Latham & Watkins is the business name of Latham & Watkins (London) LLP, a registered limited liability partnership organised under the laws of New York and authorised and regulated by the Solicitors Regulation Authority (SRA No. 203820). Latham & Watkins operates in South Korea as a Foreign Legal Consultant Office. We are affiliated with the firm Latham & Watkins LLP, a limited liability partnership organised under the laws of Delaware. © Copyright 2019 Latham & Watkins. All Rights Reserved.

Month day, 2019

Between a Rock and a Hard Place: Competing Obligations Under the CLOUD Act

Fiona Maclean, Serrin Turner and Myria Saarinen


[Figure: three stacked layers labelled Software as a Service, Platform as a Service, Infrastructure as a Service]

Cloud computing: Three main types, commonly referred to as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)

“By itself, (IaaS) infrastructure isn’t useful - it just sits there waiting for someone to make it productive in solving a particular problem. Imagine the Interstate transportation system in the U.S. Even with all these roads built, they wouldn’t be useful without cars and trucks to transport people and goods. In this analogy, the roads are the infrastructure and the cars and trucks are the platform (PaaS) that sits on top of the infrastructure and transports the people and goods. These goods and people might be considered the software (SaaS) and information in the technical realm”…

Source: Rackspace Support Network, October 2013


Cloud computing: Three main types commonly referred to as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS)

[Figure: shared-responsibility stack, one column each for OnPrem, IaaS, PaaS and SaaS, with the same eight layers top to bottom and each layer colour-coded per model as Own Responsibility or Cloud Provider Responsibility]

Layer            | OnPrem | IaaS | PaaS | SaaS
Applications     |   x    |  x   |  x   |  x
Data             |   x    |  x   |  x   |  x
Middleware       |   x    |  x   |  x   |  x
Operating System |   x    |  x   |  x   |  x
Virtualization   |   x    |  x   |  x   |  x
Server           |   x    |  x   |  x   |  x
Storage          |   x    |  x   |  x   |  x
Network          |   x    |  x   |  x   |  x

Legend: Own Responsibility / Cloud Provider Responsibility


Cloud computing: Expect healthy adoption of public Cloud in the future as enterprises shift their existing workloads and companies adopt a Cloud-first mentality

[Chart: Global Cloud Computing market size, $bn (axis 0 to 700), split into Public Cloud (IaaS, PaaS, SaaS) and Private Cloud]

[Chart: Percentage Cloud spend by category, 2018; categories shown: Management Tools / API, Services / Consulting, PaaS, Compute, Other, Networking, Storage, Database]


Geographic view: Enterprises in the west prefer AWS, Azure, Google & IBM over the Chinese Tech Cloud vendors

[Chart: % Cloud users with allocated budget to the following vendors, three regional panels: US; UK / Germany; China]

Adoption figures, three regional panels in the order shown (US; UK / Germany; China):

• 76% of companies have adopted Cloud computing, public and/or private
• 71% are currently using IaaS – 17% planning to adopt in the future
• 65% are currently using PaaS – 21% planning to adopt in the future

• 79% of companies have adopted Cloud computing, public and/or private
• 68% are currently using IaaS – 21% planning to adopt in the future
• 71% are currently using PaaS – 21% planning to adopt in the future

• 74% of companies have adopted Cloud computing, public and/or private
• 72% are currently using IaaS – 17% planning to adopt in the future
• 63% are currently using PaaS – 28% planning to adopt in the future

Source: UBS, Latham & Watkins Tactical Opportunities Analysis


Competing Compliance Obligations

CLOUD Act & US Legal Process  vs.  Data Privacy & Localization Requirements


History of the CLOUD Act

• Microsoft challenged email search warrant on basis that email contents were stored outside US
• Issue was whether term “warrant” as used in Stored Communications Act should be construed to apply only to data located in US
• Case was mooted out before final decision
  • District court ruled for US
  • Appeals court ruled for Microsoft
  • Mooted by CLOUD Act while pending in Supreme Court


