United States: U.S. CLOUD Act's Potential Impact On The GDPR

Last Updated: September 4 2019
Article by Natascha Gerlach and Elisabeth Macher

Responding to a request by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE), the EU's data protection supervisory bodies released an initial joint opinion on the impact of the U.S. Clarifying Lawful Overseas Use of Data Act ("CLOUD Act") on the EU data protection framework.

The preliminary assessment by the European Data Protection Supervisor ("EDPS") and European Data Protection Board ("EDPB") leaves service providers facing a familiar dilemma.

Although the CLOUD Act now makes clear that U.S. disclosure orders have an extraterritorial reach, the EDPS and EDPB see very limited options for service providers to comply with such orders without breaching the EU's General Data Protection Regulation ("GDPR").

Companies will have to carefully consider whether to store data with service providers that may be subject to the Act.

The CLOUD Act

The CLOUD Act, signed into law on March 23, 2018,  updated portions of the 1986 Stored Communications Act ("SCA"), which prescribes the circumstances under which the U.S. government may compel production of remotely stored electronic communications.  Prior to the enactment of the CLOUD Act, the Supreme Court was poised to rule in the Microsoft Corporation v. United States of America case on whether the SCA in its previous form permitted the use of a warrant to obtain electronic communications stored by a U.S. company on foreign servers.

The CLOUD Act rendered this case moot by (i) explicitly stating that the SCA's provisions extend to those held abroad; (ii) establishing a framework for service providers to challenge an SCA warrant; (iii) directing courts to conduct a limited comity analysis when deciding whether to quash a warrant; and (iv) authorizing the United States to enter into executive agreements governing cross-border data requests with foreign governments.1 Notably, however, the CLOUD Act rendered the Microsoft case moot only as it concerns the question of whether U.S. authorities deem its warrants and other court orders to reach information stored abroad:  the flip side – specifically, whether foreign jurisdictions agree that U.S. court orders do not conflict with their data protection laws and therefore can reach data stored in their jurisdictions – remains.

Express Extraterritoriality

Section 103 of the CLOUD Act adds to the SCA Section 2713, which states that a service provider shall disclose information in the service provider's "possession, custody, or control, regardless of whether such . . . information is located within or outside of the United States."2 This extraterritoriality provision aims to reduce barriers for U.S. law enforcement investigations.  Yet, as the Department of Justice ("DOJ") acknowledged in its April 2019 white paper, under Section 2713 of the SCA, service providers may have to answer to two conflicting systems of law when asked by authorities in one jurisdiction to disclose communications that are stored abroad in another.3 

However, the DOJ also stated that the extraterritoriality provision is not a new concept.  Rather, it "makes explicit in U.S. law the long-established U.S. and international principle that a company subject to a country's jurisdiction can be required to produce data the company controls, regardless of where it is stored at any point in time."4  According to the DOJ, even with the CLOUD Act, much remains the same, including (i) the standard under which U.S. authorities may obtain a warrant and (ii) the fact-specific analysis a U.S. court must undertake to determine whether it has personal jurisdiction over a company.5

Mechanism For Quashing A Warrant and Required Comity Analysis

The CLOUD Act provides a way for service providers to challenge or move to quash SCA warrants and requires courts to conduct a limited comity analysis when determining whether to block such warrants.  This "totality of the circumstances" analysis takes into account the interests of both the U.S. and foreign governments and includes factors such as the availability of alternative means to secure the information, and the extent to which compliance with the court order would undermine important interests of the state where the information is located.

Executive Agreements Governing Cross-Border Requests

The CLOUD Act also allows the U.S. Attorney General to enter into executive agreements with foreign governments, when those foreign governments meet certain privacy and human rights requirements.6  These bilateral agreements would permit both the United States and the foreign government to access and share data stored abroad.7

According to the DOJ, these executive agreements may lift barriers to reciprocal data sharing (pursuant to qualifying orders in certain types of criminal cases) and may address the concern that many global service providers have about potential liabilities that would stem from violating the disclosure laws of one country when compelled by another to disclose.     

