This paper addresses an important practical topic – when does the EU General Data Protection Regulation (GDPR) act as a “blocking statute,” to prohibit transfers of personal data in response to requests by non-EU law enforcement agencies? Since the GDPR went into effect in 2018, there has been considerable discussion of this issue, most notably when there is a request from US law enforcement for emails and other records held by Internet and Cloud Service Providers.
This paper builds upon Théodore Christakis’ recent article on “Transfer of EU Personal Data to U.S. Law Enforcement Authorities After the CLOUD Act: Is There a Conflict with the GDPR?”[1] The Christakis article expertly analyzes specific provisions of the GDPR: Article 48, which sets limits on transfer of EU personal data to foreign governments, and Article 49, which lists “derogations” (exceptions) to Article 48, especially the derogation “for important reasons of public interest” in Article 49(1)(d).[2]
This paper expands the discussion by addressing the full set of GDPR legal provisions that govern such transfers of personal data from the EU to a non-member country. In brief, this paper concludes that, in certain circumstances, there is a “lawful basis” for transferring personal data out of the EU, without a blockage by Article 48. This article examines the text and legislative history of the GDPR, and provides an overall interpretation that is consistent with all of the GDPR provisions that govern such cross-border transfers. The Christakis article, by contrast, specifically declines to examine the effect of GDPR Articles 45 and 46, which along with Articles 48 and 49 are in Chapter V of the GDPR, governing cross-border transfers of personal data.[3] The European Data Protection Supervisor (EDPS) and European Data Protection Board (EDPB) similarly omitted any mention of GDPR Articles 45 and 46 from their “Initial legal assessment of the impact of the US CLOUD Act on the EU legal framework for the protection of personal data and the negotiations of an EU-US Agreement on cross-border access to electronic evidence” published on July 10, 2019.[4] The EDPS and EDPB “initial assessment” is thus incomplete, in the sense that it has not provided any explanation of multiple relevant provisions in GDPR.
Part 1 of this paper presents the relevant EU and US legal texts. Part 2 explains why an important example of current practice appears lawful under Article 48 – a US court order would be effective on a company headquartered in the US when the data is already in the US. Part 3 presents insights from the legislative history of Article 48. The GDPR narrowed the earlier proposed version of the blocking provision in at least five respects. Notably, Article 48 as adopted does not apply any blocking effect where there are “other grounds for transfer,” such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or an adequacy determination.
Although Article 48 provides for these “other grounds for transfer,” Part 4 explains one significant blocking effect that does exist under Article 48 as adopted. On the interpretation proposed in this article, where there is no pre-existing lawful basis for transfer, Article 48 clearly acts as a blocking statute. That conclusion means that Article 48 would block third-country orders to the large majority of enterprises in the EU, which do not already have in place a lawful basis for routine transfer to third countries.
Part 5 provides a 2×2 table that summarizes the legal conclusions in this article for when Article 48 would block a US or other third-country court order, based on reasons of text, statutory interpretation, legislative history, and the purposes of the relevant legal instruments. Overall, the paper supports the conclusion that Article 48 likely blocks in situations where there is a lawful basis for transfer but the data is in the EU. By contrast, there are strong reasons why Article 48 does not block when there is a lawful basis for transfer but the data is in the US, including the lack of extra-territoriality when a US court orders a US company to produce evidence held in the US.
Part 6 examines a separate piece of the EDPS/EDPB initial legal assessment, concerning GDPR Article 6. That legal assessment took a surprisingly narrow view of what constitutes legal processing under GDPR with respect to transfers to third countries. The discussion here queries whether this narrow view is consistent with Article 6.
In short, this paper provides interpretations of Article 48 and other aspects of GDPR that differ significantly from those published to date. My conclusions here are based on over two decades of scholarly and government work on EU data protection law, as well as careful discussion with European experts.[5]
1. The Legal Texts
The two key legal texts, for purposes of this article, are the U.S. CLOUD Act and the GDPR.
A. The CLOUD Act and the Microsoft Ireland case.
In work published by the Cross-Border Data Forum, we have provided multiple articles that explain the 2018 Clarifying Lawful Overseas Use of Data Act, or “CLOUD Act.”[6] To summarize, the CLOUD Act was passed shortly before the U.S. Supreme Court was going to decide the so-called Microsoft Ireland case. In that case, the U.S. Department of Justice (DOJ) served on Microsoft a warrant under the Stored Communications Act (SCA), seeking an email stored by Microsoft in Ireland. The U.S. Court of Appeals for the Second Circuit ruled in favor of Microsoft, holding that warrants issued under the SCA only reached data held within the territorial borders of the United States.
Congress intervened after the Supreme Court argument, but before the Court’s decision was announced. In March 2019, Congress passed the CLOUD Act, and President Trump signed it into law. The CLOUD Act made clear that the location of storage does not determine law enforcement access under US law. Pursuant to the CLOUD Act, the legal obligations of a provider with “possession, custody, or control” of the sought-after data remain the same “regardless of whether such communication, record, or other information is located within or outside of the United States.”[7]
Passage of the CLOUD Act raised questions in Europe about the scope of DOJ access to evidence under the “possession, custody, or control” test. This topic raises issues of both U.S. and EU law.
Under U.S. law, an important topic is defining the scope of “possession, custody, or control.” Co-authors and I have recently completed the first detailed analysis of the meaning of that term under the CLOUD Act.[8] In short, the term has been used for decades in U.S. criminal and civil litigation, with extensive judicial opinions that are highly fact-dependent. As a general theme, DOJ will often have broad access under the “possession, custody, or control” test.[9]
B. GDPR and the Question of When Article 48 Blocks Access to Evidence
Under GDPR, the two key legal texts are Articles 48 and 49. The overall task in the discussion is to assess whether, and to what extent, these texts block U.S. law enforcement access to evidence when there is “possession, custody, or control” of the evidence in the U.S.
