The US CLOUD Act and the EU GDPR entered into force at around the same time, but these regulations pursue completely different and inherently incompatible goals.
A few months after the adoption of the CLOUD Act by the US Congress, the European Union's General Data Protection Regulation (GDPR) entered into effect on 25 May 2018, two years after the EU member states had reached agreement on a major reform of the existing EU data protection framework.
"The principles underlying the GDPR are not uniquely European and some of its protections can be found – albeit in weaker, less prescriptive forms – in US privacy laws and in Federal Trade Commission settlements with companies."The GDPR replaced the 1995 EU Data Protection Directive which was adopted at a time when the Internet was in its infancy. The new Regulation aimed to provide a reformed framework giving EU citizens more control over their own personal data and improving their security both online and offline.
The GDPR applies to all EU member-states and also to all countries in the European Economic Area (EEA) which includes Iceland, Norway, and Liechtenstein.
The principles underlying the GDPR are not uniquely European and some of its protections can be found – albeit in weaker, less prescriptive forms – in US privacy laws and in Federal Trade Commission settlements with companies.
However, in contrast to Europe, the US does not recognise a universal fundamental right to privacy. Notwithstanding the fourth amendment to the US Constitution, US government authorities can often obtain personal information without court approval. Legislation that provides a legal framework for the handling of data at approximately the same level as the The European Commission found in that the Safe Harbor Principles would provide "adequate protection" under Article 25 of Directive 95/56/EC, when it comes to the transfer of personal information from the EU to the US.
GDPR only exists in one single state: California.
"GDPR aims at protecting personal data, and thus the rights and information of European citizens."Although the US CLOUD Act and the EU GDPR entered into force at around the same time, these regulations pursue completely different goals.
GDPR aims at protecting personal data, and thus the rights and information of European citizens.
In contrast, the US enacted the CLOUD Act to clarify, extend, and speed up official access to electronic information held by US-based global providers, irrespective of the storage location of that data.
The bottom line here is that US companies are by nature not able to guarantee EU GDPR compliance, even if they provide their services via European subsidiaries.
"The bottom line here is that US companies are by nature not able to guarantee EU GDPR compliance, even if they provide their services via European subsidiaries."Regardless where their data processing operations are located, US companies fall under the jurisdiction of the US CLOUD Act which places them in a situation of conflict with the GDPR.
Likewise European data processors can’t be GDPR-compliant either if they rely on use US-based cloud providers to handle their services.
The inherent incompatibility between EU data protection regulations and US "data harvesting" legislation has been confirmed by the judgments of the Court of Justice of the European Union in the landmark judgments known colloquially as "Schrems I" and "Schrems€ II" which we will look at next. ⬆