CLOUD Act – Key Provisions

Control, Not Location, Is the Test
• Act clarifies that SCA obligations apply regardless of whether data is located within or outside the US

Reciprocality for “Qualifying Foreign Governments”
• QFGs w/ executive agreements can issue orders directly to US providers
• But they must lift any of their own blocking restrictions on providers

Right to Seek Relief Based on Conflict of Laws
• Provides new statutory remedy for conflicts with QFG’s laws
• But also preserves common-law remedies


Statutory vs Common-Law “Comity” Test

CLOUD Act Test
• Court may quash/modify order if
  • Disclosure would cause provider to violate QFG’s laws
  • Balance of interests weighs against enforcement, e.g.:
    • US and QFG’s competing interests
    • Penalties facing provider
    • Customer’s connection to US
    • Provider’s connection to US
    • Availability of data via other means
  • Customer is not a US person or resident

Common-Law Test
• Court may quash/modify order if
  • Disclosure would present a “true conflict” with foreign law
  • Balance of interests weighs against enforcement, e.g.:
    • US and foreign govt’s competing interests
    • Importance of info requested
    • Specificity of the request
    • Whether info originated in US
    • Availability of data via other means
  • [ No requirement that customer is not a US person / resident ]


Comity Challenge Precedents

Courts traditionally have rejected comity challenges to law enforcement orders
• United States v. Davis, 767 F.2d 1025, 1033-34 (2d Cir. 1985) (finding interest in enforcing criminal laws outweighed interest of Cayman Islands in privacy of its banking customers)
• In re Grand Jury Proceedings, 532 F.2d 404 (5th Cir. 1976) (upholding grand jury subpoena against comity challenge based on foreign banking privacy laws)
• United States v. First Nat’l City Bank, 396 F.2d 897 (2d Cir. 1968) (same)

But they have granted comity challenges where severe foreign penalties were likely
• Compare, e.g., First Nat’l City Bank, 396 F.2d at 905 (compelling disclosure where “risk of civil damages [being imposed under German law] was slight and speculative”) with
• Tiffany (NJ) LLC v. Qi Andrew, et al., 276 F.R.D. 143, 159 (S.D.N.Y. 2011) (declining to compel where history of prosecutions under Chinese banking statute demonstrated that “statute has been used to prosecute individuals and that violations can result in serious punishment”).


Will GDPR Lead to Comity Challenges?

No comity challenges based on GDPR have been brought yet
• Microsoft case did not present true comity challenge

Prospect of large GDPR fines is potential factor under comity analysis
• As is potential criminal enforcement of national laws implementing GDPR

But there must be true conflict with foreign laws
• Even where provider and data are subject to GDPR, disclosure based on order issued under SCA may be permissible under GDPR


GDPR Article 48

Article 48 of the GDPR is a new provision specifically addressing foreign requests for personal data:

• any foreign judicial or administrative order requiring production of personal data is only enforceable through an MLAT or other international agreement
  • i.e., a foreign order by itself does not make a transfer lawful under the GDPR
• BUT the provision is without prejudice to other permissible grounds for transfer outside the EU recognized by the GDPR

European Data Protection Board has taken restrictive interpretation of this provision:

• Where MLAT exists, EU company “should generally refuse direct requests” for data from foreign authority and refer it to the MLAT process instead


Cloud Providers and GDPR

Apple
“This year, [the EU has] shown the world that good policy and political will can come together to protect the rights of everyone. It’s time for the rest of the world, including my home country, to follow your lead. We at Apple are in full support of a comprehensive federal privacy law in the United States.”
- Tim Cook, CEO

Amazon Web Services
“AWS welcomes the arrival of the GDPR. The new, robust requirements raise the bar for data protection, security, and compliance, and will push the industry to follow the most stringent controls, helping to make everyone more secure […] all AWS services will comply with the GDPR when it becomes enforceable on May 25, 2018.”
- Stephen Schmidt, Vice President and CISO