Article 48
Transfers or disclosures not authorised by Union law
Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter. (emphasis supplied)
In short, Article 48 has three components that are relevant to the interaction with the Cloud Act: (i) a prohibition; (ii) an exception; and (iii) the “without prejudice” clause.
The prohibition applies to a wide range of government actors outside of the EU, known as “third countries.” The prohibition applies to “any judgment of a court or tribunal and any decision of an administrative authority” of a third country. That is, the prohibition applies to both criminal and administrative investigations. It applies to both transfers and disclosures.
The exception applies to a transfer or disclosure “if based on an international agreement, such as a mutual legal assistance treaty.” A mutual legal assistance treaty (MLAT) is a treaty, such as exists between the EU and US, which authorizes transfers of evidence for a criminal investigation where the conditions of the treaty are satisfied.[10] For instance, a proper court order issued by a US judge, based upon probable cause of a crime, would typically qualify under an MLAT. Article 48 clearly would permit the evidence to be produced from a Member State to the US through the MLAT procedure.
The “without prejudice” clause, by its text, is broad. The prohibition exists, “without prejudice to other grounds for transfer pursuant to this Chapter,” which is Chapter V of the GDPR, concerning transfers of personal data outside of the EU. A major focus of this article is to analyze the effect of this “without prejudice” clause.
Along with the prohibition in Article 48, Article 49 sets forth a number of derogations (exceptions) to Article 48. Article 49 begins:
Article 49
Derogations for specific situations
1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions: […] (emphasis supplied)
Professor Christakis focused his analysis on Article 49 of GDPR, notably the derogation provided by Article 49(1)(b), the “important reasons of public interest” derogation. Professor Christakis explains that the interpretations by the EU Commission and the European Data Protection Board on the scope of that derogation are inconsistent, and he thus seeks clearer guidance as to the scope of that derogation.
Notably, Professor Christakis does not seek to define the scope of the introductory language of Article 49, which states that Article 49 applies only “in the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46.” With relevance to transfers to the US, the Privacy Shield is an adequacy decision under Article 45(3). Binding corporate rules (BCRs) and standard contractual clauses (SCCs) are named as appropriate safeguards pursuant to Article 46. Similarly, he does not seek to define the scope of the Article 48 language saying that the prohibition in Article 48 is “without prejudice to other grounds of transfer” pursuant to Chapter V, such as Privacy Shield, BCRs, and SCCs.
In short, both Articles 48 and 49 have language of the “notwithstanding” type – transfers can occur under the rest of Chapter V “without prejudice” to the prohibition in Article 48, and derogations may apply under Article 49 where there is “the absence” of authorization to transfer under Articles 45 and 46. Put another way, the scope of Professor Christakis’ analysis, and much of the other previous discussion of Articles 48 and 49, applies only to a subset of circumstances – the circumstances where there is no applicable other basis under Chapter V for lawful transfer to a third country.
It is especially noteworthy that the EDPS and EDPB entirely omitted these topics in their initial assessment of the impact of the Cloud Act.[11] Their analysis literally does not mention Articles 45 or 46, which are widely-used lawful bases for transfer of personal data to third countries. Similarly, they provide no analysis of the “without prejudice” text in Article 48, or of the provision in Article 49 referring to an adequacy decision under Article 45 or an appropriate safeguard under Article 46. The EDPS and EDPB “initial assessment” is thus incomplete, in the sense that it has not provided any explanation of multiple relevant provisions in GDPR.
2. Why Article 48 Appears Not to Block Access by Foreign Law Enforcement When the Data is in the Third Country and a Lawful Basis for the Transfer Exists
Before discussing the legal texts in more detail, it is helpful first to examine some simple factual examples of transfer to third countries. These factual categories will help clarify a workable and accurate interpretation of Chapter V GDPR.
The first examples are where there is a lawful basis for transfer to a third country, such as the US, and the relevant personal data is in fact transferred to the US in the normal course of business. Consider two examples:
1) ExampleCorpUS is a US-based corporation, with a minority of its employees in the EU. ExampleCorpUS has a lawful basis for transfer, such as BCRs, SCCs, or Privacy Shield, and it keeps its employee records at its global headquarters in the US.[12] There is a US criminal or administrative investigation of ExampleCorpUS’s employee practices.
2) ExampleWebsiteUS is a US-based corporation, with a minority of its online customers in the EU. ExampleWebsiteUS has a lawful basis for transfer, such as BCRs, SCCs, or Privacy Shield, and it keeps customer records at its global headquarters in the US. There is a US criminal or administrative investigation of ExampleWebsiteUS’s consumer practices.
In these examples, there is a lawful basis for personal data to be held in the US when the data is stored in the US. There is an investigation in the US, and US authorities expect the company to produce records in the US. These are not “extra-territorial” investigations as that term is commonly understood. US authorities expect compliance with lawful investigative orders under these circumstances.
EU authorities would similarly expect compliance with lawful investigative orders if the facts were reversed. Our recent article on the meaning of “possession, custody, or control” in the US included a detailed examination of the law in one Member State, Belgium, for lawful investigative orders.[13] In brief, the Belgian cases involving Yahoo! and Skype show that Belgian law is at least as broad as US law concerning the cross-border reach of lawful investigative orders.
