TRANSCRIPT
Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). Latham & Watkins operates in South Korea as a Foreign Legal Consultant Office. We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2019 Latham & Watkins. All Rights Reserved.
Month day, 2019
Between a Rock and a Hard Place: Competing Obligations Under the CLOUD Act
Fiona Maclean, Serrin Turner and Myria Saarinen
[Figure: stacked layers labelled Software as a Service, Platform as a Service, Infrastructure as a Service]
Cloud computing: Three main types commonly referred to as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)
“By itself, (IaaS) infrastructure isn’t useful - it just sits there waiting for someone to make it productive in solving a particular problem. Imagine the Interstate transportation system in the U.S. Even with all these roads built, they wouldn’t be useful without cars and trucks to transport people and goods. In this analogy, the roads are the infrastructure and the cars and trucks are the platform (PaaS) that sits on top of the infrastructure and transports the people and goods. These goods and people might be considered the software (SaaS) and information in the technical realm”…
Source: Rackspace Support Network, October 2013
Cloud computing: Three main types commonly referred to as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)
Shared responsibility matrix (columns: On Prem, IaaS, PaaS, SaaS; layers listed from top to bottom, each appearing in every column):
Applications
Data
Middleware
Operating System
Virtualization
Server
Storage
Network
Legend: Own Responsibility / Cloud Provider Responsibility (in the original chart each column is shaded to show which layers remain the customer’s own responsibility and which pass to the cloud provider)
Cloud computing: Expect healthy adoption of public Cloud in the future as enterprises shift their existing workloads and companies adopt a Cloud-first mentality
[Chart: Global Cloud Computing market size, $bn; series: Public Cloud (IaaS, PaaS, SaaS) and Private Cloud; y-axis 0 to 700]
[Chart: Percentage Cloud spend by category, 2018; categories: Management Tools / API, Services / Consulting, PaaS, Compute, Other, Networking, Storage, Database; data labels in extraction order (pairing with categories not recoverable): 3.7%, 11.8%, 12.4%, 12.6%, 14.4%, 14.7%, 15.2%, 15.3%]
Geographic view: Enterprises in the west prefer AWS, Azure, Google & IBM over the Chinese Tech Cloud vendors
[Chart: % Cloud users with allocated budget to the following vendors, by region (US, UK / Germany, China); vendor names are not recoverable from the extracted text; data labels in extraction order: 15%, 17%, 37%, 44%, 45%, 60%, 10%, 11%, 29%, 40%, 44%, 48%, 17%, 24%, 25%, 34%, 34%, 37%]
Adoption statistics (three panels; region labels not recoverable from the extracted text):
• 76% of companies have adopted Cloud computing, public and/or private; 71% are currently using IaaS – 17% planning to adopt in the future; 65% are currently using PaaS – 21% planning to adopt in the future
• 79% of companies have adopted Cloud computing, public and/or private; 68% are currently using IaaS – 21% planning to adopt in the future; 71% are currently using PaaS – 21% planning to adopt in the future
• 74% of companies have adopted Cloud computing, public and/or private; 72% are currently using IaaS – 17% planning to adopt in the future; 63% are currently using PaaS – 28% planning to adopt in the future
Source: UBS, Latham & Watkins Tactical Opportunities Analysis
Competing Compliance Obligations
CLOUD Act & US Legal Process  vs.  Data Privacy & Localization Requirements
History of the CLOUD Act
• Microsoft challenged email search warrant on basis that email contents were stored outside US
• Issue was whether term “warrant” as used in Stored Communications Act should be construed to apply only to data located in US
• Case was mooted out before final decision
• District court ruled for US
• Appeals court ruled for Microsoft
• Mooted by CLOUD Act while pending in Supreme Court
CLOUD Act – Key Provisions
Control, Not Location, Is the Test
• Act clarifies that SCA obligations apply regardless of whether data is located within or outside the US
Reciprocality for “Qualifying Foreign Governments”
• QFGs w/ executive agreements can issue orders directly to US providers
• But they must lift any of their own blocking restrictions on providers
