![\"\"](\"https:\/\/legrandcontinent.eu\/fr\/wp-content\/uploads\/sites\/2\/2020\/09\/Capture-decran-2020-09-14-a-00.02.21.png\")
<\/a>T\u00e9l\u00e9charger<\/a><\/div>\n\n\n\nPursuant to this Act, the order took the form of a SCA warrant issued by a federal judicial authority and based on reasonable evidence (\u201cprobable cause\u201d) that the user\u2019s email account was used in connection with unlawful activities. Microsoft was given two weeks to turn over the requested information and data. In addition to that, it had to wait 30 days before informing its client. As a matter of fact, the latter was not a US citizen, nor a resident alien ; however, this was not considered material in the course of the legal dispute.<\/p>\n\n\n\n
After disclosing the customer\u2019s data stored in the United States, Microsoft refused to hand over the contents of the email account that was stored in Ireland. Up until then, such requests, be they for content, user data or metadata <\/span>1<\/sup><\/a><\/span><\/span>, have never given rise to difficulties on the grounds of the relevant data being stored abroad. Nonetheless, Microsoft (supported more or less overtly by other GAFA <\/span>2<\/sup><\/a><\/span><\/span> companies) considered it was the right moment to question the scope of a legislation adopted in 1986 and barely revised ever since, despite the fact that in the past three decades the use of electronic data storage by external providers, once extremely costly and rare, soared, that data centers are disseminated worldwide, and that a growing share of clients are conscious about the place their data is stored and the protection it is afforded.<\/p>\n\n\n\n Several judicial proceedings followed the refusal to comply with the warrant. In short, Microsoft lost the first trial, but the Court of Appeals for the Second Circuit in New York ruled in its favor, stating that an SCA warrant cannot compel a provider of electronic communication, processing or storage services <\/span>3<\/sup><\/a><\/span><\/span> to communicate data stored abroad to the US administration. <\/span>4<\/sup><\/a><\/span><\/span> By deference to foreign sovereignty and in accordance with principles of private data protection, such discovery orders are to follow the process of international legal cooperation, that is, either a procedure laid down in a Mutual Legal Assistance Treaty (MLAT), or international letters rogatory.<\/p>\n\n\n\n Let it be said here : these procedures allow authorities seeking to retrieve electronic data to ask for the assistance of the officials of the country where such information is stored ; who then collect it, provided that certain conditions are met (legitimacy, lawfulness, precision of the request, purpose for which the information may be utilized, etc.), political and diplomatic considerations never being entirely absent. The duration (several months) and the cumbersomeness of these procedures are ill-suited to the needs of the fight against crime \u2013as the latter benefits from the facilitation provided by modern communication technologies.<\/p>\n\n\n\n The ruling of the Appellate Court for the Second Circuit relied on SCA\u2019s lack of extraterritorial reach in the absence of any explicit indication to that effect, as well as on a \u201cchange in circumstances\u201d theory according to which, nowadays, customers of online services providers store more data than ever before on cloud and are entitled to expect their data to benefit from the same protection against searches and seizures as if it were stored at the corporate headquarters or at their physical domicile. These customers are increasingly conscious about the place their data is stored and justified in thinking that the provisions ruling the disclosure of their data are set by the country where the information is stored or where the provider (to whom data is entrusted) is located. The notion of \u201clegitimate expectation\u201d is one of the criteria that the US Supreme Court applies in order to find the right balance between the tools available to law enforcement for criminal investigations (searches, seizures, wiretaps, GPS localization and other means of investigation\u2026), and the prohibition of unreasonable searches and seizures under the Fourth Amendment to the United States Constitution <\/span>5<\/sup><\/a><\/span><\/span>.<\/p>\n\n\n\n This ruling did not change the case law, as other courts continued to issue and recognize SCA warrants relating to data stored abroad ; even so, in the absence of a clearly established solution, GAFA companies started resisting such requisitions by relying on the Microsoft precedent.