Based on that review of Belgian law, law enforcement authorities in the EU would similarly expect compliance with lawful investigative orders if the facts were reversed:
3) ExampleCorpEU is an EU-based corporation, with a minority of its employees in the US. ExampleCorpEU keeps its employee records at its global headquarters in the EU. There is an EU criminal or administrative investigation of ExampleCorpEU’s employee practices.
4) ExampleWebsiteEU is an EU-based corporation, with a minority of its online customers in the US. ExampleWebsiteEU keeps customer records at its global headquarters in the EU. There is an EU criminal or administrative investigation of ExampleWebsiteEU’s consumer practices.
The law and practice within the EU expect ExampleCorpEU and ExampleWebsiteEU to respond to the investigation within the EU. The Commission’s E-Evidence proposal makes this especially clear – a company is expected to respond to an investigatory request in the broad range of circumstances where it is “offering services” within a Member State. The E-Evidence proposal does not provide that ExampleCorpEU and ExampleWebsiteEU should provide only the records they hold in the EU concerning EU citizens – they should provide the records they hold, with no mention in the E-Evidence proposals of different treatment based on citizenship or location of storage.
I discuss these simple examples at some length because they help clarify the language in GDPR Recital 115, which is text accompanying Article 48:
“Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States… The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met.” (emphasis supplied)
The language of Recital 115 is consistent with US investigations getting the records from ExampleCorpUS and ExampleWebsiteUS, and with EU investigations getting the records from ExampleCorpEU and ExampleWebsiteEU. I would emphasize three points from the text of Recital 115:
i. Recital 115 expresses concern for the “extraterritorial” application of a nation’s laws. In the examples, the companies are holding data in a jurisdiction lawfully, and therefore comply lawfully with the investigation, without this being “extraterritorial.”
ii. Recital 115 expresses concern about access to evidence that “may be in breach of international law.” In the examples, there is no plausible claim I can see for breach of international law.
iii. Recital 115 echoes the “notwithstanding” parts of Articles 48 and 49. It states: “Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met.” By definition, in the examples, there is a lawful basis for transfer. The existence of an investigation, after a lawful transfer, does not retroactively make the initial transfer unlawful.
To summarize the discussion thus far, there would seem to be an overwhelming legal case to support EU investigative access to ExampleCorpEU and ExampleWebsiteEU, as well as US investigative access to ExampleCorpUS and ExampleWebsiteUS. Put another way, Article 48 appears consistent with such access. Further examination of the legislative history helps define what access would be prohibited by Article 48.
3. Insights from the Legislative History of Article 48
My discussion of the legislative history of Article 48 draws on Professor Christakis and previous writers.[14] In summary, the final version of Article 48 in GDPR contains at least five provisions that result in narrower blocking than in an earlier version.
What evolved into Article 48 was proposed and then passed in the European Parliament in the aftermath of the Snowden revelations, and was called the “anti-FISA” amendment.[15]
Article 43a – Transfers or disclosures not authorised by Union law
1. No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognised or be enforceable in any manner, without prejudice to a mutual legal assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.
2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller’s representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer or disclosure by the supervisory authority.
3. The supervisory authority shall assess the compliance of the requested disclosure with this Regulation and in particular whether the disclosure is necessary and legally required […]. Where data subjects from other Member States are affected, the supervisory authority shall apply the consistency mechanism referred to in Article 57.
4. The supervisory authority shall inform the competent national authority of the request. Without prejudice to Article 21, the controller or processor shall also inform the data subjects of the request and of the authorisation by the supervisory authority and, where applicable, inform the data subject whether personal data were provided to public authorities during the last consecutive 12-month period […].[16]
As Christakis writes: “article 43a was far-reaching: it would constitute a complete blocking statute for any transfer of all kinds of European personal data to foreign authorities outside the scope of MLATs or other relevant agreements, unless the ICSP could obtain prior authorization by the national Data Protection Authority.” The EU Council and others opposed this version, and Christakis reports that “the compromise found between the Council and the EU Parliament was to introduce article 48, which maintained only the first paragraph of article 43a, deleted all the procedural requirements concerning approval by DPAs and added the phrase: ‘without prejudice to other grounds for transfer pursuant to this Chapter’.”
Article 48 of GDPR, as enacted, is far narrower. As Christakis wrote: “The Council was thus successful in drastically limiting the scope of article 43a and the initial intentions of the EU Parliament.”[17] We can highlight at least five important changes, all in the direction of broader authorization for cross-border transfers:
1. Article 48 omits the requirement of prior authorization by the supervisory authority for transfer.
2. Article 48 similarly omits any required notice to the supervisory authority.
3. Article 48 omits the required notice to data subjects.
4. Article 48 added the important text discussed above, saying that the limits in Article 48 are “without prejudice to other grounds for transfer pursuant to this Chapter.”
5. Article 49 has new text saying that the limits on transfer apply only “In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46.”
In light of this legislative history, the interpretative task is to give effect to the text of Articles 48 and 49 as enacted in GDPR. The legislative history shows that some actors preferred a more categorical blocking regime. The five changes from earlier to later text show, however, that the article 43a approach was rejected, and did not become law. In considering current debates about the scope of Articles 48 and 49, it is possible that those inclined to support the earlier version are seeking to gain through interpretation what they lost in the drafting process.
4. Article 48 Generally Prohibits Transfers of Data Absent a Lawful Basis or a Derogation
Factual examples illustrate how Article 48, as enacted, provides protections for the personal data of EU citizens beyond what existed previously, when the 1995 Data Protection Directive lacked a similar provision. Let’s take the following ExampleCorpEU-Only factual example, in order to start the discussion that will be continued in the subsequent parts of this article.
