border model of
personal data transfer, in which the leading role is played by
the norms of national law, supplemented by bilateral interna-
tional agreements. As one of the agreements to be concluded
5 For years now, two leading proposals of that type have been
discussed: the rst, is that a modernised CoE Convention No. 108
should be adopted in the form of a new additional protocol to the
International Covenant on Civil and Political Rights, while the sec-
ond suggests making the International Standards on the Protec-
tion of Personal Data and Privacy ( < cli.re/GRke57 > ) a legally bind-
ing act. See note 6 at 15-18. Also: Graham Greenleaf, ‘The inuence
of European data privacy standards outside Europe: implications
for globalization of Convention 108’, (2012) 2 International Data
Privacy Law 68; Paul de Hert, Vagelis Papakonstantinou, ‘The Coun-
cil of Europe Data Protection Convention reform: Analysis of the
new text and critical comment on its global ambition’, (2014) 30
Computer Law & Security Review 633.
6 See generally : Marcin Rojszczak, ‘Does global scope guarantee
effectiveness? Searching for a new legal standard for privacy pro-
tection in cyberspace’, (2020) 29 Information & Communications
Technology Law 1.
7 Although the reform of Convention 108 is perceived as adaptat-
ing to the regulations of the EU data protection model to become
a ‘GDPR Mild’, as Greenleaf puts it, work on this reform was actu-
ally parallel to the creation of the GDPR. Cf. Cécile de Terwangne,
‘The work of revision of the Council of Europe Convention 108 for
the protection of individuals as regards the automatic process-
ing of personal data’, (2014) 28 Journal of International Review of
Law, Computers & Technology 118; Sylvia Kierkegaard et al., ‘Com-
ments to the CoE Convention 108 draft proposal on data protec-
tion’, (2012) 28 Computer Law & Security Review 368.
8 The modernised treaty is referred to as ‘Convention 108 + ’;
in fact it is Convention 108 amended by Protocol no. 223 of 10
October 2018 < https://www.coe.int/en/web/conventions/full-list/
-/conventions/treaty/223 > accessed 20 February 2020. Consoli-
dated text of Convention 108 as it will be amended by Protocol No.
223 upon its entry into force available at < rm.coe.int/16808ade9d >
accessed 20 February 2020.
9 Clarifying the Lawful Use of Overseas Data Act of 2018, Pub. L.
No. 115–141, 132 Stat. 348 (codied as amended in separate sec-
tions of 18 U.S.C.); available online at < https://cli.re/BwPk5Q > ac-
cessed 20 February 2020.
computer law & security review 38 (2020) 105442 3
under the CLOUD Act is currently being negotiated with the
EU, this example can also be used to discuss the differences
between the American and European data protection mod-
els, which are also apparent in the vision of building common
rules for cross-border data transfer.
2. Cloud computing and the origin of the
CLOUD Act
Discussion of the detailed provisions adopted in US federal
law rst requires a presentation of the legal problem that was
the direct cause of this legislation being enacted.
The dynamic development of services provided by the
cloud computing model has resulted in the use of this form
of services by a signicant number of users in the world.10
So-
cial media, e-mail services, le storage and streaming media
would not work without the possibility of mass data process-
ing based on virtualised IT resources located in many data
centres globally. Services of this type are often called SaaS
( Software-as-a-Service ) and are characterised by high scalabil-
ity, ensured in part by separation between infrastructure and
application layers.11 As a result, a user’s request to open an
e-mail message, for example, may be served each time by an
application server located in a different data centre in a differ-
ent country. That is why the concept of ‘data localisation’ in
the case of cloud services is difcult to dene. User data can be
simultaneously in only one or in many data centres, and deci-
10 It is worth noting that the term ‘users’ means not only indi-
viduals (home users) but also businesses of various sizes, as well
as public authorities. More and more often, public administration
uses cloud services, which means that the problem of cross-border
access to this data may affect all citizens whose data is being pro-
cessed. See : ‘Cloud computing services used by more than one out
of four enterprises in the EU’, Eurostat Press Release 13 December
2018, < cli.re/92bPdj > accessed 20 February 2020.
