Transfer of EU Personal Data to U.S. Law Enforcement Authorities After the CLOUD Act: Is There a Conflict with the GDPR?
In his paper Transfer of Personal Data to U.S. Law Enforcement Authorities After the CLOUD Act: Is There a Conflict with the GDPR?, Prof. Christakis looks at how Section 103 of the CLOUD Act may conflict with the GDPR’s restrictions on transfers of personal data to outside the European Union.
Since the adoption of the Clarifying Lawful Overseas Use of Data Act – CLOUD Act in March 2018 there have been a lot of discussions about whether a transfer of EU personal data by an Internet and Cloud Service Provider to U.S. Law Enforcement Authorities under the Stored Communications Act (SCA), could conflict with the EU General Data Protection Regulation (GDPR), in force since May 2018. Some commentators went as far as arguing that the CLOUD Act was “an American offensive in order to counter the GDPR”! However, to our knowledge, up to today, there is still no comprehensive study of the topic examining whether a transfer of EU personal data to U.S. LEAs under an SCA warrant could violate the GDPR. The objective of this paper is to contribute to this debate by focusing on the interaction between article 48 (which was introduced in the GDPR in order to limit transfer of EU personal data to foreign governments) and the permissible “derogations” under article 49 – and, especially, the most relevant among them which authorizes transfers “for important reasons of public interest” (art. 49(1)(d)).
The two first parts of this paper “set the scene” by presenting the relevant provisions of the GDPR and their legislative history. The third part examines how these provisions have been interpreted by different actors, including the EU Commission, during the proceedings in the U.S. v. Microsoft Case before the U.S. Supreme Court. The fourth part focuses on the guidance given on these issues by the European Data Protection Board. The paper ends with 10 conclusions and thoughts on the current situation which, as this study shows, is not clear.
The full paper is available on SSRN.
These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.