ExampleCorpEU-Only is an EU-based corporation. Its employees and customers are primarily in the EU, and its database is located at its EU headquarters. It has no established mechanism for transferring personal data to a third country such as the US.
In this example, suppose the US seeks evidence from ExampleCorpEU-Only. Article 48 would apply – there is no pre-existing lawful basis for transferring personal data, such as BCRs, Privacy Shield, or SCCs. Transfer would be permitted only if one of the derogations in Article 49 applies – the scenarios examined by Professor Christakis.
Despite the restrictions created by Article 48, there are at least two factual settings where US law might expect ExampleCorpEU-Only to provide evidence in response to a court order:
a) Jurisdiction in the US. To simplify somewhat, US jurisdiction exists when a company “purposely avails” itself of the US market. For instance, suppose that ExampleCorpEU-Only has a website with a significant number of US customers. Under US law, that would likely place ExampleCorpEU-Only under the jurisdiction of the US.
b) “Possession, custody, or control in the US.” As discussed in our article on the meaning of “possession, custody, or control,” the US law of criminal and civil procedure has long used those terms as a legal test for when a company must comply with a US court order or discovery request. The CLOUD Act makes this “possession, custody, or control” test clearly applicable to court orders under the Stored Communications Act. For instance, suppose that ExampleCorpEU-Only is a wholly-owned subsidiary of ParentCorpUS. Although the facts in a given case would determine whether ParentCorpUS has “possession, custody, or control,” US law would quite possibly find that ParentCorpUS does have that control, and so is required to respond to a US court order.
What is the result in these two factual settings? I believe that a conflict of laws would exist. US law would expect production of the evidence. Article 48 would prohibit production of the evidence, unless one of the derogations applies under Article 49.
How would the conflict of laws be resolved? The Cloud Act provides two provisions that might apply. First, if an executive agreement comes into effect between the US and Member States of the EU, then there is a specific provision that applies when there is a material risk of a conflict of law. At that point the Member State has an opportunity to respond to the US court, which then must resolve the conflict of law, taking into account factors including the location and nationality of the data subject.[18] Second, if no executive agreement applies, the Cloud Act states that existing common law comity remedies exist unaltered.[19] That is, ExampleCorpEU-Only and ParentCorpUS maintain the same ability as prior to the Cloud Act to move to quash the US court order on grounds that EU law prohibits production.
Note that Article 48 has an important legal effect here. In the absence of Article 48, US law would require production, while there would be no similarly clear EU law forbidding production. Now, with Article 48, there would be a clear EU law forbidding production. Article 48 clearly establishes the conflict of law and the importance of the EU’s policy of not allowing the US investigation to receive the evidence absent an MLAT request.
5. Diagramming When Article 48 Blocks a US Court Order
Two more factual examples will fill out the picture for when Article 48 blocks a US court order. Table 1 provides a 2×2 table for understanding four different categories, with a different legal analysis for each category. The most important conclusion concerns Case 3, where there is a lawful basis for transfer but the data is not yet in the US. The analysis here shows that there are significant arguments supporting both positions, that GDPR blocks or does not block in such circumstances, but that the weight of the arguments supports the conclusion of a block.
Table 1: Does Article 48 Block US Access to Evidence?

| | Lawful Basis – Yes | Lawful Basis – No |
|---|---|---|
| Data in US – Yes | Case 1: US gets evidence, in US | Case 2: Evidence illegally in US, so EU can enforce |
| Data in US – No | Case 3: The most complex case to determine, with arguments both ways | Case 4: (1) Art. 48 clearly blocks; (2) Clear conflict of US and EU law |
To summarize the discussion thus far, we began with ExampleCorpUS, with headquarters in the US and data stored in the US, but with some personal data about EU persons. Case 1 in the table covers this situation: there was a lawful basis for transfers from the EU to the US, and the data is actually stored in the US. Under long-standing law and practice, a US court order would get evidence stored in the US. Similarly, long-standing law and practice in the EU would allow Belgium (or another Member State) to gain access to evidence lawfully in Belgium and stored in Belgium.
On the other hand, Case 4 describes the facts for ExampleCorpEU-Only. There is no existing lawful basis for transfer to the US, and the data is stored in the EU. Under the plain language of Article 48, this transfer would be blocked (unless some exception applies under Article 49).
Table 1 also allows us to analyze Case 2, where the data is in the US but there was no lawful basis for the transfer. In this case, under both the Cloud Act and prior law, a US court order would be valid to gain access to the evidence stored in the US.[20] On the other hand, by definition, the transfer out of the EU was not lawful. At a minimum, the EU could bring an enforcement action against the entity that did the unlawful transfer. In addition, in a comity hearing, the claim by the US would be faced with a claim that EU law and policy against the transfer should be enforced.
Case 3 is the most complex case to determine:
ExampleCorp-LawfulTransfer is a corporation with extensive operations in both the EU and US. ExampleCorp-LawfulTransfer has a lawful basis for transfer, such as BCRs, SCCs, or Privacy Shield, and it routinely moves personal data between the EU and US. There is a US criminal or administrative investigation of ExampleCorp-LawfulTransfer’s employee or consumer practices.
Under US law, this case is simple. ExampleCorp-LawfulTransfer does extensive business in the US, so there is clearly jurisdiction. Based on its routine transfers to the US, the company has “possession, custody, or control” over the evidence. In addition, the Cloud Act applies “regardless of whether such communication, record, or other information is located within or outside of the United States.”[21]
For this Case 3, there are significant arguments that support an interpretation that GDPR does not block such transfers. On balance, however, the arguments that the GDPR does block such transfers, where there is a lawful basis but the personal data is in the EU, seem stronger.