11 In fact, the term cloud services is used to describe many differ-
ent forms of service provision and related technologies. The most
common division is by the type of available resources: -Software
as a Service (SaaS) - in which the user receives access to a ready
service, running on the service provider’s hardware and software
infrastructure,-Platform as a Service (PaaS) –where the service pro-
vided is the CSP’s IT platform, which the user can use to create,
develop and use their own applications,-Infrastructure as a Service
(IaaS) - in which the user has access to the the service provider’s
IT environment, which offers previously agreed processing pa-
rameters (e.g. computing power, network bandwidth, disk storage,
as well as, for instance, guaranteed availability factors,).In addi-
tion, services provided by the cloud model can be made avail-
able to several exploitation models, the most common of which
are private, public and hybrid clouds.Further discussion presented
in this paper will focus on SaaS services provided by the public
cloud. These types of services include popular electronic mail ser-
vices (e.g. Google Gmail, Ya h o o Mail or Microsoft Outlook Web Ac-
cess), ofce application services (e.g. Microsoft Ofce 365 or Google
Apps), and le storage and sharing services (e.g. Dropbox, Google
Drive or Microsoft OneDrive). SaaS is undoubtedly the most com-
mon example of cloud service, especially from the perspective of
a home user, and thus has the greatest practical signicance. See
Peter Mell, Timothy Grance, ‘The NIST Denition of Cloud Comput-
ing’, National Institute of Standards and Technology 2011, Special
Publication 800-145, < https://cli.re/NMEpwb > accessed 20 Febru-
ary 2020.
sions regarding their distribution are made automatically by
advanced algorithms aimed at increasing service availability
indicators. Cloud computing services are, by denition, pro-
vided in a cross-border manner, and often in a way that in-
volves globally deployed resources.
Until recently, a signicant part of contracts under the SaaS
model, concluded with European users, included forum se-
lection clauses favouring law applicable to the Cloud Service
Provider (CSP). Due to the economic importance of US-based
entities in the global digital services market, local US law pre-
vailed with many such contracts. With the entry into force of
Regulation 2016/679, the largest CSPs (e.g. Microsoft, Google,
Facebook, Yahoo) had to amend their rules for provision of
services by making their European subsidiaries a party to con-
tracts concluded with users (thus becoming data controllers
within the meaning of EU regulations
12
).
Formally, however, such services are not provided by one
company, but by many related entities belonging to a common
capital group. The responsibility for ensuring provision of ser-
vice –that is, technical administration of the IT infrastructure
located in the local data centre –should be treated as sepa-
rate from the role of the service provider, i.e. the entity which
is party to the contract for the provision of services concluded
with the user. Both functions can be performed by the same
or different entities. For example, Google has several EU data-
processing centres administered by various companies,13
but
all contracts with users from the EEA are concluded by one
entity - Google Ireland Ltd.14
Pursuant to US federal law, any entity in “possession, cus-
tody or control” of data may be required to provide it as part of
ongoing criminal proceedings.15
Federal law outlines a num-
ber of detailed procedures for requesting disclosure that ap-
ply to different legal situations and to different types of infor-
mation.16
In this regard, it is particularly important to distin-
12 However, a different approach also applicable is one in which
the EU subsidiary and US-based parent company are joint con-
trollers. This concept seems particularly relevant in the light of
recent rulings by the ECJ dening the structure of joint adminis-
tration in the context of cases relating to use of the Facebook ser-
vice by professionals. See ECJ , Case C–210/16, Wirtschaftsakademie
(5 June 2018), EU:C:2018:388; ECJ , Case C–40/17, Fashi on ID (29 July
2019), EU:C:2019:629. Discussion of the joint controllership con-
cept is presented in: Charlotte Ducuing, Jessica Schroers and Els
Kindt ‘The Wirtschaftsakademie fan page decision: A landmark
on joint controllership - A challenge for supervisory authorities
competences’, (2018) 4 European Data Protection Law Review 547;
Susanna Lindroos-Hovinheimo, ‘Who controls our data? The legal
reasoning of the European Court of Justice in Wirtschaftsakademie
Schleswig-Holstein and Tietosuojavaltuutettu v Jehovan todista-
jat’, (2019) 28 Information & Communications Technology Law 225.
13 Such subsidiaries operate in, among other countries, Bel-
gium, Denmark, the Netherlands, Finland and Ireland, see
< cli.re/wZvZM5 > accessed on 20 February 2020. It is worth not-
ing that more entities responsible for IT facility management are
listed in the subprocessor register < cli.re/bx3YD3 > .
