The US-EU Rivalry for Data Protection: Energy Sector Implications Edito Energie, February 2019
The General Data Protection Regulation and the energy sector
There have been a variety of conflicting accounts about the potential economic impact of the GDPR on both sides of the Atlantic. Certain reports claim that the GDPR could end up costing large firms more than $1 billion overall. This is in part due to high EU penalties for non-compliance (up to 4% of global revenues), which may negatively impact competitiveness and transatlantic trading. Other studies, however, have asserted the exact opposite, namely that the GDPR contains a number of provisions requiring firms to update and modernize their modes of operation, making them more efficient and competitive. In addition, the GDPR also creates a common set of rules for data protection, which will bring clarity and legal certainty to firms on both sides of the Atlantic, potentially boosting transatlantic trade. Finally, firms that do not comply with the GDPR now risk being at a competitive disadvantage compared to companies that offer stronger data protection. Overall though, the benefits from the GDPR in terms of privacy protection are unequivocally positive.
Conflicts with the US Cloud Act
On March 23rd 2018, and perhaps in anticipation of the GDPR, the US Congress ratified the Clarifying Lawful Overseas Use of Data Act (or Cloud Act) as part of the 2018 federal omnibus spending bill. Many of the potential benefits deriving from the GDPR, both from an economic viewpoint and from the perspective of privacy protection, risk being jeopardized by the Cloud Act and the danger of conflicting legislation. In a nutshell, the Cloud Act represents an extension of the Stored Communications Act (SCA) of 1986, which covered the disclosure of electronic communications held by Internet service providers. As a result, the Cloud Act makes it lawful for US federal authorities, within the context of an investigation, to compel American technology companies, either through warrant or subpoena, to hand over data stored on their servers and data centers. This applies regardless of whether or not such data is stored on US soil or in a foreign country; the person(s) concerned are not notified and there is no possibility of oversight from judicial authorities in the country where the data is stored.
Such provisions enter into direct conflict with several key sections of the GDPR, in particular Articles 44 to 48, which subject the international transfer of EU citizens’ data to very strict conditions. Up until now, the international transfer of personal data has been regulated by ‘mutual legal assistance treaties’ (MLATs), bilateral arrangements that are often slow and cumbersome. One of the stated objectives of the Cloud Act is to circumvent this existing system in order to establish a more rapid and efficient one, whereby certain foreign governments may enter into ‘bilateral executive agreements’ with the US for direct and reciprocal data transfers. This runs counter to the GDPR’s insistence that the MLAT system provides the most adequate framework to protect the international transfer of EU citizens’ data. Furthermore, although the Cloud Act contains a number of clauses that are supposed to provide safeguards to protect personal data, these have been widely criticized for being insufficient, especially when compared to the MLAT system. This means that the Cloud Act risks nullifying many of the privacy protections contained in the MLATs and the GDPR.
The Cloud Act has a direct impact on the energy sector, because energy firms on both sides of the Atlantic have expanded their reliance on Cloud computing technologies to store the large quantity of data they are processing. It is becoming highly problematic for companies to store all the data being collected through new ICTs (such as smart meters) in their own data centers. Cloud computing technologies offer clear economic benefits; the global market for Cloud storage in the energy sector was estimated at $1.786 billion in 2017, and is predicted to grow at a compound annual growth rate of 25.68% over the next few years, reaching $7.037 billion by 2023. European energy firms often rely on American Cloud providers to store their data, given that US companies are world leaders in this sector. Even when they do not, any EU-based Cloud computing company that has a branch of activity in the US risks falling under the jurisdiction of the Cloud Act; given the extent of transatlantic trading, this includes the majority of European Cloud providers.
As a result, there is an imminent risk that the Cloud Act could bypass the GDPR and render millions of EU citizens’ personal data vulnerable to interception and surveillance from US federal authorities in most sectors, including the energy sector. In addition to national security concerns, industrial espionage is likely to become more widespread with the adoption of the Cloud Act. Moreover, energy companies and many other sectors that engage in extensive transatlantic trading could become trapped in contradictory legal obligations between the Cloud Act and the GDPR. This potentially exposes them to simultaneous sanctions from both the EU and US federal authorities.
Although it is true that many European energy firms rely on US Cloud providers and have an American market presence, they only become vulnerable to Cloud warrants in the case of a judicial inquiry in the US, which is not a common occurrence. Therefore, most European energy companies are still more concerned about the issue of non-compliance with the GDPR than with the Cloud Act, especially since their main base of operations is in the EU. Nevertheless, the fact remains that if a US judicial inquiry is forthcoming, there is currently no apparent way to avoid a conflict between the legal requirements of a Cloud warrant and the exigencies of the GDPR, which may expose firms to very high sanctions on both sides of the Atlantic.