A. Arguments Why Transfers Should Be Permitted for Lawful Transfers
This paper emphasizes the importance of giving some legal effect to text in Article 48 that enables transfers in response to a court or administrative order in a third country. First, by assumption, there is a “lawful basis” for transfer to the U.S. Second, the blocking effect of Article 48 exists “without prejudice to other grounds for transfer pursuant to this Chapter.” Purely as a textual matter, transfers are authorized consistent with Article 48 where there are “other grounds for transfer” such as those under Articles 45 and 46. Third, there is similar language in Article 49. The prohibition on transfer exists only “in the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46.” This language in Article 49 explicitly says that the prohibition does not apply where such a lawful basis for transfer exists.
Another reason that may support the lawfulness of a transfer is the legislative history discussed above. The original language, in article 43a, had a much broader prohibition on transfer than Article 48 as enacted in GDPR. The discussion above listed five different changes, all in the direction of reducing the blocking effect of Articles 48 and 49. The interpretation put forward here gives effect to the changes made during the process of finalizing GDPR. Other interpretations, such as the EDPS/EDPB initial legal assessment, have not similarly provided any explanation of how to reconcile their conclusion about blocking with the changes made to Article 48.
Going beyond the text and legislative history, there is an additional reason to believe that GDPR permits at least some third country court and administrative orders to be consistent with EU law. Consider the canon of interpretation, accepted both in the EU and the US, that language in a legislative text should be interpreted as having some meaning.[22] The reading put forward in this paper gives effect to the “without prejudice” language in Article 48: transfers with no lawful basis are blocked, but at least some transfers with a lawful basis are permitted. By contrast, for those who believe Article 48 blocks all transfers, what meaning would they give to “without prejudice to other grounds for transfer pursuant to this Chapter”? When would these words in the text have any effect? Perhaps a subsequent writer can propose an alternative interpretation that gives meaning to these words, while still finding that Article 48 blocks the transfer. Research to date has shown no such explanation.
In conclusion, reasons of text, legislative history, and statutory interpretation all support the lawfulness under GDPR of at least some court or administrative access by third countries. These reasons support the view that at least Case 1 should be lawful under GDPR. Where records are lawfully already in the third country, a court or administrative order there is not extra-territorial in the sense contemplated by GDPR Recital 115, which condemns “the extraterritorial application of those laws, regulations and other legal acts [that] may be in breach of international law.” As examined next, there are stronger arguments for a blocking effect for Case 3, where there is a lawful basis for transfer, but the personal data remains within the EU.
B. Arguments Why Transfer Should be Blocked for Case 3
Significant arguments would justify blocking transfers under Case 3 (where data is in the EU), even if transfers are lawful for Case 1 (where data is already in the US or other third country).
First, as a textual matter, Article 48 generally has the purpose of authorizing transfer or disclosure of personal data only “if based on an international agreement.” Second, this approach of blocking in general is supported by a teleological, or purpose-based, interpretation. A principal overall goal for GDPR is to protect the individual’s fundamental right to privacy. More specifically, the “anti-FISA” initial purpose of Article 43a is fulfilled to the extent that Article 48 blocks US judicial orders under FISA.
These points could support a comprehensive blocking effect for Article 48, even for Case 1 (data is in the US). Other arguments, however, are considerably stronger to create a blocking effect for Case 3 but not for Case 1. First, enabling court orders for Case 1 does give some effect to the “without prejudice” language in Article 48, which otherwise could be interpreted to have no effect at all. Second, the case for the “extra-territorial” effect of the third country request is much stronger for Case 3. Under Case 1, the data is held by an entity in the U.S., for data already in the U.S., subject to court or administrative order in the U.S. By contrast, the Recital 115 concern about extra-territorial effect in Case 3 applies to personal data located in the EU. Indeed, it is the EU that can be accused of extra-territorial effect if Article 48 governs data lawfully in the US, for a company responding to a US court or administrative order. Third, Article 48 may seem like an empty shell unless it blocks third country access to data held in the EU, even where a lawful basis exists. After all, major targets of evidence requests are US-based service providers, who generally have a lawful basis in place for transfers out of the EU. Article 48 would have little effect on data held by these service providers if Case 3 (data held in the EU) permits third country access. Fourth, concerns about excessive blocking are mitigated by the continuing ability of a third country, such as the US, to use MLATs to gain access to the requested evidence.
To these points I would add discussion of an increasingly important component of the law of cross-border access to data – preservation of the rule of law. Thus far, this article has focused on when Article 48 enables a lawful response to a third country order, for a country with functioning judicial review and the rule of law, the United States. Although some in Europe have criticized the US for its alleged lack of protections against government access, extensive scholarship shows that the US safeguards are often as strong as or stronger than those that exist in many EU member states, both for criminal[23] and foreign intelligence[24] investigations. By contrast, other government requests for evidence may come from countries lacking such rule-of-law protections. One important example is China, where the protections against government access are far weaker than in the EU or US.[25] These considerations about the rule of law support blocking third country access for Case 3, where the data is stored in the EU. Otherwise, a country such as China could gain nearly pervasive access, often without rule-of-law protections, to data held by any company that does business in China. There would remain concerns about such access in Case 1, where the data is already lawfully in China, but the multiple reasons stated above support the conclusion that third country access would be permitted where the data is already lawfully in that country.