14 See : ‘Google Term s of Service’, effective 22 January 2019, < https:
//policies.google.com/terms?hl=en > accessed 20 February 2020.
15 18 U.S.C. §2713.
16 A summary of legal procedures that could be used by US LEAs
to gain authorised access to data stored in the cloud: Paul M.
Schwartz, ‘Legal Access to the Global Cloud’ (2018) 118 Colum L
Rev 1681 at 1760-1763.
4 computer law & security review 38 (2020) 105442
guish between the use of electronic communication services
17
and remote computing services.18
With regard to cloud stor-
age services, each of the access modes may apply, depending
on whether the data stored as part of a given service or to be
transferred via it is to be forwarded. Signicantly, federal reg-
ulations contain different requirements for access by public
authorities to electronic information collected and transmit-
ted with the use of electronic communication services and re-
mote processing services.19
Due to the broad denition of obliged entities, US law en-
forcement authorities (LEAs) have requested information not
only in case the recipient was physically in possession of the
information requested, but also when they controlled data
stored on servers located in foreign jurisdictions and, notably,
in situations where the addressee of the request did not have
direct access to the data, but controlled through its capital
group the entities that had such access. An example of this is
the SCA warrant issued to Microsoft Corp in December 2013,
requiring the company to disclose data as part of a criminal
case regarding drug trafcking.20
Microsoft was obliged to pro-
vide data collected in relation to the specied e-mail account,
including the content of e-mails, within 14 days. Company
employees determined that, although some of this data (ex-
cluding e-mail content) was stored on servers in the United
States, the e-mail content was stored abroad. As a result, ex-
ecution of the warrant would clearly have involved a cross-
border transfer of data to US LEAs, bypassing relevant local
regulations –in this case, Irish ones; thus it carried the risk
of violating national provisions applicable to the place of data
processing.
Microsoft took legal steps to have the order quashed, and
the dispute was ultimately heard by the US Supreme Court.
This case became the direct cause of the legislative initia-
tive that nally led to the adoption of the CLOUD Act in 2018.
The purpose of the bill was, therefore, to clarify doubts re-
garding the access of US law enforcement authorities to elec-
tronic evidence owned or controlled by US entities yet phys-
ically stored in foreign data centres. The federal legislature
proposed a hybrid model in which directly effective norms
of national law were to be supplemented by optional inter-
national agreements concluded with the third countries con-
cerned. While working on the new regulations the legislature
also introduced mechanisms to challenge national warrants
to disclose data, the execution of which could lead to the vio-
lation of mandatory norms of a foreign jurisdiction.
17 As dened in 18 U.S.C. §2711(2), electronic communication ser-
vice „means any service which provides to users thereof the ability
to send or receive wire or electronic communications”
18 As dened in 18 U.S.C. §2510(15), remote computing service
„means the provision to the public of computer storage or process-
ing services by means of an electronic communications system”.
19 A broader discussion of the SCA was presented in: Orin S. Kerr,
‘A User’s Guide to the Stored Communications Act, and a Legisla-
tor’s Guide to Amending It’, (2004) 72 Geo. Wa sh. L. Rev. 1208 .
20 15 F. Supp. 3d 446 (S.D.N.Y. 2014); the background of the case
and proceedings before federal courts presented in: ‘In re War ra nt
to Search a Certain Email Account Controlled & Maintained by Mi-
crosoft Corp.’, (2015) 128 Harv. L. Rev 1019; Andrew Kirschenbaum,
‘Beyond Microsoft: A Legislative Solution to the SCA’s Extraterrito-
riality Problem’ (2018) 86 Fordham L Rev 1923 at 1939-1946.
The concurrence of work on the CLOUD Act
21
with the ap-
plication of GDPR
22
naturally led to an attempt to jointly anal-
yse both regulations – especially in the area of a possible col-
lision of procedures resulting from the CLOUD Act with obli-
gations imposed on data controllers by the GDPR.