Microsoft
“GDPR is an important step forward for privacy rights in Europe and around the world, and we’ve been enthusiastic supporters of GDPR since it was first proposed in 2012. It sets a strong standard for privacy and data protection by empowering people to control their personal information [...] We are committed to making sure our products and services comply with GDPR.”
- Julie Brill, Corporate VP and Deputy General Counsel


GDPR Legal Defense Derogation

• “Legal defense” derogation allows for transfer outside EU if “necessary for the establishment, exercise, or defense of legal claims”
• Guidance from European Data Protection Board:
  • Transfer must relate to formal proceedings or legal process (mere possibility of future legal proceedings not sufficient)
  • Derogation applies to criminal or administrative investigation, where transferred data is needed to defend oneself or avoid penalty (not clear if it applies to third-party subpoena—particularly if served on non-EU entity)
  • A “close and substantial connection” between legal defense and transferred data is required (obtaining “good will” of foreign authorities is insufficient)


GDPR Public Interest Derogation

• “Public interest” derogation permits transfer outside EU if “necessary for important reasons of public interest”
• But the public interest must be recognized under EU law or the law of the data controller’s member state
• Guidance from European Data Protection Board indicates that derogation is unlikely to apply to US law enforcement request:
  • not enough if transfer serves public interest of third country that is shared in “abstract” sense with EU/member state
  • derogation only appears applicable where EU member states have specific information-sharing arrangements in place with third country (e.g., AML, terrorist-financing)


GDPR Compelling Interests Derogation

• “Compelling interests” derogation can be invoked if no other derogation is applicable and:
  • transfer is necessary for compelling legitimate interests that are not outweighed by interests of data subject
  • controller ensures transfer is made with suitable privacy safeguards based on assessment of all the circumstances
  • the data subject and relevant data protection authority must be notified of the transfer
• This derogation is likely to be impractical in context of confidential law enforcement investigation


European Commission Amicus Brief in Microsoft Case

• On legitimate interest test:
  • “the transfer could potentially qualify as ‘necessary for the purposes of the legitimate interests pursued by the controller’—namely, the interest in not being subject to legal action in a non-EU state”
  • But only if this interest is not overridden by fundamental rights and freedoms of data subject
• On grounds for transfer:
  • Article 48 makes clear that a foreign court order does not, as such, make a transfer lawful under the GDPR; but its requirements are without prejudice to other grounds for transfer
  • Other grounds might be public interest, including “the fight against serious crime,” or compelling legitimate interests, but these derogations must be strictly construed


French Focus

Article 1 bis of the 1968 French Blocking Statute, as amended in 1980, provides that: “Subject to Treaties or International Agreements and to currently applicable laws and regulations, it is prohibited for any person to request, seek or disclose, in writing, orally, or in any other form, documents or information of an economic, commercial, industrial, financial or technical nature directed toward establishing evidence in view of foreign judicial or administrative proceedings or in relation thereto.”

March 2019: a draft report requested by the government reportedly recommends strengthening the French Blocking Statute (draft report by Mr. Gauvain, not yet published).

In reaction to the CLOUD Act, a fine of 4% of turnover could be imposed on any intermediary that has access to, stores, hosts and transmits sensitive data to US judicial authorities.


Practical Tips

Due diligence on vendors
• Understand the geography of their operations and the locations from which they exercise ‘control’
• Update vendor questionnaires accordingly

For companies with a US subsidiary:
• Ensure that the US subsidiary has no possession, custody or control over EU data
• Implement technical and operational controls as well as policies and procedures, e.g. access controls

For companies with a US parent:
• Diligence the existence of executive agreements and/or comity principles of the countries in which subs with access are located
• Put in place a Law Enforcement Access Policy describing the steps taken in response to a US Law Enforcement Request – escalation processes should be clearly documented

Understand the steps taken by your vendors upon receipt of a LEA from US law enforcement
• Secure contractual terms setting out the vendor’s process upon receipt of a request, including steps to unseal requests etc.


Contact Information

Serrin Turner, Partner, New York – [email protected]

Fiona Maclean, Partner – [email protected]

Myria Saarinen, Partner – [email protected]