C. Summarizing When Article 48 Blocks Evidence Where There is a Lawful Basis
The discussion thus far has shown important reasons to interpret Article 48 to act as a blocking statute in Case 3, where the evidence is held in the EU. Despite the concerns about all non-treaty-based access by third countries, the arguments remain strong that judicial and administrative orders are lawful in Case 1, when the data is already in the third country. In addition to the points already made, there are teleological arguments in favor of giving some effect to the “without prejudice” language in Article 48. Notably, the Council and the Commission did not accept the Parliament’s draft text in Article 43a. Such changes to enable third party orders can be justified, for instance, by multiple provisions in Article 8 of the European Convention on Human Rights (“ECHR”), which lists permissible purposes as “national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.” For instance, third-country orders may assist national security and crime prevention, including for cross-border crimes such as terrorism that can have effects within the EU. Prevention of such crimes would help protect “the rights and freedoms” of other persons in the EU. Similarly, a bank supervisory order in a third country such as the U.S. can benefit the “economic well-being of the country” by reducing the risk of banking collapse and providing the global, unified bank supervision expected of EU Member States under the Basle Committee.[26]
Along with these justifiable purposes under Article 8 of the ECHR, permitting third country access in Case 1 would also reduce international conflicts, and especially would enable third-country access where the evidence is within the third country’s territory, and not apply EU law extra-territorially to orders issued within that third country. In short, there are strong purposes supporting the proposed interpretation of Article 48 as enacted in GDPR, and not giving sole consideration to the purpose of privacy protection, reflected in the earlier draft of Article 43a.
6. Assessing whether GDPR Article 6 renders the text of Article 48 irrelevant
As a summary of the analysis thus far, the discussion of the 2×2 table supports a large effect for Article 48 as a blocking statute, including where there is no legal basis and/or when the data is located in the EU. On the other hand, the analysis above concludes that Article 48 does not act as a blocking statute for Case 1, where there is a lawful basis for transfer and the data is located in the US.
The EDPS/EDPB initial legal assessment stressed a different legal reason why GDPR may block US and other third country law enforcement orders – Article 6 of GDPR, which states that processing “shall be lawful only if and to the extent that at least one of” the listed purposes applies. Article 6(1)(c) applies where “processing is necessary for compliance with a legal obligation to which the controller is subject.”
EDPS/EDPB gave a narrow reading to Article 6(1)(c), based significantly on their view that Article 48 has a very broad blocking effect. They write: “As per Article 48 GDPR, a request from a US law enforcement authority may only be recognised or made enforceable if based on an international agreement, such as a mutual legal assistance treaty.” This stated need for an MLAT or other international agreement relies on the EDPS/EDPB interpretation of Article 48, which omits any reference to, or effect for, Article 48’s text “without prejudice to other grounds for transfer pursuant to this Chapter.” In other words, the EDPS/EDPB assessment states that a foreign law enforcement request “may only be recognized or made enforceable if based on an international agreement,” even though the text of Article 48 appears to enable transfers in Case 1.
A similar analysis applies to the EDPS/EDPB analysis of Article 6(3), which provides that “the basis for the processing referred to in [Article 6(1)(c)] shall be laid down by (a) Union law; or (b) Member State law to which the controller is subject.” The EDPS/EDPB discussion concludes that Article 6(1)(c) does not allow a controller to respond to a non-EU legal obligation, because: “Under Article 6(3) GDPR, such legal basis for processing should have a basis in Union or Member State law.” Although EDPS/EDPB assume there is no legal basis in Union law, Article 48 provides such a basis – transfer remains lawful under the other provisions in Chapter V, such as for SCCs, BCRs, and adequacy.
Along with the apparent lawfulness of responding where “necessary for compliance with a legal obligation,” the EDPS/EDPB reading of Article 6(1)(f) appears oddly narrow. That provision permits processing where it “is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.” Specifically, they adopt a reading of “legitimate interest” under Article 6 that appears considerably narrower than was true under the Data Protection Directive, which went into effect in 1998, even though the text concerning “legitimate interest” is essentially the same. The Article 29 Working Party issued an opinion in 2006 on SWIFT data transfers, and did not find categorically that “legitimate interest” is inapplicable in the case of a foreign authority.[27] Both the 1995 Directive and GDPR are laws expressly designed for international interaction, supporting a view that lawful transfers under GDPR may, depending on the facts, provide a legitimate basis.
In conclusion on the effect of Article 6, the EDPS/EDPB approach appears to warrant careful attention by all those seeking to interpret this fundamental component of GDPR – defining the lawful bases for processing. First, for reasons explained throughout this article, there is a textual basis in Union law for a controller to respond to compulsory legal process in a third country, at least for Case 1. Second, the strikingly narrow interpretation of “legitimate interests” of the controller seems unexplained by any textual change from the Directive to GDPR, and so its legal persuasiveness may need to be evaluated by a broader range of experts in the relevant law.
6. Conclusion
This paper has examined the extent to which the GDPR blocks judicial and administrative orders in third countries, including the US and China. A goal has been to add greater detail to the somewhat complex legal arguments relevant to reaching conclusions, in differing factual scenarios. For at least one scenario, the paper differs from the initial legal assessment of the EDPS and EDPB – where a US or other third country order exists for a company under US jurisdiction and with the data residing in the US. The paper also examines whether additional nuance may be possible as relevant parties examine the scope of blockage under Article 6 of the GDPR, concerning what constitutes a legitimate basis for processing.