Right to Seek Relief Based on Conflict of Laws
• Provides new statutory remedy for conflicts with QFG’s laws
• But also preserves common-law remedies
Statutory vs Common-Law “Comity” Test
CLOUD Act Test
• Court may quash/modify order if
  • Disclosure would cause provider to violate QFG’s laws
  • Balance of interests weighs against enforcement, e.g.:
    • US and QFG’s competing interests
    • Penalties facing provider
    • Customer’s connection to US
    • Provider’s connection to US
    • Availability of data via other means
  • Customer is not a US person or resident
Common-Law Test
• Court may quash/modify order if
  • Disclosure would present a “true conflict” with foreign law
  • Balance of interests weighs against enforcement, e.g.:
    • US and foreign govt’s competing interests
    • Importance of info requested
    • Specificity of the request
    • Whether info originated in US
    • Availability of data via other means
  • [ No requirement that customer is not a US person / resident ]
Comity Challenge Precedents
Courts traditionally have rejected comity challenges to law enforcement orders
• United States v. Davis, 767 F.2d 1025, 1033-34 (2d Cir. 1985) (finding interest in enforcing criminal laws outweighed interest of Cayman Islands in privacy of its banking customers)
• In re Grand Jury Proceedings, 532 F.2d 404 (5th Cir. 1976) (upholding grand jury subpoena against comity challenge based on foreign banking privacy laws)
• United States v. First Nat’l City Bank, 396 F.2d 897 (2d Cir. 1968) (same)
But they have granted comity challenges where severe foreign penalties were likely
• Compare, e.g., First Nat’l City Bank, 396 F.2d at 905 (compelling disclosure where “risk of civil damages [being imposed under German law] was slight and speculative”) with
• Tiffany (NJ) LLC v. Qi Andrew, et al., 276 F.R.D. 143, 159 (S.D.N.Y. 2011) (declining to compel where history of prosecutions under Chinese banking statute demonstrated that “statute has been used to prosecute individuals and that violations can result in serious punishment”).
Will GDPR Lead to Comity Challenges?
No comity challenges based on GDPR have been brought yet
• Microsoft case did not present true comity challenge
Prospect of large GDPR fines is potential factor under comity analysis
• As is potential criminal enforcement of national laws implementing GDPR
But there must be true conflict with foreign laws
• Even where provider and data are subject to GDPR, disclosure based on order issued under SCA may be permissible under GDPR
GDPR Article 48
Article 48 of the GDPR is a new provision specifically addressing foreign requests for personal data:
• any foreign judicial or administrative order requiring production of personal data is only enforceable through an MLAT or other international agreement
• i.e., a foreign order by itself does not make a transfer lawful under the GDPR
• BUT the provision is without prejudice to other permissible grounds for transfer outside the EU recognized by the GDPR
European Data Protection Board has taken restrictive interpretation of this provision:
• Where MLAT exists, EU company “should generally refuse direct requests” for data from foreign authority and refer it to the MLAT process instead
Cloud Providers and GDPR
Apple
“This year, [the EU has] shown the world that good policy and political will can come together to protect the rights of everyone. It’s time for the rest of the world, including my home country, to follow your lead. We at Apple are in full support of a comprehensive federal privacy law in the United States.”
- Tim Cook, CEO
Amazon Web Services
“AWS welcomes the arrival of the GDPR. The new, robust requirements raise the bar for data protection, security, and compliance, and will push the industry to follow the most stringent controls, helping to make everyone more secure […] all AWS services will comply with the GDPR when it becomes enforceable on May 25, 2018.”
- Stephen Schmidt, Vice President and CISO
Microsoft
“GDPR is an important step forward for privacy rights in Europe and around the world, and we’ve been enthusiastic supporters of GDPR since it was first proposed in 2012. It sets a strong standard for privacy and data protection by empowering people to control their personal information [...] We are committed to making sure our products and services comply with GDPR.”
