PONT Data&Privacy


'Small chance US government can see EU citizens' data with CLOUD Act'

In practice, the chances of the U.S. government being able to see personal data of Europeans under the CLOUD Act are very small. This means that in principle it does not matter whether companies store their data with European or American suppliers. Whether the same applies to countries with their own extraterritorial laws has not been investigated.

VPN Guide November 23, 2022

News press release


This is according to the National Cyber Security Center (NCSC) (1). The advisory body asked law firm Greenberg Traurig to investigate the risk that information in Europe could be accessed by the U.S. government under the CLOUD Act.

This is what you need to know about the CLOUD Act

The CLOUD Act is an acronym that stands for Clarifying Lawful Overseas Use of Data Act. In it, the U.S. government describes the ground rules for storing, transporting and processing information. The act also establishes agreements on data protection and information security. The CLOUD Act makes it possible for U.S. intelligence agencies to demand, via a warrant or subpoena, that tech companies hand over user data. It does not matter whether this data is stored in the U.S. or abroad.

In August, Greenberg Traurig published a study on how the CLOUD Act works for data storage in Europe. Many experts assumed that there is little to no risk when data is processed by a European service provider. In practice, this is much more nuanced, the law firm concluded.

One conclusion was that European companies can indeed be pressured by non-European regulations. "Even data and (personal) data that are processed and stored in Europe, and thus in principle are and remain in Europe, sometimes fall under U.S. law and can be requested by the U.S. government based on the CLOUD Act," Greenberg Traurig wrote in its analysis of the CLOUD Act (2).

Extraterritorial legislation in a nutshell

The law firm's conclusion is not strange. The General Data Protection Regulation (GDPR) works the same way. European privacy laws apply not only within the European Economic Area (EEA), but also in other parts of the world. This is also known as extraterritorial legislation.

For example, the GDPR requires that data storage and processing in countries outside the EU enjoy a similar level of protection. The European Court of Justice ruled in the summer of 2020 that this was not the case in the US. Therefore, the court drew a line under the Privacy Shield. Currently, there is an agreement in principle on the table, and negotiators are busy working out its final details.

There are also similar laws and regulations outside the EU and US. The best known of these is the Chinese Data Security Law. This law regulates data processing and exchange not only in China, but also outside it. The moment data is potentially important to China's national security or social interests, companies are required to hand over data to the government, secret service or the People's Liberation Army.

Doesn't matter if companies store their data in the U.S. or EU

After Greenberg Traurig presented its findings, the NCSC was asked several times about the risk of information in Europe being requested by the U.S. government under the CLOUD Act. The advisory body again decided to engage the law firm to formulate an answer to this question.

The study shows that the U.S. government can use the CLOUD Act to access European personal data. In practice, however, that chance is very small. After all, on the other side of the ocean, an integral risk analysis must be made. In doing so, a sharp distinction must be made between hypothetical risks and actual risks. It is difficult to make that distinction crystal clear.

"This insight is important for organizations when making risk assessments around the deployment of certain digital services and facilities," the NCSC concludes. The agency says that "in principle, it does not matter whether organizations invest data processing and/or storage with U.S. vendors, or whether they do so with European vendors under U.S. jurisdiction."

The NCSC emphasizes that only the impact of the CLOUD Act's extraterritorial legislation on data processing and storage in Europe has been mapped. This says nothing about the risks of such legislation from other countries. More research is needed for that.

  1. https://www.ncsc.nl/actueel/weblog/weblog/2022/kleine-kans-dat-amerikaanse-overheid-toegang-krijgt-tot-europese-gegevens-op-basis-van-de-cloud-act

  2. https://www.ncsc.nl/actueel/weblog/weblog/2022/de-werking-van-de-cloud-act-bij-dataopslag-in-europa
