In the US, President Donald Trump just signed the Cloud Act, a law that leads to violations of the GDPR of the EU. The abbreviation stands for the Clarifying Lawful Overseas Use of Data Act (CLOUD), which complements the existing Stored Communications Act (SCA).
The new law requires Internet companies in the US to give US security agencies access to users' data - even if the data is not stored in the US.
Conversely, the CLOUD Act also gives foreign security agencies the ability to access US user data directly, and interested states can conclude a bilateral agreement with the USA to get access.
One of the reasons for this is said to be Microsoft's refusal to provide customer data stored in Ireland to US security authorities, which started a long-running legal battle between the United States and Microsoft Corp. The conflict ended at the US Supreme Court, the highest US court, and the Microsoft case has by now been dismissed by the Supreme Court. However, the question that now arises is how the Supreme Court will deal with the fact that the new law expressly permits something that was first to be decided judicially.
Among experts, the verdict has been expected for a long time, since it has a huge impact on data protection. If data stored outside the United States really must be released by US companies to US authorities at any time, this is a clear violation of the provisions of the General Data Protection Regulation (GDPR), which protects the data of EU citizens - wherever they are stored - even from access by public authorities.
The consequence of this is that a US online service can no longer legally be used by an EU company, as a breach of EU law, the GDPR, is inevitable. Nor are the effects on the US-EU Privacy Shield yet foreseeable. So far, EU data can be transmitted to US companies that have joined the ‘Shield’ because the level of data protection has been aligned with that of the EU. But the CLOUD Act means that the level no longer corresponds to that of the EU.
Consequently, the CLOUD Act must lead to online-based US services being regarded as insecure and not in compliance with data protection. To our knowledge, the EU has not yet responded, but it is expected to do so, and we will see how the topic evolves. Tech companies, advocates and lawmakers worldwide are impatiently watching.
By Daniela La Marca