The digitalization in the public sector of Sweden has given rise to legal questions regarding under which circumstances authorities can use service providers without violating the applicable law of Sweden.
One source of confusion has been the interpretation of the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”), which allows U.S. law enforcement to request access to data from service providers subject to U.S. jurisdiction. This regardless of where the data is stored.
As the U.S. Department of Justice (“DOJ”) explains in an April 2019 White Paper, the CLOUD Act does not expand U.S. law enforcement authority, nor does it extend U.S. jurisdiction. The Act merely serves to establish what has been long standing law in the U.S. The DOJ also points to the fact that the CLOUD Act is consistent with international principles regarding the fight against cybercrime.
However, in a legal statement published in October 2018, eSamverkansprogrammet (“eSam”) declared that confidential information made technically available to a service provider is deemed to have been disclosed if, by reason of ownership or otherwise, the service provider is bound by rules in another country under which the service provider may be required to provide the confidential information, without reference to an international legal treaty or other legal basis under Swedish law. This legal statement published by eSam differs significantly from a previous legal statement published by the same group in 2015 regarding information made technically available to a service provider.
The European Commission recognizes that more than half of all criminal investigations today require access to cross-border electronic evidence and that the U.S. is one of the main recipients of Mutual Legal Assistance Treaty ("MLAT") requests from the EU. As the European Commission finds the MLAT process to be slow, initiatives have been taken to negotiate an agreement between the EU and the U.S. regarding cross-border access to electronic evidence for judicial cooperation in criminal matters.
We believe there are good reasons to challenge the legal statement published by eSam in October, as the statement is too general and sweeping. The proper use of cloud services needs to be carefully analyzed on a case-by-case basis and we find support for the use of such services in applicable Swedish legislation (including GDPR) and case law. To read more, download the memorandum.