3. Cross-border data transfers according to
the CLOUD Act
An analysis of the detailed provisions introduced in the
CLOUD Act should take account of the fact that this Act is ac-
tually an amendment to the Stored Communications Act of
1986 (SCA)
23
, which has been functioning for over thirty years,
and the intention of Congress was to remove doubts regard-
ing interpretation, especially those concerning the extraterri-
torial effect of warrants issued on the basis of the SCA. The
CLOUD Act indicates that the entity in the possession, cus-
tody, or control of data is required to provide it, regardless
of whether this information is stored in the United States or
abroad. The scope of obliged entities and authorised entities
has remained unchanged, which in particular means that any
entity may be obliged –not only a CSP, as the title of the Act
might erroneously suggest. It should be remembered that the
CLOUD Act does not explicitly specify the legal procedure ac-
cording to which warrants to hand over electronic evidence
may be issued. Provisions introduced in the SCA apply in this
respect. However, as emphasised in the doctrine, a warrant is-
sued based on the provisions of the SCA (the so-called SCA
warrant ) combines the features of both a search warrant is-
sued in accordance with the federal criminal procedure and a
subpoena.24
As a result, its execution does not consist in con-
ducting a search by LEAs but in the obligation of the recipient
to provide the data and information indicated therein.
The obliged entity may le a motion to quash or modify the
SCA warrant, but only if two conditions are met jointly. The
rst is a reasonable suspicion that the warrant was issued in
relation to a non-US person that does not reside is the United
States. The second necessary condition is the material risk of
violation of third country law.
Assessing whether both conditions have been met is very
problematic. The rst condition requires the service provider
to have information not only about the status of their users’
residences but also about their current locations. On the other
hand, in the case of the second condition –relating to obliga-
tions under the law of the country in which the data is stored
–the concept of ‘qualifying foreign government’ was used.
The way in which this term is dened leads to the unavoid-
able conclusion that the concept covers only countries that
have concluded relevant bilateral agreements with the United
States (the topic is discussed in more detail in section 4), i.e.
the so-called CLOUD Act Agreements (CCA). Due to the fact
21 Effective as of 28 March 2018.
22 Applicable as of 25 May 2018.
23 The Stored Communications Act of 1986, Pub. L. No. 99-508, 100
Stat. 1848 (codied at 18 U.S.C. 2701–2712).
24 Thomas F. Brier Jr., ‘Dening the Limits of Governmental Access
to Personal Data Stored in the Cloud: An Analysis and Critique of
Microsoft Ireland’, (2017) 7 Journal of Information Policy 327 at 336.
computer law & security review 38 (2020) 105442 5
that by the end of 2019, such an agreement had been con-
cluded only with the United Kingdom, procedures allowing
CSPs to challenge orders requiring them to provide data lo-
cated abroad do not actually apply if the data is in the Euro-
pean Union (there is no relevant EU-US CCA in place).
However, even if both conditions were met in a particular
case, this would not mean that a complaint brought by the
service provider would be granted by the court. The CLOUD
Act provides that an order may be modied or quashed only if
“the interests of justice” are served.25
The legislature has in-
dicated that the interests of the United States, including the
applicant’s investigative needs, should be taken into account
rst when assessing this criterion. This means that an ensuing
violation of the law of a third country with which the United
States has concluded a bilateral agreement is not, under na-
tional law (the CLOUD Act), an independent ground for revok-
ing the warrant to hand over electronic data.