Notably however, the DOJ has also emphasized that an executive agreement in and of itself would not (i) impose new obligations on service providers, (ii) establish the U.S. government's or the foreign government's jurisdiction over service providers, or (iii) require either government to compel a service provider to disclose.  Rather, "[t]he only legal effect of a CLOUD agreement is to eliminate the legal conflict," (as it concerns qualifying orders) that would exist between U.S. law and foreign law absent the executive agreement.8 Ultimately, the executive agreement would require only what is negotiated and agreed to by the U.S. and the foreign government, although any executive agreement would likely "permit U.S.-based global [service providers] to respond directly to foreign legal process in many circumstances."9 Of course, if the U.S. or a foreign government seeks data that falls outside of the executed executive agreement, "[the] countr[y] may continue to use their existing legal process . . . but may continue to face a conflict of laws in those circumstances."10  Currently, the United States and EU Member States have not entered into any executive agreement under the CLOUD Act.

Legal Assessment of the EDPS & EDPB

Although the CLOUD Act makes clear the United States' view on whether U.S. warrants under the SCA apply to data stored abroad, the GDPR imposes strict rules on data processing11 and transfers of data abroad. The European Commission ("EC") already emphasized in their amicus brief submitted in the Microsoft case that, under Article 48 GDPR, "a foreign court order does not, as such, make a transfer lawful" under EU data protection laws.12

The EDPS and EDPB have now undertaken a detailed analysis of the legality of complying with U.S. warrants from an EU data protection perspective ultimately recommending that the EU seek a dedicated international agreement with the United States.13

General Assessment

The EDPB and EDPS joint opinion re-affirmed the Commission's view: the request of a U.S. authority alone does not constitute a legal basis for transferring data to the United States.  Absent a legal basis grounded in EU or Member State law, service providers disclosing personal data located in the EU in order to comply with a U.S. warrant or  subpoena may run afoul of the GDPR. 

Article 48 GDPR states that a foreign court order can only be recognized "if based on an international agreement such as a mutual legal assistance treaty, in force between the requesting third country and the Union or Member State." 

The EDPB already emphasized in previous guidance on the derogations of Article 49 GDPR that "[i]n situations where there is no international agreement [. . .], EU companies should generally refuse direct requests and refer the requesting third country authority to an existing mutual legal assistance treaty or agreement."14

However, under the CLOUD Act, U.S. authorities would not need to go through the – potentially lengthy15 – judicial assistance procedure laid out by the current mutual legal assistance treaty ("MLAT") or any other international agreement undertaken by way of the CLOUD Act's executive agreements provision, but could directly address the U.S. company to produce data stored in the EU.  Service providers subject to the jurisdiction of U.S. courts will be compelled by a U.S. court order alone and refusal will likely result in adverse consequences.16

The EDPS and EDPB point out that the extraterritorial application practically invites U.S. authorities and courts to bypass the MLAT currently already in place between the United States and the EU17 in favor of responding to requests directly regardless of data location.

However, in the absence of the MLAT procedure or a treaty signed via the executive agreement provision of the CLOUD Act, EDPB and EDPS also make clear that service providers subject to EU law cannot legally base the disclosure and transfer of personal data to the United States on foreign orders or requests.18

According to the EDPS and EDPB, service providers must then apply the standard two-step process under the GDPR for determining whether they can lawfully comply with the request for disclosure:  (i) a legal basis for processing the personal data (as set out in Articles 6 and 9 of the GDPR) must exist and (ii) a means by which the transfer to the United States can be lawfully made, such as meeting the requirements of an Article 49 GDPR derogation, must be established.

Step 1:  Lawfulness of Processing under Article 6

Regarding the lawfulness of data processing, i.e., the disclosure of the data as such, the EDPB and EDPS examined (and discarded) a number of potential legal bases under Article 6 GDPR.  Most notably, the authorities held that (i) the service provider cannot rely on the processing being "necessary for compliance with a legal obligation" pursuant to Article 6(1)(c) GDPR, since a request from a U.S. authority is only enforceable if based on an international agreement, such as an MLAT; (ii) service providers can only claim, in exceptional circumstances, that the processing is "necessary in order to protect the vital interests of the data subject," e.g. in cases concerning abducted minors; and (iii) the disclosure of data is not "necessary for the performance of a task carried out in the public interest" pursuant to Article 6(1)(e) GDPR, since an order under the CLOUD Act does not qualify as "public interest" in the EU.

