By Théodore CHRISTAKIS
Professor of International Law, University Grenoble Alpes
Deputy Director, Grenoble Alpes Data Institute
Member of the Institut Universitaire de France
Member of the French Digital Council (“Conseil National du Numérique”)
In a study published last December upon the request of CEIS and Microsoft, we highlighted the implications that the so called “Microsoft Ireland Warrant Case”, opposing the U.S. government to Microsoft before the US Supreme Court, could have for personal data protection of European citizens and national digital sovereignty. The Supreme Court’s decision was expected in June 2018 but the U.S. Congress came to the rescue of the American government by adopting in March 2018 the so called “CLOUD Act” (‘Clarifying Lawful Overseas Use of Data Act’). As a result, the case became moot and the Court decided to dismiss it after a joint request by the two parties. Yet, the legal questions raised by the “Microsoft Ireland” case still remain. The adoption of the “CLOUD Act” along with the “E-Evidence” project presented by the European Commission on 17 April 2018 mark the starting point of a ground-breaking legal work which will likely keep the USA, the EU and many States busy for the years to come.
The Microsoft Ireland case and the crucial issue of extraterritoriality
At the heart of the “Microsoft Ireland” case was the issue of access to electronic data by law enforcement authorities (“LEAs”). Technological evolutions and the “digitalisation” of people’s lives constitute a tremendous challenge for law enforcement and legal authorities as they need to access evidence located on servers or IT and Cloud systems that are often based abroad. Beyond “cybercriminality”, such evidence can be linked to any type of offence, be it terrorism and its financing, fraud and financial offences, money laundering, murders, aggressions and violent crimes, human trafficking, drug trafficking, child pornography and other forms of child abuse. Both the U.S. government and Microsoft agreed that there was a need to find solutions that would allow legal authorities to access digital evidence. However, they disagreed on how to do so and how to solve the numerous related legal challenges.
Another element on which Microsoft and the U.S. government seemed to agree was that the 1986 “Stored Communications Act” (SCA), under which the warrant of the case discussed here had been issued, could not have an extraterritorial reach. The U.S. Court of Appeals for the Second Circuit, which ruled in favour of Microsoft, had also concluded that “Congress did not intend the SCA’s warrant provisions to apply extraterritorially” and the majority of the judges had then called for the revision of “a badly outdated statute”, written well before the advent of emails and the cloud.
For Microsoft –and the Court of Appeals– things seemed therefore pretty simple: a warrant issued under the SCA could not be applied to data stored in Ireland insofar as this warrant could not have extraterritorial effects. If the U.S. government wished to access this data, it had to make a request to the Irish authorities within the existing framework of judicial cooperation – under the Mutual Legal Assistance Treaty (MLAT) between the two countries. In contrast, for the U.S. government, there was no “extraterritorial application of the law” to the extent that the data could be accessed from the United States (even though they were stored in Ireland). Somehow, the logic of the Department of Justice was that “everything was taking place on U.S. territory” and that there was therefore no “extraterritoriality”. For the U.S. government then, the only relevant criterion was the location from which the data could be accessed. In the study mentioned above, we had highlighted the controversial character of this argument that could be used by any government in the world, with the possible abuses that one can imagine. The CLOUD Act adopted last March brought these controversies between the U.S. government and Microsoft to an end by clearly giving an extraterritorial reach to U.S. law.
The CLOUD Act viewed from Europe
The legal issue is from now on solved from the U.S. law perspective. Nonetheless, it is far from being solved from the other countries’ perspective. The adoption of the CLOUD Act as such does not bring any solution to the many issues we had raised in our study: eventual conflict of laws; risks of compromising the digital sovereignty of other countries; and, mainly, human rights concerns including, but not limited to, risks related to privacy protection and respect of the General Data Protection Regulation (GDPR), which is now applicable.
Some welcomed the fact that the CLOUD Act introduced the possibility for Internet and Cloud Service Providers to request an American judge to quash or modify such warrant if the latter is in conflict with the laws of another country. In reality, and aside from the fact that these motions are subject to many conditions, there is no huge novelty here since companies could already, before the CLOUD Act, make similar requests to the judge. This is what Microsoft actually did. It is of course constructive that the CLOUD Act “formalises” into a specific and clear provision such an informally pre-existing right to request what we call, in U.S. Law, a “comity analysis”. On the other end, the CLOUD Act does not create any obligation for the judge to cancel or modify a warrant if such a conflict of laws is proven. An American judge could thus decide that the “national security considerations” of the United States (which are increasingly being interpreted in a broad way by the Trump administration, as seen in the legal basis invoked to justify the recent trade tariffs…) should win over the interests of third countries and their citizens.
