Related Papers
Computer Law & Security Review
Access to extraterritorial evidence: The Microsoft cloud case and beyond
2015 •
Felicity Gerry KC
ECOEI V
European Union General Data Protection Regulation (GDPR) and United States of America’s Clarifying Overseas Use of Data (Cloud) Act: David Versus Goliath
2019 •
Sema Yılmaz Genç, Hassan Syed
The Edward Snowdens June 2013 leaks of United States National Security Agency (NSA) documents unsettled the global community of internet users, Governments and the Civil Society at large. At the heart of Snowdens leaks was the NSA top-secret PRISM programs that the NSA was using to obtained mass users data through direct access to the systems of Google, Facebook, Apple and other US internet service providers. Complicit with the NSA PRISM program was UKs General Communications Headquarters or GCHQ through its own covert mass data collection program TEMPORA. Google, Facebook and Microsoft etc. denied their complicity in the PRISM program. Verizon came forward and revealed that the communications that were being targeted by the PRISM did not just stop at the metadata rather it also collected the contents of the specifically targeted data subject. It can be argued that the US and UK intelligence communities were responding to the emerging threats of “Global terrorism”. The PRISM program was working under the US Legislation of FAA or the FISA Amendments Act. The Foreign Intelligence Surveillance Act (FISA) of 1978 Amendments Act of 2008 allowed the US intelligence agencies to collect mass data for surveillance without any Court Orders or seeking the cooperation of the internet service providers. It can be stated with confidence that the present day European Unions May 2018 General Data Protection regulation (GDPR) and USAs Clarifying Overseas Use of Data (CLOUD) Act March 2018 are the culmination of a series of legal battles on both sides to tackle the uncertainties that occurred with the lawful handling of Big Data. This paper seeks to review the brief history of both the legal instruments and how these two competing laws would affect the future handling of personal data for those using internet technologies. The international reach of both the laws makes them unique as the Supra-National nature of both the laws aims to satisfy the prescribed needs of EU and USA only. We will also focus our attention to the possible tension that these laws create for the subject of these laws, the individual or the data-subjects whose data is the focal point these laws. It is ubmitted that both EU GDPR and USAs CLOUD Act have far reaching social and legal implications on how the internet use and the development of its technologies proceeds in the future.
Australian Journal of Telecommunications and the Digital Economy
The Cloud and data sovereignty after Snowden
2014 •
David Vaile
Learning Lessons from Cloud Investigations in Europe: Bargaining Enforcement and Multiple Centers of Regulation in Data Protection
Dr Asma Vranaki
The race is on for businesses and consumers to join the cloud. From increased efficiency to low operational costs to scalability, reasons abound as to why we are adopting cloud solutions. However, unleashing the potential of cloud ecosystems for companies and individuals has not been without difficulties. Industry research has highlighted that data protection and privacy concerns, in particular, can often be one of the main inhibitors to the widespread adoption of cloud-based systems. Lately, some US-based cloud companies have been required to comply with European data protection laws through the regulatory process of investigation by European data protection authorities (“Cloud Investigations”). In this article, I analyze selected empirical findings from my recent qualitative socio-legal research project where I have examined the investigations of cloud providers by European data protection authorities (“EU DPAs”) to reflect on the roles of data protection laws during such investigations. I advance two arguments. Firstly, a decentralized perspective on Cloud Investigations sheds a more comprehensive light on the roles of data protection laws during Cloud Investigations without assuming a priority that such laws have a privileged and static role in the regulatory process. Secondly, and relatedly, I argue that by “cutting off the King’s head”, we can understand more fully the dynamic and context-dependent roles of data protection laws during Cloud Investigations. From time to time, law can be deployed to achieve the aims of the law-makers or enforcers. At other times, law can also be used as bargaining chips by EU DPAs and Cloud Providers to obstruct or facilitate the negotiations during Cloud Investigations. At other times still, law can often retreat from the field of action as other actors carry out the “act of government” to determine if and to what extent Cloud Providers are “accountable in reality.”