Peter Swire is the Elizabeth and Tommy Holder Chair of Law and Ethics, Georgia Tech Scheller College of Business; Senior Counsel, Alston & Bird LLP. The views expressed in this article are entirely the author’s. For helpful comments on earlier drafts of this paper, I thank Théodore Christakis, Jennifer Daskal, and Ken Propp. For assistance during the research, I thank Justin Hemmings and DeBrae Kennedy-Mayo. My research on this topic has been supported by my Andrew Carnegie Fellowship, the Cross-Border Data Forum, the Georgia Tech Institute for Information Security and Privacy, and the Hewlett Foundation Cyber Project.
This paper will be published as a chapter in Randal Milch, Sebastian Benthall & Alexander Potcovaru (eds), “Cybersecurity and Privacy in a Globalized World – Building Common Approaches”, New York University School of Law, e-book (Forthcoming).
[1] Théodore Christakis, Transfer of Personal Data to U.S. Law Enforcement Authorities After the CLOUD Act: Is There a Conflict with the GDPR? (May 27, 2019). Randal Milch, Sebastian Benthall & Alexander Potcovaru (eds), “Cybersecurity and Privacy in a Globalized World – Building Common Approaches”, New York University School of Law, e-book (Forthcoming). Available at SSRN: https://ssrn.com/abstract=3397047.
[2] “The objective of this paper will be to contribute to this debate by focusing on the interaction between article 48 (which was introduced in the GDPR in order to limit transfer of EU personal data to foreign governments) and the permissible “derogations” under article 49 – and, especially, the most relevant among them which authorizes transfers “for important reasons of public interest” (art. 49(1)(d)).” Id.
[3] “This paper will not discuss these situations which could be relevant for companies who regularly transfer and store data in the U.S. on such legal basis.” Id. (emphasis in original).
[4] European Data Protection Supervisor & European Data Protection Board, “Initial legal assessment of the impact of the US CLOUD Act on the EU legal framework for the protection of personal data and the negotiations of an EU-US Agreement on cross-border access to electronic evidence.” (2019) https://edpb.europa.eu/sites/edpb/files/files/file2/edpb_edps_joint_response_us_cloudact_annex.pdf.
[5] I have worked extensively on EU data protection issues since writing a book on the subject in 1998. Peter Swire & Robert Litan, None of Your Business: World Data Flows, E-Commerce, and the European Privacy Directive (Brookings 1998). I have specifically focused on legal issues governing transfers of personal data out of the EU. As the Clinton Administration’s Chief Counselor for Privacy, I was the White House representative for negotiations of the EU/US Safe Harbor. After the Schrems 1 decision, the Belgium Privacy Agency invited me as the only non-government US expert for its conference on the effects of that decision. In 2018, I became Research Director for the Cross-Border Data Forum, which focuses especially on issues concerning cross-border law enforcement access, especially under EU and US law.
[6] E.g., Peter Swire & Jennifer Daskal, Frequently Asked Questions about the U.S. CLOUD Act, (Apr. 16, 2019), https://www.crossborderdataforum.org/frequently-asked-questions-about-the-u-s-cloud-act/.
[7] 18 U.S.C. § 2713.
[8] Justin Hemmings, Sreenidhi Srinivasan & Peter Swire, “Defining the Scope of ‘Possession, Custody, or Control’ for Privacy Issues and the Cloud Act” (Oct. 7, 2019). Journal of National Security Law and Policy (forthcoming) https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3469808.
[9] The article documents my view, after review of the decades of US jurisprudence, that the Cloud Act essentially codified previous U.S. law, rather than being the expansion of Department of Justice authority that others claimed. As discussed there, the large majority of US courts that examined the issue prior to the Cloud Act agreed with the DOJ interpretation; the only exception was the Court of Appeals panel in the Microsoft Ireland case.
[10] Co-authors and I have written extensively on MLAT issues. E.g., Peter Swire, Justin Hemmings & Suzanne Vergnolle, A Mutual Legal Assistance Case Study: The United States and France, 34 WISC. INT’L L. REV. 323 (2017). Peter Swire & Justin Hemmings, Mutual Legal Assistance in an Era of Globalized Communications: The Analogy to the Visa Waiver Program, 71 NYU Ann. Survey Am. L. 687 (2017); Peter Swire & Justin Hemmings, Stakeholders in Reform of the Global System of Mutual Legal Assistance, in Bulk Collection: Systematic Government Access to Private-Sector Data (Fred H. Cate & James X. Dempsey ed.) (Oxford University Press 2017).
[11] The EDPS and EDPB do write, at 3: “We recall that in cases where service providers are directly addressed by US law enforcement authorities, the related transfer of personal data would not be subject to the provisions of the EU-US Privacy Shield adequacy decision, nor to the EU-US Umbrella Agreement. Neither instrument is applicable to transfers in this context and they are therefore not taken into account in this analysis”.
Although the EDPS and EDPB do not cite to any particular provision, the Privacy Shield has two potentially relevant provisions. Under Principle 4(a), “Internet Service Providers (“ISPs”), telecommunications carriers, and other organizations are not liable under the Privacy Shield Principles when on behalf of another organization they merely transmit, route, switch, or cache information.” It is possible that the EDPS and EDPB are referring to this provision, which clarifies that an ISP is not liable if a Privacy Shield participant illegally transfers personal data out of the EU. https://www.privacyshield.gov/servlet/servlet.FileDownload.
The second reference is Principle 9a, concerning human resources data: “Where an organization in the EU transfers personal information about its employees (past or present) collected in the context of the employment relationship, to a parent, affiliate, or unaffiliated service provider in the United States participating in the Privacy Shield, the transfer enjoys the benefits of the Privacy Shield.” This language could be read to apply to the actions of ExampleCorpUS, where it transfers employee data to the US. If so, then ExampleCorpUS would seemingly “enjoy the benefits of the Privacy Shield.” As discussed in this paper, those benefits would seemingly include protection under the language of Article 48, as having a lawful basis for transfer from the EU to the US.