<\/p>\n\n\n\n The US Government filed an appeal with the Supreme Court, which accepted to hear the case. Multiple Amicus curiae <\/span>6<\/sup><\/a><\/span><\/span> were submitted to the Court, including one from the European Commission. Yet before the Court\u2019s ruling, Congress passed the Clarifying Lawful Overseas Use of Data Act as a rider to an omnibus government spending bill for 2018. As its name suggests, this legislation clarifies the SCA and excludes location of data center as a ground for opposing the production of electronic data requested by the US administration from a US-based online services provider in the course of a criminal investigation. The law was enacted on March 23, 2018 and came immediately into effect. With the agreement of the parties involved, the Supreme Court acknowledged that the case was moot (the US administration could obtain a new warrant under the newly passed law, with which Microsoft would have to comply) and remanded it back to the Court of Appeals for the Second Circuit to draw the due consequences <\/span>7<\/sup><\/a><\/span><\/span>.<\/p>\n\n\n\n GAFA, which had supported Microsoft in its battle against the US administration, surprisingly welcomed the adoption of the CLoud Act, Microsoft included. In point of fact, economic players entertain the utmost aversion for legal uncertainty ; if there was one matter everyone could agree on \u2013including the judges of the Court of Appeals for the Second Circuit\u2013 it was that the best solution had to be a legislative undertaking.<\/p>\n\n\n\n The arguments exchanged between the parties during the Warrant case can help understand the scope of the CLOUD Act, which includes quite a few provisions beside the one that renders the matter of data location irrelevant. As is frequently the case, they are both legal and political in nature.<\/p>\n\n\n\n To oppose the communication of data stored outside the United States, Microsoft contended that :<\/p>\n\n\n\n The US administration argued that : <\/p>\n\n\n\n The US administration responded to these difficulties with the CLOUD Act.<\/p>\n\n\n\n Unhappy with simply using the law in order to invalidate the Court of Appeal\u2019s ruling, it went further by proposing solutions to US companies (i.e. GAFA) in case of a conflict of laws, and by offering its partners a framework for a more effective international police cooperation ; in return, the US administration hopes that countries will refrain from passing data localization policies, which would undermine the desired goal, that is, facilitating data access, as well as risk placing its companies at a competitive disadvantage. Its manifold objectives render this legal instrument quite complex.<\/p>\n\n\n\n What we have here is a four-time waltz :<\/p>\n\n\n\n 1. <\/strong>Every online services provider based in the United States must hand over to the US administration communication data requested through a SCA warrant, no matter where it is stored, as long as it is in the provider\u2019s possession, custody or control.<\/p>\n\n\n\n From a legal point of view, and as many authors put it, the CLOUD Act does not change the state of American law regarding the substantive conditions that such warrants shall meet to be lawful : the request must be addressed to an online services provider ; <\/span>12<\/sup><\/a><\/span><\/span> this provider must fall under the jurisdiction of the United States ; the data requested shall be in the provider\u2019s possession, custody or control ; <\/span>13<\/sup><\/a><\/span><\/span> the request must be justified by the needs of a criminal investigation ; it must be validated by an American judicial authority <\/span>14<\/sup><\/a><\/span><\/span>, which checks the merits (serious suspicion that an offense has been committed or is about to be committed), the relevance (the data sought are actually likely to be of interest to the investigation) and the proportionality.<\/p>\n\n\n\n Likewise, contrary to what has been often said, the CLOUD Act is not a genuinely extraterritorial piece of legislation : it applies to any US-based company, as well as to its subsidiaries \u2013even if registered abroad (see below). Yet, this is a broad understanding of the territorial scope of US law, but not, strictly speaking, an extraterritorial reach.<\/p>\n\n\n\n The novelty lies in the fact that, should the requested data be physically stored outside the United States, it is no longer an obstacle to its communication to the American authorities. Therefore, GAFA, which are tech companies registered in the United States, are to communicate any data stored in the US or in a foreign country upon request by the US authorities, even if said data belongs to a foreign company or individual and has been entrusted to a GAFA subsidiary registered abroad. As GAFA companies control the most part of the global cloud, and this is the point, critics of the CLOUD Act consider that the United States offered itself access to all data worldwide.<\/p>\n\n\n\n Moreover, the CLOUD Act does not affect the guarantees offered by the SCA. Based on the CLOUD Act, US officials can order the production of electronic data from online services providers only as part of a judicial procedure and with a warrant or a court order. In Europe, we were quick to conclude that the CLOUD Act was the means for the US administration to get hold of our companies\u2019 strategic data, pillage our knowledge or lock up our CEOs. This might be simple scaremongering. The CLOUD Act\u2019s first purpose is to obtain the communication of data from individuals or companies suspected of having committed misdemeanors or crimes. In principle, this is not the case for most of our companies.