Keeping Up with the Clouds - Revealing the Discrepancy between the Realities of Cloud Technology and European Data Protection Law
Emerald de Leeuw
Cloud Investigations by European Data Protection Authorities: An Empirical Account
Dr Asma Vranaki
This chapter draws on qualitative interviews, documentary analysis and observation data to analyse how European data protection authorities ('EU DPAs') exercise one of their statutory enforcement powers, namely, investigations more frequently to determine the compliance of cloud providers with the relevant data protection laws. The empirical analysis presented in this chapter supports two arguments. Firstly, the investigations of cloud providers by EU DPAs ('Cloud Investigations') are complex regulatory processes that often involve different co-operative relationships between various actors, such as DPAs. In reality, manifold interactions and practices, such as facilitative instruments, are deployed to form and perform such collaborations which are vital in ensuring the consistent application and enforcement of common data protection principles in an increasingly globalised context. Secondly, Cloud Investigations are also dynamic as they can involve continually evolving regulatory enforcement styles and compliance attitudes. Cloud Providers can often resist the attempts of the EU DPAs to direct the investigative process in specific ways. How such resistance is resolved is very much context-dependent.
Cambridge Law Journal
Rejecting the Transatlantic Outsourcing of Data Protection in the Face of Unrestrained Surveillance
2021 •
Monika Zalnieriute, Genna Churches
On 16 July 2020, the Grand Chamber of the Court of Justice of the European Union ('CJEU'), in a departure from the Advocate General's ('AG') Opinion, invalidated the the key mechanism for EU-United States data transfers, Privacy Shield for not affording 'essentially equivalent' protection to that provided under the EU legal order for personal data transferred to the US. The Court upheld the validity of the SCC for international data transfers, ruling that the National Data Protection Authorities ('DPAs') must take action where these clauses do not provide 'essentially equivalent' protection to EU law. The Schrems II judgement will have significant implications for many areas of EU law and policy, transatlantic relations and global data governance more generally. It will impact the EU-US data transfers, data transfers to third countries beyond US, including the post-Brexit UK, because SCCs are relied on by 88 per cent of EU companies transferring data outside the EU. Following the Snowden revelations in 2013, the CJEU has developed a powerful body of jurisprudence which rejects the transatlantic outsourcing of data protection without adequate safeguards. Schrems II reasserted the fundamental role of data protection in the EU legal order and transatlantic relations, and emphasised the need for EU to suspend, limit, or even block data transfers to countries where fundamental rights are not protected. Full implications of Schrems II are yet to be seen but the effects will be felt for many years to come.
2020 12th International Conference on Cyber Conflict (CyCon)
Up in the Air: Ensuring Government Data Sovereignty in the Cloud
2020 •
Przemysław Roguski
Cross-border Access to Electronic Data through Judicial Cooperation in Criminal Matters: State of the art and latest developments in the EU and the US
Cross-border Access to Electronic Data through Judicial Cooperation in Criminal Matters State of the art and latest developments in the EU and the US
2018 •
Gloria González Fuster
In the digital age, access to data sought in the framework of a criminal investigation often entails the exercise of prosecuting powers over individuals and material that fall under another jurisdiction. Mutual legal assistance treaties, and the European Investigation Order allow for the lawful collection of electronic information in cross-border proceedings. These instruments rely on formal judicial cooperation between competent authorities in the different countries concerned by the investigative measure. By subjecting foreign actors' requests for data to domestic independent judicial scrutiny, they guarantee that the information sought during an investigation is lawfully obtained and admissible in court. At the same time, pressure is mounting within the EU and in the US to allow law enforcement authorities' access to data outside existing judicial cooperation channels. Initiatives such as the European Commission's proposals on electronic evidence and the CLOUD Act in the US foster a model of direct private–public cross-border cooperation under which service providers receive, assess and respond directly to a foreign law enforcement order to produce or preserve electronic information. This paper scrutinises these recent EU and US initiatives in light of the fundamental rights standards, rule of law touchstones, and secondary norms that, in the EU legal system, must be observed to ensure the lawful collection and exchange of data for criminal justice purposes. A series of doubts are raised as to the Commission e-evidence proposal and the CLOUD Act's compatibility with the legality, necessity and proportionality benchmarks provided under EU primary and secondary law.