- Julie Brill, Corporate VP and Deputy General Counsel
GDPR Legal Defense Derogation
• “Legal defense” derogation allows for transfer outside EU if “necessary for the establishment, exercise, or defense of legal claims”
• Guidance from European Data Protection Board:
  • Transfer must relate to formal proceedings or legal process (mere possibility of future legal proceedings not sufficient)
  • Derogation applies to criminal or administrative investigation, where transferred data is needed to defend oneself or avoid penalty (not clear if it applies to third-party subpoena—particularly if served on non-EU entity)
  • A “close and substantial connection” between legal defense and transferred data is required (obtaining “good will” of foreign authorities is insufficient)
GDPR Public Interest Derogation
• “Public interest” derogation permits transfer outside EU if “necessary for important reasons of public interest”
• But the public interest must be recognized under EU law or the law of the data controller’s member state
• Guidance from European Data Protection Board indicates that derogation is unlikely to apply to US law enforcement request:
  • not enough if transfer serves public interest of third country that is shared in “abstract” sense with EU/member state
  • derogation only appears applicable where EU member states have specific information-sharing arrangements in place with third country (e.g., AML, terrorist-financing)
GDPR Compelling Interests Derogation
• “Compelling interests” derogation can be invoked if no other derogation is applicable and:
  • transfer is necessary for compelling legitimate interests that are not outweighed by interests of data subject
  • controller ensures transfer is made with suitable privacy safeguards based on assessment of all the circumstances
  • the data subject and relevant data protection authority must be notified of the transfer
• This derogation is likely to be impractical in context of confidential law enforcement investigation
European Commission Amicus Brief in Microsoft Case
• On legitimate interest test:
  • “the transfer could potentially qualify as ‘necessary for the purposes of the legitimate interests pursued by the controller’—namely, the interest in not being subject to legal action in a non-EU state”
  • But only if this interest is not overridden by fundamental rights and freedoms of data subject
• On grounds for transfer:
  • Article 48 makes clear that a foreign court order does not, as such, make a transfer lawful under the GDPR; but its requirements are without prejudice to other grounds for transfer
  • Other grounds might be public interest, including “the fight against serious crime,” or compelling legitimate interests, but these derogations must be strictly construed
French Focus
Article 1 bis of the 1968 French Blocking Statute as amended in 1980 provides that:
“Subject to Treaties or International Agreements and to currently applicable laws and regulations, it is prohibited for any person to request, seek or disclose, in writing, orally, or in any other form, documents or information of an economic, commercial, industrial, financial or technical nature directed toward establishing evidence in view of foreign judicial or administrative proceedings or in relation thereto.”
March 2019: a draft report requested by the government would recommend strengthening the French Blocking Statute (draft report by Mr. Gauvain, not yet published).
In reaction to the CLOUD Act, a fine of 4% of turnover could be imposed on any intermediary which has access to, stores, hosts and transmits sensitive data to US judicial authorities.
Practical Tips
Due Diligence Vendors
• Understand the geography of their operations and the locations from which they exercise ‘control’
• Update Vendor questionnaires accordingly
For companies with a US subsidiary:
• Ensure that the US subsidiary has no possession, custody or control over EU data
• Implement technical and operational controls as well as policies and procedures, e.g. access controls
For companies with a US parent:
• Diligence the existence of executive agreements and/or comity principles of the countries in which subs with access are located
• Put in place a Law Enforcement Access Policy describing the steps taken in response to a US Law Enforcement Request – escalation processes should be clearly documented
Understand the steps taken by your Vendors upon receipt of a LEA from US law enforcement
• Secure contractual terms setting out the vendor’s process upon receipt of a request, including steps to unseal requests etc.
Contact Information
Serrin Turner, Partner, New York
Fiona Maclean, Partner
Myria Saarinen, Partner