<\/p>\n\n\n\n 2.<\/strong> If a SCA warrant places an online services provider in a conflict of laws situation because data is stored in a country whose law prohibits such data communication, it is for the court before which the case is brought to apply, if need be, common law principles of comity, that is, international courtesy principles recognized by US courts. This standard allows it to refrain from applying (or to apply in a more nuanced way) US law when major interests of foreign countries are at stake.<\/p>\n\n\n\n The purpose of this explicit reference to the common law principles of comity is to discourage partner countries from passing data localization policies, which would, for instance, require online services providers in said countries to register their parent companies outside the United States in order to avoid being subject to the CLOUD Act <\/span>15<\/sup><\/a><\/span><\/span> (an unlikely hypothesis, unless they want to get by without GAFA\u2019s services), or policies that would compel certain companies to entrust their data to only those sovereign clouds that have no connection to the United States. Without taking anti-GAFA measures, it is as of now sufficient that concerned countries adopt policies that seem necessary to them in order to protect data entrusted to the GAFA against the CLOUD Act\u2019s exorbitant effects by applying the principles of comity.<\/p>\n\n\n\n The inclusion of such a principle in the SCA appears to be a progress, as many authors doubted it was applicable to this piece of legislation ; on the other hand, the statute does not delineate the boundaries of this principle. Yet, US case law shows that US courts rarely agree to recognize the existence of a conflict between US law and European law \u2013often regarded as less binding (see below). In addition to that, the appropriate legal procedure in case a provider seeks to enforce common law principles of comity is not by way of an action, but as a defense to a contempt of court procedure following the refusal to execute the warrant. Thus, the provider would have to take a significant risk.<\/p>\n\n\n\n To put things differently, the explicit reference to the common law principles of comity in the law is progress, but its actual implementation remains unclear, uncertain and will depend on the determination of judges.<\/p>\n\n\n\n 3.<\/strong> Foreign governments may sign a bilateral treaty with the United States through which each administration could turn directly to providers in another jurisdiction to request relevant data without the need for a MLAT or international letters rogatory.<\/p>\n\n\n\n In practice, were France to sign such an agreement with the United States, French authorities could request directly tech companies registered in the US to provide data relevant to French investigations held under their control, without having to resort to the Department of Justice. US law would no longer hinder the disclosure of requested data, as is presently the case. Reciprocally, US authorities would be allowed to appeal directly to tech companies registered in France, for instance Orange, requesting the latter online services provider to hand over communication data under its control, without involving French authorities.<\/p>\n\n\n\n It is important to note, as of now, that the CLOUD Act prohibits explicitly such agreements from enabling foreign governments to retrieve data pertaining to US persons. This point is crucial and will be developed below.<\/p>\n\n\n\n Besides, in order to limit the disclosure of personal data to investigation services all around the world, the CLOUD Act states that warrants issued in virtue of such bilateral agreements can only target \u201cserious crimes\u201d.<\/p>\n\n\n\n These international agreements will take the form of executive agreements, i.e. agreements which do not require a 2\/3 majority vote in the Senate, or the passing of a law by both Houses of the US Congress. The agreement enters into force as long as both Houses do not vote against it by a joint resolution within 180 days after its notification to the Congress. Only countries that respect human rights and meet democratic standards are eligible to the signing of these agreements.<\/p>\n\n\n\n In reality, the CLOUD Act organizes on a world scale what the e-evidence regulation and directive projects attempt to set up at the European level, that is, the possibility for investigating authorities in each country to obtain the disclosure of communication data relevant to their criminal investigations, by appealing directly to online services providers which process or store such data, rather than going through the conventional international legal cooperation framework. The express intent is to match the rhythm of criminal investigations to that of crime itself.