by Everett Monroe, Attorney at Hanson Bridgett LLP & Adjunct Professor at the University of San Francisco School of Law
The issue that United States v. Microsoft was going to address was a narrow one: did Microsoft have to obtain personal data stored by its Irish subsidiary in order to comply with a search warrant issued by a United States court? With the CLOUD Act’s passage, the issue on appeal was mooted by Congress’ explicit requirement that U.S. companies preserve and disclose personal data held overseas. But Microsoft raised an additional issue in the litigation leading up to the Supreme Court’s grant of certiorari, one that remains unresolved after the CLOUD Act’s passage: if the Government’s interpretation of the warrant requirement were correct, it could lead to companies having to violate the laws of the foreign country to satisfy a U.S. warrant. Ireland argued in its amicus brief in Microsoft that the proper way to seek the information was through the U.S. – Ireland Mutual Legal Assistance Treaty. Because Ireland’s Data Protection Act did not explicitly prevent the disclosure of personal data to U.S. authorities, however, Microsoft’s conflict of laws question remained merely hypothetical. With the implementation of the General Data Protection Regulation (GDPR) this week on May 25, that issue may now arise, and it could have serious consequences for companies that face conflicting legal obligations.
The CLOUD Act requires communication service providers to preserve and disclose data held overseas when served with a valid warrant or other appropriate court order, and only allows a service provider to quash or modify the order if (1) the customer or subscriber is not a U.S. person and is not in the U.S. at the time, and (2) the required disclosure would violate the laws of a foreign government that has entered into an executive agreement with the United States.
We will have to wait and see what those executive agreements look like. While Mutual Legal Assistance Treaties could have been used in Microsoft, obtaining data through them often takes months (or even years) to complete. What we do know is that without an executive agreement, there almost certainly will be a problem when the GDPR enters into force. Article 48 of the GDPR provides that judgments of non-EU courts requiring the transfer of data to non-EU countries will only be recognized when a relevant international agreement is in force.
The fact that the data sought may be that of a person in the United States makes no difference to the GDPR; its territorial scope is quite broad. Once a company stores personal data in a data center located in the EU, it is arguably subject to the GDPR and Article 48, even if the data sought pertains to a U.S. person.
This leaves companies with establishments or operations in both the U.S. and the EU in a bind, at least until executive agreements are in place between the U.S. and the EU or its member states. If a company in the U.S. receives a court order to disclose personal data stored in the EU after the GDPR goes into effect, it will have to choose between violating EU law by disclosing it in the absence of an international agreement or potentially finding itself in contempt of a U.S. court without a means to quash the subpoena due to the conflict of law issues.
Any executive agreement would theoretically need to incorporate the protections of the GDPR. Some of the groundwork for that was laid through the signing of the U.S. – EU Umbrella Agreement, which sets conditions for, but does not authorize, data transfers between law enforcement agencies in the U.S. and EU. But those conditions are not, by themselves, sufficient grounds for challenging the court order when the disclosure is for a U.S. person. The CLOUD Act only allows a communications service provider to challenge the order when the data pertains to a non-U.S. person not currently in the United States. If a U.S. Attorney obtains an order for the data of a U.S. person that does not conform to the conditions of the executive agreement, the company still cannot challenge it, even though it would not meet the requirements of Article 48. Given the new penalty structure of the GDPR that authorizes fines of up to four percent of global revenue, many companies in the U.S. may find it cheaper to not upset EU Data Protection Authorities than to risk contempt of court in the United States.