The real breakthrough of the CLOUD Act is of a different nature: it gives the U.S. government the possibility to conclude bilateral agreements on data sharing with a limited number of countries. These agreements would enable to avoid conflicts of law but could also –and this is a major incentive for European countries– enable them to ask Internet and Cloud Service Providers to provide (limited categories of) data stored in the United States, which is today impossible on the basis of the SCA (Americans want to access European data but forbid Internet and Cloud Service Providers from disclosing data stored in the US…). A series of conditions are provided for in the CLOUD Act to conclude such agreements, including the respect by the contracting countries of human rights requirements set in U.S. law. It is interesting to note that these agreements would come into force through a simple signature from the American Executive. It would therefore not need to go through the risky procedure of Congress ratification, even if the latter will retain veto power for 180 days.
An agreement between the United States and the European Union?
Ideally then, things would be simple: the United States would conclude with the European Union a bilateral agreement that would prevent conflicts of laws and also set up, on equal and reciprocal terms, a cooperation that would be both fruitful and respectful of human rights. “Simple?” Not really.
The main issue is that the United States does not seem so inclined to concluding an agreement with the European Union. The United States seem to consider that some of the 28 Member States of the European Union do not provide a level of protection equivalent to that of the United States with regards to human rights. The United States would certainly not see any obstacle to concluding an agreement with France, Germany or other countries, such as the United Kingdom. With the latter, negotiations of a bilateral agreement are actually well underway. The situation is rather different nonetheless with countries such as Poland or Hungary, which seem to crystallise American frustrations. The United States would therefore prefer to conclude an agreement with a selection of Member States of the European Union rather than with the Union itself. This is evidenced in the CLOUD Act itself, which only provides the possibility to conclude agreements with “Qualifying Foreign Governments” but not with international organisations such as the EU.
E-Evidence steps in
Nevertheless, the European Union does not seem to see eye to eye. Indeed, the Commission introduced on 17 April 2018 an important legislative package called “E-Evidence”, which is a kind of European “CLOUD Act” aimed at facilitating access to electronic evidence by European police and judicial authorities. Unlike the CLOUD Act -which was adopted quietly and without any real debate in Congress as an annex to the Omnibus Spending Bill- the E-Evidence project is the fruit of an important work that took many years. It is composed of a 68-page draft regulation (yes, it is lengthy, as usual, but at least it is 20 pages shorter than the GDPR…), a draft directive (22 pages) and a 283-page impact assessment study. While the legal process in the European Union is still at the early stages –the project will now be reviewed by the Council and the Parliament– we should already highlight at least two of its aspects.
First, the E-Evidence project, even though it can certainly be further improved, already grants significant prominence to human rights and the European acquis in this field while taking into account the privileges and immunities and fundamental interests of the third countries concerned.
A second aspect worth mentioning is that the E-Evidence project states its extraterritorial effect as clearly as the CLOUD Act… This would arguably put Europe and the United States on an equal footing in the negotiation of bilateral agreements.
Conclusion: Future challenges
This takes us back to the issue of concluding bilateral agreements. Now that the European Union has clearly stated its competence in this field with the introduction of the E-Evidence package, it is politically and legally sensitive for the Member States of the European Union to start or pursue bilateral negotiations with the United States in order to conclude the agreements envisioned in the CLOUD Act. In fact, the European Union seems willing to undertake this negotiation with the United States. Yet, how can this highly difficult equation be solved while the United States prefer to negotiate with the Member States themselves? One solution would be for the United States and the European Union to conclude a framework agreement that could be followed, if necessary, by the conclusion of bilateral agreements with Member States. Whichever form these agreements take, three things seem important in that regard:
1) Things need to be fast. As it is, the CLOUD Act has clearly given an extraterritorial reach to U.S. law. This could create several conflicts of laws for Internet and Cloud Service Providers if we consider that article 48 of the GDPR (and domestic member States laws) in principle do not allow, with the exception of rare derogations (under for example article 49 of the GDPR), for Internet and Cloud Service Providers to hand over to the U.S. authorities European data stored in Europe (for an interpretation of articles 48 and 49 of the GDPR see our aforementioned study). In that light, it would be desirable that the European Data Protection Board, an authority that gathers together the EU national data protection authorities, removes any ambiguity on that particular issue. A clear position of the Board on the contrariety of such transfer of personal data with the GDPR could actually put pressure on the United States to enter into negotiations with the European Union. Otherwise, the United States could think that there is no reason to rush and conclude international agreements when the current situation is advantageous for them.
2) It would be desirable for E-Evidence to be quickly adopted, before the end of the current term of office of the European Parliament. This entails a meticulous work to improve this legislative project, generally well thought and prepared, and fix some remaining problematic issues.
3) Finally, the bilateral agreements that could be concluded with the United States have to match the requirements of the Charter of Fundamental Rights of the European Union and the European Convention of Human Rights, as well as those set by the case law of the Court of Justice of the European Union and the European Court of Human Rights. An agreement between the United States and the European Union could be subject (most probably upon request of the European Parliament itself) to review by the European Union’s Court of Justice. Yet, we know what happened over the last few years with other transatlantic agreements on data transfers (such as the Safe Harbor with the United States or the PNR agreement with Canada…) subject to review by the Court. It will thus be necessary to comply with all human right requirements in order to avoid further disappointments…
 The views expressed in this article are those of the author and do not engage any Institution.