While in many instances of data transfers from the EU/EEA to the United States in the context of (civil) litigation and investigations, undertakings will rely on such processing being "necessary for the purposes of its legitimate interests" in accordance with Article 6(1)(f) GDPR, the EDPS and EDPB have discarded this legal basis for processing in response to the request from a U.S. court or authority under the CLOUD Act for data covered by the GDPR. While the undertaking as the controller may have a legitimate interest in complying with the U.S. law enforcement request (e.g., avoiding sanctions under U.S. law) and in the prevention and detection of potential criminal acts, the EDPB and EDPS see such an interest as overridden by the interests and fundamental rights and freedoms of the person whose information is being sought. The EDPS and EDPB considered, in particular, that without the protective nature of an internationally agreed framework, the data subject in law enforcement matters could be deprived of their right to an effective remedy guaranteed in Article 47 of the Charter of Fundamental Rights of the European Union. It is also conceivable that the transfer of data may lead to prosecution for acts not sanctioned in their own country (dual criminality principle).19 

The EDPB and EDPS further stressed that "the compelling nature" of the U.S. law enforcement request and the limited information flow connected with such requests run afoul of the obligations a controller would have toward the data subject under the GDPR (in particular, transparency), which in turn are directly linked to the data subject being able to exercise the rights bestowed on him or her by the GDPR.

Step 2: Derogations for Transfers under Article 49

Apart from the legal basis for the transfer as an act of processing under the GDPR, the two-step process also requires that Chapter 5 GDPR20 be satisfied where the transfer is to third countries such as the U.S.  As the generally required safeguards are unlikely to apply in this context, the EDPB and EDPS focused on derogations provided for in Article 49 GDPR, with emphasis on a strict interpretation, "so that the exception does not become the rule."21

In particular, the EDPB and EDPS held that (i) the transfer would not be "necessary for important reasons of public interest" pursuant to Article 49(1)(d) GDPR, since the public interest of a third country such as the U.S. is of no consequence to the GDPR; and (ii) it is generally not "necessary for the establishment, exercise or defense of legal claims" pursuant to Article 49(1)(e) GDPR, unless there is a close link between the data transfer and a specific procedure.

Finally, the EDPS and EDPB considered the legitimate interest derogation somewhat hidden in Article 49(1) sent. 2 GDPR, but concluded that due to the higher threshold compared to Article 6(1)(f) GDPR and the requirement for notifications to all data subjects and the data protection authorities, which will often be prohibited by the warrant, this is unlikely a valid basis for a transfer. In particular the additional condition of suitable safeguards for the protection of the data will be difficult, if not impossible, to implement for an undertaking in the face of a CLOUD Act request.

Recommendation of the EDPB and EDPS

As a result, the EDPS and EDPB strongly recommended that an international agreement be concluded between the EU and the United States, containing sufficient personal data protection provisions on which the disclosure and transfer of such data could be based in the future.

Absent such an agreement, the lawfulness of complying with a U.S. warrant cannot be ascertained, creating legal uncertainty for businesses and data subjects.

Key Takeaways

The EDPS and EDPB raised questions regarding the scope of certain provisions of the CLOUD Act still to be clarified. In particular, the bodies raised questions regarding the CLOUD Act's application to EU undertakings with a U.S. presence,  or EU undertakings that are affiliated with U.S.-based entities. The latter will depend on the application of the concept of "custody or control" over the data in question.

By clarifying that U.S. authorities can use a warrant for criminal cases to reach into foreign jurisdictions to obtain personal data, where it does apply, the CLOUD Act ultimately leaves undertakings subject to the GDPR between the same rock and hard place as before the Act went into effect.