A separate problem is the possibility of warrants being is-
sued not only by LEAs in connection with ongoing criminal
proceedings but also by security services as part of preventive
measures taken. It is worth recalling that the imbalance and
lack of proportionality in terms of national security objectives
and protection of privacy were already the reason for the ECJ’s
repeal of the legal instrument that constituted the legal basis
for the implementation of the Safe Harbour framework.26
In this respect, the CLOUD Act does not introduce signif-
icant new safeguards that would change the critical assess-
ment of previous regulations. This is because, rstly, taking
legal action depends solely on the endeavours of the obliged
entity; the notication duty is not exercised in relation to data
subjects (also ex post ), as a result of which they are not able to
effectively protect their rights in court. Secondly, the ability to
protect individual rights depends on the existence of an ap-
propriate bilateral agreement linking the United States with
the country whose right would be violated as a result of the
warrant. It is difcult to nd a reasonable justication for why
counteracting unlawful interference with the privacy of an in-
dividual should be contingent on the existence of an interna-
tional instrument connecting the country which is interested
in obtaining specic data and the country where the data is
stored. For example, being a Pole who uses Google services, I
have no inuence on where Google collects and processes data
concerning me. I am informed about the processing places
and can terminate the contract, and delete the data, but I have
no inuence on the choice of the data centre in which my data
is processed. It is therefore difcult to understand why the le-
gal protection mechanisms available to users are dependent
on a decision taken by the CSP regarding the place of data
storage. It should be remembered that Google has several data
centres in the EU: not only in the United Kingdom (where there
25 Cf. 18 U.S. Code §2703(h)(2)(B)(ii).
26 Against this background, it is worth recalling the argument put
forward by the ECJ in the Schrems judgment, according to which the
establishing of a general derogation from the obligation to comply
with EU law based on, inter alia , “national security and public inter-
est requirements or on domestic legislation of the United States”
combined with a lack of effective legal protection cannot be rec-
onciled with the provisions of the Charter of Fundamental Rights
( see C–362/14, pp. 86-95).
is a UK-US CLOUD Act-type agreement in place) but also in
Belgium, the Netherlands and Denmark (the latter three hav-
ing no relevant agreements).
A signicant imperfection of the model proposed by the
CLOUD Act concerns the complete omission of roles and re-
sponsibilities relating to the processing of personal data. The
SCA warrant may be directed to an entity which, due to its
technical role in the data processing process, has access to
this data but may not know the legal consequences of disclos-
ing information. What is more, it may not even be a data con-
troller, so its knowledge about the purpose of collecting data
and even about determining the identity of data subjects (in
order to determine whether there is a condition for lodging a
complaint) may be limited. Hence, the model resulting from
the CLOUD Act essentially legalises the possibility of extrater-
ritorial access to data from any jurisdiction, at the same time
providing very limited mechanisms to prevent these activities:
based solely on the willingness and involvement of the US CSP
to which the warrant is addressed.27
4. Bilateral agreements under the CLOUD Act
It looks likely that the perceived imperfections of the na-
tional legal mechanisms introduced in the CLOUD Act may
be largely offset by Congress’s consideration of the possibil-
ity of concluding bilateral agreements between the United
States and interested third countries. The purpose of such
agreements is to facilitate transnational judicial cooperation
in the collection and transmission of e-evidence. The assump-
tion is that these will be bilateral agreements (the so-called
congressional-executive agreement
28
), under which each of
27 In the draft of the International Communications Privacy Act
(H. R. 3718, 115
th
Congress), an earlier proposal to regulate the is-
sue of cross-border access to e-evidence, it was proposed that an
application for the warrant should indicate the nationality and lo-
cation of the user whose data would be provided by the CSP and,
in the event that this data is not known to the applicant, a “full
and complete” statement regarding steps taken to collect this in-
formation (Sec. 3(d) of the proposed bill). Adopting such a solution
would shift the burden of determining the user’s nationality from
the CSP to LEAs; moreover, the actions taken by the LEA would
be subject to judicial review at the initial stage of examining the
application (before approval and transfer to the CSP).
28 There are several legal mechanisms for concluding interna-
tional agreements in the United States; binding international legal
acts can be divided into two main categories: treaties concluded in
accordance with Art. 2(2) of the Constitution, and agreements con-
cluded by the executive branch. Among the agreements concluded
by the executive branch, there are several further types, depending
on the degree of prior knowledge or consent expressed by individ-
ual chambers of the US Congress. In principle, only ratied treaties
have the same power as federal law; agreements concluded by the
executive branch may have this effect in the domestic legal system
- particularly in the case of agreements concluded with the con-
sent of Congress or for the fullment of other treaty obligations.
Signicantly, even the treaties do not take precedence over federal
law –which is important because in the legal order of both the EU
and its member states, in the event of a conict of national law
with ratied international agreements, priority is given to inter-
national agreement standards. More information on the types of
international agreements operating in the US legal system and the
6 computer law & security review 38 (2020) 105442
the parties may address orders regarding the handover of elec-
tronic evidence directly to CSPs that operate under the law of
the other party.