<\/p>\n\n\n\n The possibility of signing these international agreements in such an expedite fashion is a source of consternation for US human rights associations. In any case, US persons (notably, US citizens) have nothing to fear from these executive agreements, as they cannot cover data that belongs to US persons. On the contrary, an executive agreement with, say, China, would allow the latter to retrieve data concerning (as the case may be) political dissidents from GAFA, without any intervention from the US administration. Of course, this would not be possible unless China met the human rights protection standards outlined by the policy and conditioning the signing of an executive agreement by the United States. Still, human rights associations criticize precisely the power of the US administration to weight those standards without proper supervision from the Congress.<\/p>\n\n\n\n 4. <\/strong>Lastly, as a way to encourage foreign countries to sign executive agreements, the CLOUD Act states that any online services provider, American or foreign, required by the US authorities to communicate data stored in a country bound by such an agreement may, in a conflict of laws situation, request an exemption through a fast and direct special procedure (which should be less risky than defending a contempt of court case).<\/p>\n\n\n\n The statute extensively details the criteria that the court before which the matter is brought must take into account when deciding whether to quash or modify the warrant : serious risk of sanctions for the provider ; the interests of the United States in obtaining the litigious data ; the interests of the foreign government in preventing disclosure ; the location and nationality of the customer ; the nature of its ties with the United Stated ; the importance of the investigations already conducted and the importance to said investigations of the information to be disclosed ; the likelihood of proper access to requested information by means causing less negative consequences.<\/p>\n\n\n\n Without any precedent on this matter, the precise differences between the ordinary procedure (i.e. the common law principles of comity) and the special procedure (comity analysis) available only for the disclosure of information stored in countries that have signed an executive agreement, is hard to understand. As the US Government\u2019s objective is to encourage its partners to sign executive agreements, expressly enumerating the criteria of assessment in comity analysis should make them more effective, operational and trustworthy.<\/p>\n\n\n\n On April 2019, the US Department of Justice released a White Paper regarding the purpose and impact of the CLOUD Act <\/span>16<\/sup><\/a><\/span><\/span>. <\/p>\n\n\n\n The document mainly highlights the advantages of the CLOUD Act for the criminal investigations of foreign governments that would enter into an executive agreement with the US thanks to the Act. It also minimizes the scope of the Act by reminding that the statute does not change the substantive conditions under which the US law enforcement authorities may issue SCA warrants, except regarding the place where the date is stored, which become irrelevant.<\/p>\n\n\n\n More interestingly, the US government seems to have understood the commercial prejudice that the CLOUD Act may have created for the major US tech companies whose subsidiaries face, in various countries in the world, the reluctance of foreign corporations to keep entrusting US online services providers with their data. In order to mitigate this side effect of the CLOUD Act, the White Paper recalls that foreign tech companies are not necessarily out of the scope of the Act if they provide services in the US and have \u201csufficient contacts\u201d with the US to be subject to US jurisdiction (see below).<\/p>\n\n\n\n As with any legislation, the CLOUD Act contains several unknowns of unequal importance. Let us address two of them.<\/p>\n\n\n\n First, the CLOUD Act does not allow determining whether the European Union could sign an executive agreement with the United States on behalf of its member States. The law uses the words \u201cforeign government\u201d to designate the partners entitled to sign an executive agreement with the United States. Clearly, the European Union is not a government. It seems that, by using such terms, the United States indicates that it does not want to be involved with European Union countries whose compliance with democratic standards is not assured.<\/p>\n\n\n\n Admittedly, on September 25, 2019, the US and the EU started to negotiate an executive agreement on the basis of the CLOUD Act, which tends to prove that the CLOUD Act enables the US government to sign such agreement with that specific international organization that is the EU. However, it results from the report from the EU Commission on the first round of negotiations that the objective of the US is to negotiate a framework agreement with the EU, supplemented later by bilateral agreements with individual EU Member States. <\/span>17<\/sup><\/a><\/span><\/span> During the second round of negotiations, on November 6, 2019, the US highlighted its concerns on the rule of law situation in some EU Member States. <\/span>18<\/sup><\/a><\/span><\/span><\/p>\n\n\n\n Second, it is unclear to which extent the CLOUD Act could apply to companies registered outside of the US.