Different responses to the Cloud Act
There is no easy solution for the EU to respond to the Cloud Act while safeguarding the GDPR. One possibility would be for EU authorities to try and negotiate a bilateral executive agreement with the US, as outlined by the Cloud Act. This might help to contain some of the damage to privacy rights by setting clear and reciprocal conditions for US access to EU citizens’ data and vice versa, including in the energy sector. Nevertheless, it will likely be very challenging for the EU to negotiate such a bilateral executive agreement with the US without violating key provisions of the GDPR. Another solution could be for the EU and member states to rely exclusively on EU-based Cloud providers and achieve ‘digital sovereignty’. In response to the Cloud Act, a number of European energy firms have tried to decrease their reliance on US Cloud providers by privileging ‘local’ Cloud solutions. Yet, the majority of European Cloud providers and energy firms have some form of commercial activities in the US, rendering them vulnerable to Cloud Warrants. Only a small number of European-based providers are totally insulated from the American market, and they would probably not be capable of storing on their own the large amounts of data processed through smart metering.
As a result, the EU should first respond by reinforcing the transatlantic Privacy Shield to ensure that the data of EU citizens transferred to US firms under this agreement is still protected after passage of the Cloud Act. The Privacy Shield Framework aims to replace the former Safe Harbor Agreement, which was struck down by the European Court of Justice in October 2015 for inadequate protection of privacy rights. The new Privacy Shield aims to provide stronger guarantees during transatlantic data exchanges for commercial purposes, including in the energy sector. Although experts agree that the Privacy Shield represents an improvement over its predecessor, advocacy groups still criticize it as insufficient, and it currently faces a number of legal challenges that are likely to increase due to the Cloud Act. In particular, the Cloud Act calls into question the European Commission (EC)’s ‘adequacy determination’ of July 2016. The latter deemed that the Privacy Shield provided an equivalent level of data protection compared to EU law and was therefore adequate for the transfer of EU citizens’ data to the US. Consequently, there is an urgent need for the EU to demand additional guarantees from US federal authorities to ensure that the adequacy determination remains viable. Since President Trump has shown little interest in promoting greater privacy protection however, the Cloud Act could well mark the final demise of the Privacy Shield Framework, absent a clear shift in the policies of the current US administration.
Against this background, it appears that the EU has responded with a realpolitik approach by developing what has been described as a ‘European Cloud Act’. In April 2018, less than one month after the US Cloud Act was ratified, the EC published a legislative proposal outlining new rules in the form of a Directive and a Regulation, dubbed the ‘e-Evidence Initiative’. Like the Cloud Act, the e-Evidence Initiative would provide law enforcement institutions with stronger tools to obtain data stored across national borders, within the context of an investigation. More significantly, it would provide EU authorities with greater powers to obtain data directly from providers, even if they are based outside the EU and irrespective of which entity has custody or possession of the data. Once again, this would directly impact firms in the energy sector, given their increasing reliance on Cloud computing technologies. While the e-Evidence Initiative still needs to be approved by EU legislators in the coming months, it has already sparked significant outcry from advocacy groups.
The fear is that the EU may be preparing to mimic the Cloud Act and the transatlantic rivalry on data protection could turn into a ‘race to the bottom’, with potentially dire consequences for privacy rights on both sides of the Atlantic. It is understandable that the EU is seeking to provide more effective tools for law enforcement agencies in the fight against organized crime and terrorism; likewise, it is important to demonstrate European resolve to the Trump administration. Nevertheless, this should not come at the expense of sacrificing data protection and core European values.
As the e-Evidence Initiative is debated and amended in the coming months, sufficient safeguards must be inserted to ensure adequate protection of privacy rights consistent with the GDPR. It should be noted that both the Cloud Act and the e-Evidence Initiative embody responses to the inefficiency of the existing MLAT system. However, since the latter continues to offer the best safeguards in terms of privacy protection, the EU should seek to improve its legal framework, rather than attempt to bypass it. This means working more closely with partner countries to ensure that MLATs can offer a more rapid and effective structure for international data exchanges.
Overall, the GDPR, the Cloud Act and the e-Evidence Initiative all point to an escalation of the transatlantic rivalry for data protection, with major ramifications for the energy sector in the years to come.