The CLOUD Act denes the legal framework for future
agreements, specifying their most important boundary con-
ditions. They can be divided into three main groups regard-
ing: (i) the systemic requirements of a third country; (ii) le-
gal safeguards applying to electronic surveillance; and (iii)
the manner of cooperation in the execution of data trans-
fer orders. In the rst area, Congress has determined that the
legal model of a third country must be built in accordance
with the principles of the rule of law, including protection
against unauthorised discrimination and respect for interna-
tional standards in the area of human rights. The legal safe-
guards applied should provide for effective, substantive and
procedural mechanisms to protect privacy and fundamental
rights, including the right of assembly and freedom of expres-
sion. In addition, third country law should include adequate
safeguards for the collection of electronic evidence, such as
those resulting from the CoE Convention on Cybersecurity.29
As, in principle, orders are to be issued by the authorities
of the applicant party, it has been assumed that the process
of issuing them should be supervised by an independent body
(specically, a court), comply with relevant national regula-
tions, and take place only in legally justied cases. In addition,
orders should only be issued in cases relating to the preven-
tion, detection, investigation or prosecution of serious crime.
The Act does not dene this concept, indicating only that this
category includes terrorist activities.30 Paul Schwartz notes
that this lack of precision may pose a potential risk in terms
of the consistency of federal law, because the criteria for issu-
ing an order in a third country may differ from the standards
applied in the United States.31
However, the conditions set out for international agree-
ments in the CLOUD Act are not mandatory. Congress stip-
ulated that they should simply be considered, not necessarily
adopted, which may lead to the conclusion that even entering
priority rules in the event of a conict with internal law: Stephen P.
Mulligan, ‘International Law and Agreements - Their Effect upon
U.S. Law’, Congressional Research Service 2018, < cli.re/LvbD1M >
accessed 20 February 2020.
29 Convention No. 185 of the Council of Europe on Cybercrime
(adopted 23 November 2001, entered into force 1 July 2004).
30 The meaning of the term ‘serious crime’ is also important be-
cause of EU legislation on the so-called general obligation to re-
tain data. In particular, in a recent judgment in the Ministerio Fiscal
case, the ECJ pointed out that while the use of targeted surveil-
lance measures could be justied by the objectives of combating
common crime, the introduction of a general obligation must be
limited to the purposes of combating serious crime. See : ECJ, Case
C–207/16, Ministerio Fiscal (2 October 2018), EU:C:2018:788, pp. 57-
58. EU law does not contain a single denition of serious crime. A
list of forms of serious crime is provided in Annex 1 to Regulation
2018/1727. A different denition was introduced in the draft of the
new e-evidence regulation ( see note 70). In accordance with art.
5(4) of the draft regulation, the issuance of a European e-evidence
order may take place, inter alia, in respect of offences punishable
by imprisonment with an upper limit of at least three years.
31 See note 16 at 1750.
into an agreement with an undemocratic state is theoretically
possible and would not violate the provisions of the Act.32
It would therefore appear that the mechanism of bilateral
agreement cannot be the basis for transferring bulk data from
electronic surveillance. Such a conclusion stems from the re-
quirement that each order should specify the person or per-
sons covered by it, as well as the device, address or other in-
formation enabling precise indication of the scope of data to
be transmitted. The CLOUD Act also provides for the possibil-
ity of directing court orders to the CSP, the execution of which
would be related to wiretapping electronic communications.
In such a case, the applicant party must demonstrate compli-
ance with the principles of necessity and proportionality, and
specify the duration of the action adequate to gain reasonable
evidentiary needs.
In some cases, the boundary conditions set out in the
CLOUD Act signicantly limit the negotiating freedom of gov-
ernments and also introduce an asymmetrical model of both
parties’ rights. For example, requests made by a third country
must not intentionally involve US persons and persons resid-
ing in the United States. However, applications directed by the
US party were not restricted in the same way. The ofcial ex-
planations of the Department of Justice indicated that such an
arrangement should be subject to negotiations preceding the
conclusion of the agreement.33
The CLOUD Act also stipulates
the need to grant the US party the right to refuse to execute
any of the orders approved by the authorities of a third coun-
try.
In addition, most requirements limiting the applicability of
the order pertain only to applications submitted by third coun-
try authorities and per se do not cover the US party. This shape
of the CLOUD Act seems understandable, bearing in mind that
equivalent restrictions result directly from other regulations
functioning in the US legal system.34
One element that should be noted, however, in relation to
the use of bilateral agreements, is the lack of restrictions im-
posed on the US party in respect of choosing which data ac-
cess procedure will apply: the one arising directly from the
CLOUD Act (i.e. addressing an order to a US entity and resolu-
tion of possible complaints before federal courts) or the use of
the mechanism based on the bilateral agreement (thus send-
32 Secil Bilgic, ‘Something old, something new, and something
moot: The Privacy Crisis under the CLOUD ACT’, (2018) 32 Harvard
Journal of Law & Technology 322, 336-337.
