The CLOUD Act would amend the SCA to require service providers to “preserve, backup, or disclose the contents of a wire or electronic communication and any record or other information pertaining to a customer or subscriber within such provider’s possession, custody, or control, regardless of whether such communication, record, or other information is located within or outside of the United States.” The CLOUD Act would also give “qualifying” foreign governments access to records stored in the U.S. that pertain to foreign citizens, including foreign citizens here in the U.S. |
it is not clear whether the bill, in its current form, would meet legal requirements under the EU’s impending General Data Protection Regulation Act. Article 48 of the GDPR addresses foreign (including U.S.) investigations and prohibits the transfer or disclosure of personal data unless pursuant to an MLAT or other international agreement. One possible resolution would be for the U.S. to enter into an agreement with the EU or for the EU to agree that the U.S. investigations and subsequent transfers or disclosures in compliance with the CLOUD Act procedures do not conflict with Article 48. |