Data Localization Under the CLOUD Act and the GDPR

Abstract

On March 23, 2018, the U.S. Congress enacted the CLOUD Act to resolve the highly anticipated question before the Supreme Court in Microsoft Ireland, regarding the U.S.’s ability to access international cloud data. In one of the most far-reaching changes to U.S. surveillance law in decades, the CLOUD Act establishes the extraterritorial reach of the Stored Communications Act (SCA) in two main steps. Its immediate effect occurs in the law’s “Step One,” which confirms that the SCA extends internationally. In “Step Two,” the CLOUD Act sets up a process for the creation of bilateral executive agreements between the U.S. and foreign governments to provide reciprocal authority to make direct requests for information from cloud providers in the other’s jurisdiction. Under both circumstances, the cloud provider may move to quash the order, and the court is to assess the enforceability under a multi-factored comity analysis. These two steps of the CLOUD Act raise important policy issues and point to a need for more coordinated efforts between the EU and the U.S. The CLOUD Act may encourage governments to engage in an arms race for stricter data protection laws and sanctions. It may also encourage companies to localize data storage in the EU. Moreover, the CLOUD Act may be on a collision course with the GDPR. This Article proposes that the most sensible and efficient path to legal certainty for cloud providers would be an accord between the U.S. and the EU itself.