33 According to the position of the Department of Justice: “The
foreign government is free in negotiations to seek similar re-
strictions that would prevent the United States from using or-
ders subject to the agreement to target data of its nationals
or residents”; See Frequently Asked Questions published as part
of the CLOUD Act-related materials, < www.justice.gov/dag/page/
le/1153466/download > accessed 20 February 2020, p. 12.
34 This reasoning contains some simplication. It should be re-
membered that disclosure of information under SCA provisions
may be achieved using three different legal measures: a search
warrant, a court order or a subpoena. Other safeguards and le-
gal procedures relate to the authorisation of each of them. While
a court is obliged to examine the probable cause test in the case
of a search warrant, the criteria for applying the other measures
may be less restrictive. See Jennifer Daskal, ‘The Un-Territoriality
of Data’, (2015) 125 Yale L J 326 at 361-362.
computer law & security review 38 (2020) 105442 7
ing the order to the state party with whom the agreement has
been signed).
From a third country perspective, failure to enter into a CAA
will mean that US entities will be prevented from complain-
ing about warrants they receive by alleging that these war-
rants violate the law of a foreign jurisdiction. Conclusion of
the agreement, however, does not eliminate the asymmetry
of the parties’ rights, because US LEAs can still direct warrants
to US entities on the basis on national law, without following
the CAA procedure. Since the CLOUD Act does not contain the
obligation to inform third-country authorities about a com-
plaint led by an US obliged entity, the benets of concluding
a CAA agreement for the protection of a third country’s legal
order would seem to be illusory in this case.
It seems reasonable to attempt to apply the above conclu-
sions to a case closer to the one analysed in United States v. Mi-
crosoft , that is, a situation in which a US parent company pro-
vides global SaaS services through, among others, an entity
based in the EU. In this case, even if the existence of an EU-
US agreement were assumed, this agreement would de facto
mainly serve American interests rather than protect the EU
legal order. It can be reasonably assumed that if US LEAs had
the choice of addressing a warrant to a US-based entity (in
the analysed case - Microsoft Corp.) or –through CAA mech-
anisms –to an Irish entity (Microsoft Ireland), they would de-
cide on the path that was easier and faster from their perspec-
tive, specically, one involving only national legal procedures.
Assuming that the controller of the data to be made available
is Microsoft Ireland, the obligation to inform this entity could
be based, at most, on contractual obligations arising from the
contract concluded with the processor, i.e. Microsoft Corp. At
the same time, it should be remembered that from the per-
spective of EU law, data processing entrustment agreements,
including those concluded with entities based in third coun-
tries (which include the United States from the perspective of
EU law), must be subject to EU or member state law.35
More-
over, the GDPR imposes obligations relating to ensuring secu-
rity of processing not only on controllers but also processors
(including subprocessors). A special provision in this respect
is Article 48 of the GDPR, according to which a court judgment
or an administrative decision of a third country requiring a
processor to transfer or disclose personal data can only be en-
forced if it is based on an international agreement. Undoubt-
edly, a CAA can be regarded as such an agreement, so this type
of data transfer has grounds in the GDPR provisions. The sit-
uation is different in the case of cross-border data transfer
by a US-based processor, the sole basis of which is a national
warrant obtained by local LEAs. In this case, the basis for the
transfer of data is not a CAA, and therefore the norm arising
from Article 48 seems to exclude the legality of such a transfer.
This conclusion can be conrmed by the Commission’s posi-
tion that Article 48 makes clear that a foreign court order does
not, as such, make a transfer lawful under GDPR”.36
In this case, one could consider the application of Article
49(1)(d) of the GDPR, according to which a transfer that is not
admissible on the basis of other formal grounds may still be
35 Art. 28(3) of the GDPR.
36 See European Commission’s Amicus Curiae brief in USA v. Mi-
crosoft Corporation , 14, < cli.re/Rnm4jP > accessed 20 February 2020.