<\/p>\n\n\n\n Clearly, the CLOUD Act applies to data entrusted to foreign subsidiaries of companies registered in the US, either because the data is in reality under the parent company\u2019s control, according to US authorities, or because, in any case, the CLOUD Act applies to every company under US jurisdiction : yet, US law includes companies registered in the United States, as well as their subsidiaries \u2013even if they are registered in a foreign country.<\/p>\n\n\n\n The statute applies also to the US subsidiaries of companies registered outside the United States (say the US subsidiary of Orange). Indeed, such subsidiary is registered in the United States. It is therefore incontestable that this subsidiary is subject to the CLOUD Act and is consequently under the obligation to hand over data under its control, wherever it may be stored. One may assume that such data has been handed into its custody by US persons.<\/p>\n\n\n\n On the other hand, the question whether the CLOUD Act could apply to data processed or stored by companies registered outside the US, but doing business in the US, is controversial.<\/p>\n\n\n\n From a legal standpoint, the application of the CLOUD Act to foreign companies could take three paths :<\/p>\n\n\n\n The data sought by the American administration and stored outside the United States by a foreign company would be claimed from the US subsidiary of this company, which would be regarded as having \u201ccontrol\u201d on this data. However, we find it difficult to consider that a US-based subsidiary of an online services provider registered outside the US could be seen as controlling the data entrusted to its parent or sister company\u2019s custody, unless in case of technical control.<\/p>\n\n\n\n Under US law, any person in the United States is subject to the jurisdiction of the United States. Should the term \u201cperson\u201d designate natural person and legal person such as companies, a French company doing business in the US might therefore be considered as subject to the jurisdiction of the US.<\/p>\n\n\n\n More convincingly, a company providing services in the United States may be considered by the US courts as subject to the jurisdiction of the United States if the importance of this activity justifies it (so-called \u201cdoctrine of sufficient contacts\u201d). Indeed, the American courts consider that it would be unfair with regard to US companies to exempt companies doing business in the United States but registered elsewhere, from the application of American law. The importance of the activity\/contacts that results in the submission of the concerned company to the jurisdiction of the United States is assessed by the court seized according to a case-by-case analysis.<\/p>\n\n\n\n Considering the fact that the foreign major competitors of the GAFA, such as Orange, usually do business in the US, otherwise they are \u201ceconomic dwarves\u201d, the application of the CLOUD Act to such companies would have significant consequences :<\/p>\n\n\n\n The case law has not yet clarified this point.<\/p>\n\n\n\n On October 3, 2019, the United States and the United Kingdom signed in Washington the first executive agreement under the CLOUD Act. Such executive agreement, named the US-UK Bilateral Data Access Agreement, is crucial since it should serve as a role model for other bilateral agreements.<\/p>\n\n\n\n The significant points of this agreement are the following :<\/p>\n\n\n\n Last, pursuant to a specific proceeding, UK may oppose the use of the data collected through the agreement for the prosecution of offences for which the death penalty is sought ; the same applies for the US when the use of the data may concern freedom of speech.<\/p>\n\n\n\n Article 11 of the agreement also provides that it supplements, and does not replace, nor affect, the other legal mechanisms available to the Parties to obtain electronic data from tech companies resulting whether from domestic laws or international agreements, notably mutual legal assistance.<\/p>\n\n\n\n As mentioned above, in September 2019, the US and the EU started to negotiate a similar executive agreement (see below) ; and, in October 2019, the US announced that negotiations are also on their way with Australia.<\/p>\n\n\n\n Although we focus our analysis on the US-UK Agreement, this question concerns all the executive agreements likely to be signed under the CLOUD Act.<\/p>\n\n\n\n As underlined above, the CLOUD Act prohibits the executive agreements that would be signed by the US with its partners from enabling foreign law enforcement authorities to retrieve directly from US tech companies data pertaining to US persons, whether natural or legal. Logically, following the principle of reciprocity governing international conventions, the US-UK Agreement provides that, when applying this agreement, the UK cannot target US persons or companies and reversely.