Transfer of EU Personal Data to U.S. Law Enforcement Authorities After the CLOUD Act: Is There a Conflict with the GDPR?

Privacy and Security, Networks, the Internet, and Cloud Computing

Article Snapshot


Theodore Christakis


Cybersecurity and Privacy in a Globalized World: Building Common Approaches, Randal Milch and Sebastian Benthall, eds., New York University School of Law (e-book), pp. 60-75, 2019


United States’ law requires firms to turn electronic evidence over to law enforcement even when the data is stored in another country. The law may conflict with European privacy law, which limits data transfers to foreign governments.

Policy Relevance

European Data Protection authorities should clarify application of European privacy law to criminal evidence.

Main Points

  • Before passage of the Clarifying Lawful Overseas Use of Data Act (CLOUD Act), Microsoft refused to turn over the emails of a criminal suspect to authorities in the United States, because the emails were stored in a data center located in Ireland.
  • The CLOUD Act amended the United States’ Stored Communications Act (SCA), requiring firms to transfer data in response to orders or warrants issued by authorities in the United States, regardless of whether the data is located within or outside of the United States.
  • The EU’s General Data Protection Regulation (GDPR), which took effect in May 2018, limits the transfer of EU personal data to foreign governments, and may conflict with the SCA.
  • Under article 48 of the GDPR, the orders of non-EU courts and warrants are enforceable only according to processes established by international agreements such as mutual legal assistance treaties; however, article 49 also allows transfers “for important reasons of public interest.”
  • The European Commission (EC) suggests that serious criminal law enforcement efforts generally satisfy article 49; however, the European Data Protection Board (EDPB) takes a narrower view, suggesting that transfers of data under article 49 must be in the interest of the EU member state.
  • Ambiguous EC and EDPB statements leave Internet and Cloud Service Providers in an uncomfortable position.
    • Firms should not transfer EU data to the United States if the SCA warrant does not involve a serious crime.
    • Firms should ask courts to address the conflict between the SCA and the GDPR.
  • EU Legislators and the EDPB should provide clearer guidance in the future; an agreement between the EU and the United States on cross-border access to electronic evidence could resolve this issue.