carried out if “the transfer is necessary for important reasons
of public interest”. However, it should be remembered that the
public interest referred to in this provision must be recognised
in EU law or in the law of the Member State to which the con-
troller is subject.37
On this basis, the European Data Protection
Board (EPDB) and European Data Protection Supervisor (EDPS)
have indicated in their common position that pursuit of the
public interest of a third country cannot constitute a suf-
cient condition for data transfer pursuant to Article 49(1)(d)
of the GDPR.38
Alternatively, data may also be transferred to
a third country if it “is necessary for the purposes of com-
pelling legitimate interests pursued by the controller”.39
The
EC pointed out that the legitimate interest in this case “could
be the interest of the controller in not being subject to legal
action in a non-EU state”.40
This argument, however, was not
supported by the EDPB and EDPS.41
Nevertheless, even if the
Commission’s position is accepted, it should be remembered
that this provision is addressed only to the controller, which
means that it does not provide a basis for the transfer of data
by a foreign processor.42
This example illustrates the area of dissimilarity of proce-
dures arising from US (CLOUD Act) and EU (GDPR) legislation,
which results in the imposition of conicting legal norms on
the same entity. It should be remembered that violation of
obligations under the GDPR may be a premise for seeking com-
pensation from both the controller and the processor (at the
choice of the data subject
43
), as well as a reason for submitting
a complaint to the supervisory authority of a member state.44
As a result, in the most common model of providing cloud
computing services, where the entity controlling the capital
group is located in the United States and the European com-
pany is the data controller for clients from the EU, the execu-
tion of a warrant received from US authorities by the parent
company could lead to a violation of EU law, which would, in
turn, result in liability for damages on the part of both the US
entity (the parent company) and the European company (the
data controller). It seems that implementation of the CLOUD
Act does not signicantly reduce this risk: although an US
entity may complain about a decision in court, it would be
37 See Art. 29(7) of the GDPR.
38 See Annex to the EDPB-EDPS Joint Response to the LIBE
Committee on the impact of the US Cloud Act on the Eu-
ropean legal framework for personal data protection, 6,
< https://cli.re/15WnnA > accessed 20 February 2020.
39 Art. 49(1) para 2.
40 See note 36 at 15.
41 See note 38 at 7: The EDPB and the EDPS consider that Article 49(1)
last paragraph cannot provide a valid lawful ground to transfer personal
data on the basis of US CLOUD Act requests ”.
42 More on controversies related to Art. 48 and Art. 49 of the GDPR
in the context of data transfers to US LEAs: Theodore Christakis,
‘Transfer of EU Personal Data to U.S. Law Enforcement Authorities
After the CLOUD Act: Is There a Conict with the GDPR?’ in Randal
Milch and Sebastian Benthall (eds), Cybersecurity and Privacy in a
Globalized World - Building Common Approaches (New Yo r k University
School of Law, Forthcoming), < https://cli.re/mNBmno > accessed
20 February 2020.
43 See Art. 82(1) of the GDPR.
44 It should be noted, however, that this is a simplication, and
determination of liability would require consideration of other
specic conditions for data transfer, such as Art. 82(3) of the GDPR.
8 computer law & security review 38 (2020) 105442
reasonable for this entitlement to be primarily vested in the
data controller. Otherwise, his responsibility for the entire pro-
cessing process becomes void, which signicantly reduces the
effectiveness of the guarantees arising from the EU privacy
model.
5. The case of the UK-US agreement
The CLOUD Act creates a general competence framework for
the executive regarding conditions that must be met for a CAA
to be concluded. Obviously, an analysis of the only agreement
of this type that has been concluded –that is, the agreement
between the United States and the United Kingdom of 3 De-
cember 2019
45 –may be helpful in assessing the extent to
which the imprecise conditions inherent in the CLOUD Act
could be claried and applied to an intergovernmental agree-
ment.
The agreement species the rights of each party in terms of
requesting electronic evidence and the procedure relating to
the issuing, handling and execution of such orders. In contrast
to the denitions used in the CLOUD Act, it was claried that
the orders may cover activities related to combating most seri-
ous crimes, which in turn were dened as crimes which in the
domestic law of the state parties carry a maximum penalty of
at least 3 years. The scope of persons who may be covered by
the orders was dened differently. In the case of orders issued
by the British authorities, they cannot be persons who are US
citizens, have the right of residence in the USA or who stay
in the USA, as well as legal persons registered in the United
States or largely controlled by US persons. In turn, the US au-
thorities must not intentionally issue orders regarding per-
sons residing in the United Kingdom, as well as