Data Protection Authorities and EDPS Assess Impact of US CLOUD Act
Following a request to the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE), the European Data Protection Board (EDPB), and the European Data Protection Supervisor (EDPS) adopted a joint initial legal assessment of the impact of the US CLOUD Act on the EU legal data protection framework and the mandate for negotiating an EU-US agreement on cross-border access to electronic evidence for judicial cooperation in criminal matters. The legal assessment focuses on compliance of the US CLOUD Act with the requirements of Arts. 6, 48, and 49 of the GDPR.
The CLOUD Act allows US law enforcement authorities to request the disclosure of data by service providers in the USA, regardless of where the data is stored (for details, see eucrim 1/2018, p. 36; 4/18 p. 207 and the article by J Daskal, eucrim 4/2018, pp. 220-225).
In their reply to the LIBE Committee, the EDPB/EDPS stress that a future international agreement between the EU and the USA, for which the Commission recently obtained a negotiation mandate, must contain the following guarantees:
- Strong procedural and substantive fundamental rights safeguards;
- The necessary level of protection for EU data subjects;
- Legal certainty for businesses operating in both jurisdictions.
Furthermore, an “EU-level approach” is needed, which, inter alia, requires that U.S. law enforcement authorities be put on an equal footing with EU law enforcement authorities to obtain e-evidence.
Ultimately, the EDPB/EDPS also emphasise that there is an urgent need for a new generation of mutual legal assistance treaties that contain strong data protection provisions, such as guarantees based on the principles of proportionality and data minimisation or the “criminality principle.”
The legal assessment also summarises the replies of the EDPS of 2 April 2019 to the Commission regarding the planned EU-US e-evidence agreement (see eucrim 1/2019, p. 41).