Dutch memo addresses US CLOUD Act reach in Europe

Out-Law News | 23 Aug 2022 | 11:08 am | 3 min. read

European businesses have been advised against allowing US nationals who work for them or their technology suppliers to access data that could be targeted by investigators at US law enforcement agencies.

The controversial advice was contained in a new memo prepared for the Nationaal Cyber Security Centrum (NCSC) in the Netherlands (15-page / 417KB PDF), which the NCSC recently published and promoted.

The memo addresses the extra-territorial reach of the US CLOUD Act and related risks EU entities face in respect of the disclosure of data they are responsible for to US authorities.

The CLOUD Act has been trumpeted by US law enforcement bodies as a major tool in their arsenal for combatting serious crime and terrorism. It provides those agencies with scope to obtain a warrant forcing providers of electronic communication services or remote computing services to preserve, back-up or disclose customer or subscriber data in their possession, custody, or control, even if that data is stored outside of the US.

The memo highlighted circumstances in which EU businesses could face obligations to disclose data under the US CLOUD Act, which the NCSC warned could run contrary to the separate privacy and security duties they are subject to under EU data protection law. Examples include where an EU business is a subsidiary of a US parent company subject to the CLOUD Act, or where the EU business relies on US providers of cloud computing services to store data.

The NCSC memo said: “In order for an EU entity to completely avoid being subject to the CLOUD Act, it would need to process data using a non-US entity, which either does not have a corporate relation to any company with a presence in the US (such as a US subsidiary); or if it does have a corporate relationship with a company based in the US, the US company must not have possession, custody, or control over the data that is stored in the EU.”

“In no case can the EU entity have a US parent company, as the parent would be considered to have possession of or control over the data of its subsidiary,” it said.

The memo also warned EU technology companies that even if they take steps to avoid being subject to the CLOUD Act disclosure requirements directly, there are ways in which US authorities could still obtain disclosure of the data surreptitiously through the US nationals those companies employ.

According to the memo, even if no warrant could be issued against a US national working for an EU business to force a CLOUD Act disclosure, the authorities could issue those individuals with a subpoena to require them to attend court or provide evidence. As a result, the memo said that “it is advisable not to employ US nationals who have access to relevant data”.

It said: “Although it is possible to challenge a subpoena in court, the government’s ability to subpoena information has few restrictions – especially outside of the criminal context. Of course, despite the government’s legal limitations, challenging a subpoena requires the subpoenaed individual to object. A US national is unlikely to object to a subpoena, especially in a situation where the US national is not permitted to disclose the existence of the subpoena to his or her employer (in which case the employer may be able to object to the subpoena on the employee’s behalf).”

“Practically speaking, the US national would need to understand that he or she is not required to comply with subpoena, independently retain legal counsel, and object to the demand. In the event the US national did not object to the subpoena, or failed in his or her objection, the US national may not distinguish between information saved locally and information available remotely (i.e., understand the scope of the data he or she is legally required to provide). As a result, there is a danger that an employee who is served with a subpoena may simply retrieve any amount of information from servers in the EU and turn it over in response to a government demand without ever notifying the EU employer,” it said.

Data protection law expert Wouter Seinen of Pinsent Masons in Amsterdam said: “The theoretical risks of compelled disclosure to US authorities cannot be ignored by data controllers and data processors in Europe and the UK. It is important to assess and document the practical risk of being exposed to such disclosure orders. This is becoming an ever more important aspect of building a case for compliant data transfers to group companies and other data recipients with a strong connection to the US, such as companies with a US majority shareholder, or US nationals in key positions.”

The NCSC said EU businesses should expect the use of extra-territorial legislation to continue to grow.

“Companies and organisations are actually less and less able to guarantee or ensure that the information they process is sufficiently protected against access by foreign, non-European, powers,” said Paul van den Berg of the NCSC.