According to the GDPR provisions, a US warrant does not constitute a legal basis for such a transfer outside the European Union.
After examination of the formulation and legislative process leading to the CLOUD (Clarifying Lawful Overseas Use of Data) Act, the CCBE has identified deficiencies, in particular relating to fundamental human rights and a lack of clarity on scope of surveillance measures, that are in conflict with EU norms.
Passed into law on 22 March last year, the CLOUD Act amends the United States code with provisions for the accessing by the US government of data stored outside the jurisdictions and the accessing by foreign governments of data stored within the US.
The CCBE points out that the Act was passed as an omnibus measure, without any real scrutiny.
The body wants sufficient safeguards and legal remedies against US surveillance measures, in particular in protection of legal professional privilege and professional secrecy.
“The CLOUD Act is in conflict with basic human rights, since it fails to provide the minimum standards set out by European Courts to restrict electronic surveillance by government.
“Both the European Court of Human Rights and the European Court of Justice have indicated a strong preference for prior judicial review and a requirement for a sufficient factual basis for any surveillance of an individual,” the CCBE says.
It has recommended to the EU that it take the following steps:
- Negotiate a mutual legal assistance treaty with the United States that explicitly refers to the CLOUD Act, provides precise requirements for the transfer of data and does not undermine the level of protection provided by the fundamental freedoms,
- Ensure that according to such mutual legal assistance treaty, in each case following a data request under the CLOUD Act, data will be transferred to the United States only after there has been a notification to a competent and independent European authority,
- Ensure that the affected service provider who is hosting the requested data is informed by the competent European authority about existing legal remedies in the United States,
- Ensure that, according to such mutual legal assistance treaty, legal professional privilege and professional secrecy constitutes an absolute ground of objection to the transfer of data to the United States under the CLOUD Act.
According to the jurisprudence of the European Court of Human Rights and the European Court of Justice, any interference with the right to privacy must be in accordance with law, for a legitimate purpose and limited to what is necessary in a democratic society, the CCBE states.
Where data privacy rights are concerned, both courts apply a “strict necessity” standard. Both the European Court of Human Rights (applying the European Convention) and the European Court of Justice (applying the European Charter) have established numerous safeguards for government monitoring of electronic communications.
The CCBE concludes that the CLOUD Act lacks a thorough system for protecting privacy by procedural and organizational standards.
“No notice is provided on any level,” it says and a notice is linked to the effectiveness of remedies.
The European Court of Human Rights has held that notification should be as soon as surveillance measures are terminated and the notification no longer jeopardises any investigations.
The CLOUD Act also undermines legal remedies established between the US and the EU on the protection of personal information in the investigation and prosecution of criminal offences under the Data Protection and Privacy Agreement.
Article 19 of the DPPA establishes and obligation for parties to provide in their domestic law specific judicial redress rights to each other’s citizens.