<\/p>\n\n\n\n However, from a practical point of view, the US keeps the possibility to collect data concerning UK citizens, residents or companies through the direct application of the CLOUD Act since it is highly likely that most of the data pertaining to these persons is under the custody or control of GAFA. Therefore, the agreement is practically not reciprocal and can never be, like the other future executive agreements. This irreducible imbalance is aggravated by the fact that data that may be requested on the grounds of executive agreements can only concern serious crimes, whereas the CLOUD Act allows the US administration to deal with all sorts of incriminations, regardless of their seriousness.<\/p>\n\n\n\n Admittedly, one has to keep in mind the great advantage of such executive agreements for the investigating and prosecuting authorities of the partners of the US, since they will allow them to collect data possessed or controlled by GAFA all around the world directly from the US tech companies, without requiring the assistance of the US Department of Justice. The recovery time would be reduced from several months to a few days. <\/span>20<\/sup><\/a><\/span><\/span> Yet such retrieval shall not concern US persons, but it may concern any other natural person or legal entity, which is far from being insignificant.<\/p>\n\n\n\n In other words, foreign partners of the US, and especially European countries, which share with the US a joint attention towards human rights and a common will to fight crime, are placed, with the CLOUD Act and if they start negotiating an executive agreement, which is a diplomatic way of approving the Act, in the position of dropping the protection of their citizens and companies against US investigations and retrieval of data, in exchange for facilitated police investigations. This explains the difficulty met by their governments to reach a final opinion on the CLOUD Act, law enforcement departments thinking that it is a good piece of legislation, economic and data protection services being more circumspect.<\/p>\n\n\n\n Foreign partners of the US, and especially European countries, which share with the US a joint attention towards human rights and a common will to fight crime, are placed, with the CLOUD Act and if they start negotiating an executive agreement, which is a diplomatic way of approving the Act, in the position of dropping the protection of their citizens and companies against US investigations and retrieval of data, in exchange for facilitated police investigations.<\/p>emmanuelle mignon<\/cite><\/blockquote><\/figure>\n\n\n\n It is up to each citizen to form an opinion as to whether this exchange of good practices (application of the CLOUD Act by the US to retrieve data belonging to nationals or companies of their partners, in exchange for the possibility for these partners to collect directly from GAFA data concerning their criminal investigations unless it pertains to US persons) is equivalent to swapping one\u2019s birthright for a dish of lentils. Personally, I cannot prevent from thinking about this famous quote by Benjamin Franklin \u201cThose who would give up essential liberty to purchase a little temporary safety, deserve neither liberty nor safety, and would loose both\u201d, although the exact meaning of that quote may not be what we think it means.<\/p>\n\n\n\n It must also be agreed that the United States\u2019 partners do not really have a choice, since the CLOUD Act would apply whether they like it or not. The only solution to redress the balance would be to obtain from the US the amending of the CLOUD Act and the prohibition for SCA warrants issued on the basis of this statute to target nationals or companies from countries that have signed an executive agreement with it, which is very unlikely.<\/p>\n\n\n\n On February 5, 2019, the European Union Commission released a proposal, to be adopted by the Council, for a mandate to negotiate with the US an executive agreement under the CLOUD Act. The proposal was amended following technical discussions with Member States and adopted by the Council on June 6, 2019. Three rounds of negotiations with the US have already taken place.<\/p>\n\n\n\n With respect to the US-UK Agreement, the points that deserve attention are the following :<\/p>\n\n\n\n Last, and as abovementioned, it remains unclear whether the agreement will apply directly in all EU Member States or whether it will play the role of a framework, then followed by bilateral agreements between the US and each Member State (in which case the question that arises is whether the EU could accept that some of its Member States could not sign an agreement with the US).<\/p>\n\n\n\n Finally, and though it is sad to say, the CLOUD Act reveals European Union\u2019s weaknesses.<\/p>\n\n\n\n First weakness : the lack of European sovereign clouds. Yet, the issue has been on the table for at least 15 years : 15 years of dithering, procrastination, lack of ambitions, and lack of decisions. The European Union is supposed to empower each Member State, yet here is another area in which it has taken no action. France has not been standing still, for it tried to foster French sovereign clouds. For lack of stimulus, resources, continuity of effort, economic patriotism and, more seriously, conviction, not much came out of it ; meanwhile, GAFA\u2019s clouds conquered the market.