[12] Under EU law, ExampleCorp offers its EU employees the option of keeping their records within the EU. The example applies to the EU employees who do not choose that option.
[13] Justin Hemmings, Sreenidhi Srinivasan & Peter Swire, “Defining the Scope of ‘Possession, Custody, or Control’ for Privacy Issues and the Cloud Act” (Oct. 7, 2019). Journal of National Security Law and Policy (forthcoming) https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3469808.
[14] Christakis, supra; D. Kessler, J. Nowak, S. Khan, “The Potential Impact of Article 48 of the General Data Protection Regulation on Cross Border Discovery from the United States”, The Sedona Conference Journal, vol. 17, 2016, available at https://www.nortonrosefulbright.com/-/media/files/nrf/nrfweb/imported/20170126–the-potential-impact-of-article-48-of-the-general-data-protection-regulation-on-cross-bord.pdf.
[15] FISA is the Foreign Intelligence Surveillance Act of 1978, as amended, referred to as “FISA.” As Kessler and co-authors explained it: “The purpose of its introduction was to avoid mass surveillance and other overly broad monitoring by third countries, e.g., the NSA or the Foreign Intelligence Surveillance Court were able to request personal data from EU companies without arguably going through the proper legal channels under international laws.”
To the extent the goal of the provision was to prevent mass surveillance, especially for surveillance purposes, it is relevant to understand how the Cloud Act does not constitute the same type of government access. The Cloud Act applies only to a targeted investigative order for law enforcement purposes, to investigate “serious crimes.”
[16] http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+TA+P7-TA-2014-0212+0+DOC+XML+V0//EN (emphasis supplied).
[17] Christakis, supra (emphasis in original).
[18] 18 U.S.C. § 2713(h)(2)(A).
[19] 18 U.S.C. § 2713(h)(2)(C).
[20] The conclusion that the US would be able to get a valid court order is based on the assumption that the US has personal jurisdiction over the entity, and the entity has “possession, custody, or control” in the US.
[21] 18 U.S.C. § 2713.
[22] The canon of “verba cum effectu accipienda sunt” is defined as “Words must be taken so as to have effect.” (Black’s Law Dictionary, 9th ed. 2009). Richard Posner discussed the “canon that every word of a statute must be given significance; nothing in the statute can be treated as surplusage.” Richard A. Posner, Statutory Interpretation – in the Classroom and in the Courtroom, 50 U. Chi. L. Rev. 800, 812 (1983). Posner pointed out that legislatures are not omniscient, and therefore mistakes might exist in a statute. With that said, the inclusion of the entire phrase of “without prejudice to other grounds for transfer pursuant to this Chapter” is not some accident in drafting; it should be given some meaning.
In European and international law, the equivalent canon is called the “effet utile,” translatable as “giving a useful effect.” For instance, one academic study examined almost 100 cases of tribunals of the International Centre for the Settlement of Investment Disputes (ICSID), interpreting the Vienna Convention on the Law of Treaties. This study found that: “ICSID tribunals made quite frequent use of effet utile arguments. They almost always used such arguments in order to reject interpretations that would make specific provisions of the treaty useless.” Ole Kristian Fauchald, The Legal Reasoning of ICSID Tribunals – An Empirical Analysis, 19 Eur. J. Int. L. 301 (2008).
[23] Peter Swire & DeBrae Kennedy-Mayo, How Both the EU and the U.S. are “Stricter” than Each Other for the Privacy of Government Requests for Information, 66 Emory L.J. 617 (2017); Peter Swire, Justin D. Hemmings & Suzanne Vergnolle, A Mutual Legal Assistance Case Study: The United States and France, 34 Wis. Int’l L.J. 323 (2017).
[24] Peter Swire, Expert Report to the Irish High Court in Irish Data Protection Commissioner v. Facebook and Max Schrems (Feb. 7, 2017), available at https://www.alston.com/en/resources/peter-swire-irish-high-court-case-testimony.
[25] Peter Swire, “The US, China, and Case 311/18 on Standard Contractual Clauses,” European Law Blog, July 15, 2019; Peter Swire, “Interdire le transfert de données seulement vers les Etats-Unis serait une aberration,” Le Monde, July 11, 2019.
[26] In the wake of the 1991 failure of the Bank of Credit and Commerce International, the Basle Committee on Banking Supervision adopted Principle 23 in its 1997 “Core Principles for Effective Banking Supervision.” That principle states that “Banking supervisors must practice global consolidated supervision over their internationally active banking organisations.” Basle Committee on Banking Supervision, “Core Principles for Effective Banking Supervision,” at 40 (1997) (emphasis supplied), at https://www.bis.org/publ/bcbs30a.pdf. The Basle Committee, which is the leading institution for coordinating among national financial services regulators, has stated: “Banking supervisors must adequately monitor and apply appropriate prudential norms to all aspects of the business conducted by their banking organisations worldwide including at their foreign branches, joint ventures and subsidiaries.” Id. (emphasis supplied).
The Core Principles for Effective Banking Supervision were last updated in 2012. Principle 12, on “Consolidated Supervision,” has language very similar to the 1997 version. Basle Committee on Banking Supervision, “Core Principles for Effective Banking Supervision,” at 35 (2012), at https://www.bis.org/publ/bcbs230.pdf.
[27] Article 29 Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), (Nov. 22, 2006), https://iapp.org/media/pdf/resource_center/wp128_SWIFT_10-2006.pdf.
These statements are attributable only to the author, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.