European data protection vs. US data collection
Posted: Thu Jan 30, 2025 10:07 am
Despite great panic and some initial difficulties, most companies have finally overcome the GDPR hurdle in recent weeks. But does this mean that the issue of data protection can be ticked off the list? No, unfortunately not. As we reported in April, there is also the US CLOUD Act, which stands for Clarifying Lawful Overseas Use of Data Act.
The CLOUD Act
This law was passed in March 2018 as part of the US budget bill. The goal: “Timely access to communications service providers’ electronic data is important to government efforts to protect public safety and combat serious crime, including terrorism.”
Unfortunately, the CLOUD Act does not only apply to people living in the USA, as the law also applies to personal data that is not stored in US data centers and also to non-US citizens. This means that the US authorities can also access data that is stored in a European data center, as the legislation can oblige US companies to hand it over immediately with a corresponding court order. The US government is thus trying to gain unhindered access to all kinds of data.
For people who do not live in the USA or are not US kuwait number dataset citizens, the provider still has the option of objecting to the release of personal data, but this is not a must. The US authorities can, for their part, file a lawsuit against the objection. The prospects that the courts will rule in favor of the authorities and then still obtain the data are relatively good. The legally required justification that it is in the interest of one's own country will probably be sufficient in many cases.
The problem is not only the possible release of data, but also that the people or companies affected may not even notice this. The provider is not obliged to inform them. In addition, the provider is no longer allowed to delete the data from the time of the authorities' request, even if the data is located outside the USA.
CLOUD Act vs. GDPR
It will quickly become clear that the US CLOUD Act does not fit with the recently introduced, stricter data protection regulations of the EU, the GDPR.
The main problem is that passing on personal data to US authorities under the CLOUD Act without the consent of a European court is a clear violation of European data protection law. This can be dangerous for companies, as data subjects have the right to take action against the controller and data processors under Article 82 of the GDPR. This can lead to claims for damages that not only cover material damage, but can also cover immaterial damage, i.e. a type of compensation for pain and suffering. In addition, it is likely to have negative consequences for a company's reputation if it becomes known that there are claims for damages in connection with the CLOUD Act.
The CLOUD Act
This law was passed in March 2018 as part of the US budget bill. The goal: “Timely access to communications service providers’ electronic data is important to government efforts to protect public safety and combat serious crime, including terrorism.”
Unfortunately, the CLOUD Act does not only apply to people living in the USA, as the law also applies to personal data that is not stored in US data centers and also to non-US citizens. This means that the US authorities can also access data that is stored in a European data center, as the legislation can oblige US companies to hand it over immediately with a corresponding court order. The US government is thus trying to gain unhindered access to all kinds of data.
For people who do not live in the USA or are not US kuwait number dataset citizens, the provider still has the option of objecting to the release of personal data, but this is not a must. The US authorities can, for their part, file a lawsuit against the objection. The prospects that the courts will rule in favor of the authorities and then still obtain the data are relatively good. The legally required justification that it is in the interest of one's own country will probably be sufficient in many cases.
The problem is not only the possible release of data, but also that the people or companies affected may not even notice this. The provider is not obliged to inform them. In addition, the provider is no longer allowed to delete the data from the time of the authorities' request, even if the data is located outside the USA.
CLOUD Act vs. GDPR
It will quickly become clear that the US CLOUD Act does not fit with the recently introduced, stricter data protection regulations of the EU, the GDPR.
The main problem is that passing on personal data to US authorities under the CLOUD Act without the consent of a European court is a clear violation of European data protection law. This can be dangerous for companies, as data subjects have the right to take action against the controller and data processors under Article 82 of the GDPR. This can lead to claims for damages that not only cover material damage, but can also cover immaterial damage, i.e. a type of compensation for pain and suffering. In addition, it is likely to have negative consequences for a company's reputation if it becomes known that there are claims for damages in connection with the CLOUD Act.