The main focus of the third issue of the French Revue Critique de Droit International Privé for 2019 is on the interaction between the EU GDPR and the US Cloud Act. It offers four articles discussing various aspects of the topic.
Marie-Élodie Ancel (Paris-Est University) explores the implications of the “margin of manœuvre” under the GDPR (D’une diversité à l’autre. A propos de la « marge de manœuvre » laissée par le règlement général sur la protection des données aux Etats membres de l’Union européenne)
The General Regulation on Data Protection is a strange object. It is a regulation by essence but a directive on the edges, “marginally”. It claims to be general, but it is not exhaustive. Strongly driven by unilateralism, it is still receptive to the virtues of bilateralism. It is a dialectic on its own. This paper is based on some examples showing that the margins left to Member States can lead to deadlocks. The way to overcome them probably lies in differentiated approaches.
Patrick Jacob (Versailles Saint Quentin University) discusses the jurisdiction of states with respect to personal data (La compétence des Etats à l’égard des données numériques. Du nuage au brouillard … en attendant l’éclaircie ?)
The rise of the Microsoft/Ireland dispute, followed by the enactment of the Cloud Act and the ensuing European reactions provide another illustration of the way the digital economy and its evolution affect the rules governing States’ jurisdiction. Developments in States’ practices make it possible to progressively set out the kind of nexus they consider the more relevant in order to affirm their jurisdiction over digital data. Nevertheless, the remaining disagreements among them will lead to conflicts that could only be solved through international agreements, necessary to restore legal certainty.
Régis Bismuth (Sciences Po Law School) compares the Cloud Act with the proposal for the E-evidence regulation (Le Cloud Act face au projet européen E-evidence : confrontation ou coopération ?)
Enacted by the US Congress in March 2018, the Cloud Act regulates cross-border access to electronic evidence in US criminal proceedings. While strongly criticized in Europe for its extraterritoriality, which besides deserves to be nuanced, the European Commission, on the same matter, released its E-evidence regulation proposal which relies on similar mechanisms. Although these two unilateral initiatives do not seem compatible one with another, they may serve as a basis for an EU/US cooperative framework and can even provide an opportunity to shape a global law on the cross-border access to electronic evidence.
Finally, Théodore Christakis (Grenoble University) wonders whether compliance with the Cloud Act conflicts with the GDPR (La communication aux autorités américaines de données sur la base du Cloud Act est-elle en conflit avec le règlement général sur la protection des données ?)
It is debated whether the EU’s general regulation on data protection of 25th May 2016 (GRDP), applicable as from 25th May 2018, prevents a firm that has been the addressee of an injunction form an authority in the US from communicating personal data held within EU territory. Does the fact that the US CLOUD Act allows such injunctions irrespective of where the data are located create a conflict with the GRDP? At the heart of this debate are articles 48 and 49 of the latter text, whose content is less than clear. In order to contribute usefully to this discussion, this study aims at clarifying the meaning of these articles, with a specific focus on the thrust of article 49(1)(d) of the GRDP, that provides for a derogation for important reasons of public policy.
Finally, the issue features two short articles concerned with cross-border recovery of administrative claims in the EU and personal status in francophone sub-saharan Africa.
The full table of contents can be found here.