<\/p>\n\n\n\n Second weakness : the absence of relevant and effective policies allowing GAFA to object to the disclosure of strategic European data to US authorities in the framework of the CLOUD Act \u2014 the notable exception being the GDPR.<\/p>\n\n\n\n As for the French \u201cBlocking Statute\u201d <\/span>21<\/sup><\/a><\/span><\/span>, which bans, under certain conditions, the communication abroad of sensitive economic data, it is of little importance for US courts, insofar as the acts it prohibits are never prosecuted. This is why, in its ruling Soci\u00e9t\u00e9 nationale industrielle a\u00e9rospatiale v. US District Court<\/em> (n\u00b085-1695) of June 15, 1987, the US Supreme Court refused to take into account this statute for releasing a French company from its obligations under US law, arguing that, in fact, French companies that disclose information in violation of the blocking statute are never sanctioned. <\/span>22<\/sup><\/a><\/span><\/span><\/p>\n\n\n\n For its part, in its 60 years of existence, the European Union has never managed to find the means to protect its companies\u2019 data by adopting a comparable but effective system. Even worse, several countries, among which France, never adopted the implementing provisions of Council Regulation n\u00b02271\/96 of 22 November 1996 (the \u201cEuropean Blocking Statute\u201d) protecting against the effects of the extra-territorial application of legislation adopted by a third country, and actions based thereon or resulting therefrom. The statute was intended to deter European companies from submitting to the demands of US embargos. Either such pieces of legislation are useful and therefore must be applied, or they are not and must be removed. Nothing is worse for our credibility than their existence in an inert state.<\/p>\n\n\n\n In its 60 years of existence, the European Union has never managed to find the means to protect its companies\u2019 data by adopting a comparable but effective system.<\/p>emmanuelle mignon<\/cite><\/blockquote><\/figure>\n\n\n\n Likewise, the European Union has recently passed a legal provision seeking to protect confidential business information. <\/span>23<\/sup><\/a><\/span><\/span> From now on, this provision, which has been transposed in Member States\u2019 national law, prohibits disclosure of data covered by business confidentiality to US authorities outside an international agreement \u2013 i.e. on the sole basis of a unilateral request which would be the case of a request issued in accordance with the CLOUD Act by the US administration to a US tech company \u2013 where the latter committed to the company that entrusted to it its data to protect its confidentiality. The eventual liability being civil (rather than criminal), it is however far from clear that US courts, in applying the common law principles of comity or the comity analysis procedure, would consider that failure to comply with EU rules protecting business confidentiality is so serious a ground as to place the GAFA in a conflict of laws situation releasing them from their obligations under the CLOUD Act.<\/p>\n\n\n\n In fact, only the GDPR may place a GAFA company under such a conflict of laws situation in case it is urged by US officials to produce personal data stored in Europe.<\/p>\n\n\n\n Indeed, Articles 44 et seq. of the GDPR establish the conditions under which personal data can be transferred to a third country or to an international organization. Pursuant to these articles, transfers are permitted under the following alternative conditions :<\/p>\n\n\n\n Thus, the transfer of personal data by a GAFA company to US authorities would not comply with the GDPR if it were based on a CLOUD Act warrant and not on a MLAT-like international agreement, an international rogatory letter, or an executive agreement negotiated with the United States. Such a GDPR violation could result in an administrative fine of up to 20.000.000 euros, or, in the case of a company, of up to 4 % of the annual worldwide total revenue for the previous year. Considering the magnitude of these sanctions, we may hope that US courts will find that the principles of international comity rule out a company having to violate the GDPR in order to abide by its CLOUD Act obligations.<\/p>\n\n\n\n That being said, it should be noted that the GDPR applies only to data concerning physical persons and not companies.<\/p>\n\n\n\nThe Competing Arguments<\/h2>\n\n\n\n
The CLOUD Act<\/h2>\n\n\n\n
The White Paper from the US Department of Justice<\/h2>\n\n\n\n
Some Unknown Factors<\/h2>\n\n\n\n
The US-UK Agreement : First Executive Agreement Under the CLOUD Act<\/h2>\n\n\n\n
The Critical Question of Reciprocity<\/h2>\n\n\n\n
State of Play of the US-EU Negotiations<\/strong><\/h2>\n\n\n\n
Unveiling European Powerlessness<\/strong><\/h2>\n\n\n\n