CCBE Assesses U.S. CLOUD Act
The Council of Bars and Law Societies in Europe (CCBE) scrutinised the U.S. CLOUD Act. It allows U.S. federal law enforcement to compel U.S.-based technology companies to provide requested data stored on servers via warrant or subpoena − regardless of whether the data are stored in the USA or on foreign soil. By means of “executive agreements,” it also foresees that law enforcement authorities from foreign “qualified countries” will have equal access to the data of U.S. companies (see eucrim 1/2018, p. 36, and the article by J.Daskal in eucrim 4/2018, pp. 220-225).
In a paper issued on 28 February 2019, the CCBE remarked positively that the CLOUD Act provides for a greater degree of legal certainty. Several concerns remain, however, in particular as regards its consistency with European law. The following issues are, inter alia, of general concern:
- Extraterritorial jurisdiction;
- Conflicts with the EU’s fundamental rights and the GDPR;
- Weak (judicial) review;
- Lack of post-authorisation supervision;
The CCBE also voiced specific concerns over the lack of protection of legal professional privilege and professional secrecy. The current approach of the CLOUD Act deprives European citizens of this important European right, and disclosures would run contrary to several domestic laws of EU Member States.
In addition, the CCBE identified a gap in the existing U.S.-EU data protection scheme, since the Privacy Shield does not cover the transatlantic transfer from a private entity to government authorities for law enforcement and prosecution purposes.
In conclusion, the CCBE recommends that the EU negotiate a mutual legal assistance (MLA) treaty with the United States that explicitly refers to the U.S. CLOUD Act. Such an MLA treaty would provide precise requirements for the transfer of data and would not undermine the level of protection provided by fundamental freedoms valid in the EU.
Furthermore, a notification scheme should be established by means of which an independent European authority would be informed prior to a data transfer from a private entity to U.S. agencies.
On the basis of such an MLA treaty, legal professional privilege and professional secrecy must be an accepted ground for refusing data transfers to the USA under the CLOUD Act.
Together with the opinion of the EDPS of 2 April 2019 on negotiations planned between the European Commission and the USA over how to handle the transfer of e-evidence between the EU and the USA under the CLOUD Act (see eucrim 4/2018, 207), the CCBE paper is the second important contribution to the discussion on the “external dimension” of future international rules on e-evidence. Both the EDPS and the CCBE have come to similar, critical conclusions.