At some point, organisations worldwide have encountered the classic Cooperation Clause or one similar. Many organisations fail to pick up on such clauses or take the view that Big Tech does not entertain edits to their agreements.
x.x Cooperation. If either party receives any type of request or inquiry from a governmental, legislative, judicial, law enforcement, or regulatory authority (e.g., the Federal Trade Commission, the Attorney General of a U.S. state, or a European data protection authority) or faces an actual or potential claim, inquiry, or complaint in connection with the parties’ Processing of Personal Data shared under this agreement (collectively, an “Inquiry”), such party will notify the other party without undue delay unless such notification is prohibited by applicable law. The receiving party will promptly provide the other party with information relevant to the Inquiry, including any information relevant to the defense of a claim, to enable such party to respond to the Inquiry. Upon request, a party will provide relevant information to the other party to fulfill its obligations (if any) to conduct data protection impact assessments or prior consultations with data protection authorities.
Pathway to Protecting Your Organisation
When you challenge this type of clause, the big tech account manager will keep the company line.
“We are unfortunately unable to make any changes to the language in the agreement; however, if you require any clarifications or specific examples from our legal team, please just let me know.”
If you are presented with such binding clauses from Big Tech and receive such replies as above, organisations must stand their ground on EU Article 48 and its related recitals. After all, as Data Controllers, we must protect an individual’s Personal Data and comply with EU Regulations.
In our last such challenge of such a clause, after three days of communications, we received the following email from the Big Tech legal team.
“Our legal team have confirmed that, in this instance we can make the requested edits. “
Here is the context around how the US Cloud Act 2018 butts heads with EU GDPR Article 48.
In recent years, the world has witnessed an explosion of digital data. With the rise of cloud computing and big data, individuals and organisations alike are producing, processing, and storing vast amounts of information. As a result, there has been a growing concern about how this data is being collected, used, and protected.
In the European Union (EU), the General Data Protection Regulation (GDPR) was introduced in 2018 to provide individuals with more control over their personal data. The GDPR sets out a range of rights for individuals, including the right to access their data, the right to have their data corrected or erased, and the right to object to the processing of their data.
However, the implementation of the US Cloud Act in 2018 has raised concerns about how the GDPR’s Article 48, Any judgment of a court or tribunal, and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter. At present, no such treaty exists.
The Cloud Act allows US law enforcement agencies to access data stored by US cloud service providers, regardless of where the data is stored or the nationality of the individual or organisation that owns the data.
This raises serious questions about the protection of personal data for EU citizens when their data is stored on US servers. The Cloud Act allows US law enforcement to bypass the protections afforded by the GDPR, which violates EU citizens’ privacy rights.
The GDPR was created to provide a high level of protection for individuals’ personal data, and Article 48 is an essential part of this protection. It requires data controllers to notify data subjects of any transfers of their data to third countries and to obtain their explicit consent. This ensures that individuals have control over their personal data and are aware of who has access to it.
Cloud Act Impact
The Cloud Act undermines these protections by allowing US law enforcement to access personal data stored on US cloud servers without the knowledge or consent of the data subjects. This puts EU citizens’ privacy at risk and creates a legal grey area that is difficult to navigate.
Furthermore, the Cloud Act could have a chilling effect on the use of cloud services by EU organisations. If EU organisations cannot guarantee the protection of their customer’s personal data, they may be reluctant to use US-based cloud providers, which could have negative economic consequences.
In conclusion, the US Cloud Act represents a significant threat to the privacy rights of EU citizens and the GDPR’s protection of personal data. The EU must take steps to ensure that the Cloud Act does not undermine the GDPR and that the privacy rights of EU citizens are protected. This may involve negotiating a new data transfer agreement with the US or finding alternative solutions that ensure personal data protection.
United Kingdom Decision
Unfortunately for UK Data Controllers and Data Subjects, the UK Government opted out of Article 48 post Brexit. If UK organisations fall under both UK and EU GDPR and process the data of EU Citizens, then the EU Article 48 applies.