Another open field of question is the option of challenging a CLOUD Act order and the related comity analysis.  Notably, the concept of pre-enforcement challenges and comity analyses is not altogether novel.  The CLOUD Act's introduction of a procedure for pre-enforcement challenges to SCA warrants and a requisite comity analysis puts the SCA warrant procedure on equal footing with well-established procedures for enforcing subpoenas and civil discovery requests regarding information held abroad by entities otherwise subject to U.S. jurisdiction.22

The CLOUD Act provides limited avenues to quash warrants issued under it, particularly where the data might relate to persons not located in the United States, or where laws of countries are violated which have entered into executive agreements with the United States. This leaves open the question of whether a challenge could be brought in the case of a data subject's dual citizenship (if the provider even had that information) and whether an objection could be raised under common law comity at present, since no agreements have yet been entered into under the CLOUD Act.23

While the comity analysis the U.S. Supreme Court outlined in Aerospatiale24 could also provide useful guidance in this context, historically U.S. courts have been quick to favor compliance with the order over important interests of the jurisdiction in which the information is located such as European privacy laws or blocking statutes. It is too early to tell if this will change now that the GDPR has become effective.25 Further guidance on the factors of the comity analysis to be applied with due deference to fundamental rights protected by sovereign nations outside the United States would certainly be desirable.

Any agreement to be negotiated now, apart from being more nimble than the current MLAT proceedings, would have to address the question of enforcement in the Member States where the request is served, as well as include sufficient safeguards to ensure due access to legal remedies for data subjects and provisions for the potential of onward transfers.

Finally, the  opinion should be read in its context – an initial legal assessment of the impact of the CLOUD Act for U.S. law enforcement requests on data governed by the GDPR or Member State data protection law.  While the EDPB and EDPS emphasized that it should be seen against the larger background of international cross-border access to electronic evidence as well,26 it should still be read in the context of criminal enforcement.  This should also inform the reading of the legal assessment presented for Article 6(1)(f) GDPR (legitimate interest) where the potential consequences of the data processing for the data subject in the absence of a protective framework would outweigh the undertaking's legitimate interest especially where transparency requirements could not (or not fully) be complied with.

Footnotes

1 For further analysis of the CLOUD Act, see CLOUD Act Establishes Framework To Access Overseas Stored Electronic Communications, Cleary Gottlieb Alert Memorandum (Apr. 4, 2018), https://www.clearygottlieb.com/blishes-framework-to-access-overseas-stored-electronic-communications.pdf.

2 CLOUD Act § 103(a)(1); to be codified at 18 U.S.C. § 2713.

3 Promoting Public Safety, Privacy, and the Rule of Law Around the World:  The Purpose and Impact of the CLOUD Act 2, U.S. Dep't of Just. (Apr. 2019) [hereinafter "DOJ White Paper"], https://www.justice.gov/opa/press-release/file/1153446/download.

4 Id. at 3.  See also id. at 2-3, 6 n.3 ("The Convention on Cybercrime (also called the 'Budapest Convention') requires each of the more than 60 countries . . . to maintain the legal authority to compel companies in their territory to disclose stored electronic data under their control pursuant to valid legal process, with no exception for data the company stores in another country. . . .  [and] Australia, Belgium, Brazil, Canada, Colombia, Denmark, France, Ireland, Mexico, Montenegro, Norway, Peru, Portugal, Serbia, Spain, [and] the United Kingdom" assert such authority.")

5 Id. at 8.  For further analysis of the DOJ White Paper, see DOJ Releases White Paper Addressing Scope & Implications of CLOUD Act, Cleary Cybersecurity and Privacy Watch post, (Apr. 18, 2019), https://www.clearycyberwatch.com/2019/04/doj-releases-white-paper-addressing-scope-implications-of-cloud-act/.

6 The foreign government must "afford[] robust substantive and procedural protections for privacy and civil liberties in light of the data collection."  Factors to be considered in making this determination include (i) "adequate substantive and procedural laws on cybercrime and electronic evidence" as detailed in the Budapest Convention; (ii) "respect for the rule of law and principles of nondiscrimination"; (iii) "adher[ence] to applicable international human rights obligations"; (iv) "clear legal mandates and procedures" for the collection, retention, use, and sharing of data, and "effective oversight of these activities"; (v) "sufficient mechanisms to provide accountability and appropriate transparence regarding the collection and use of electronic data"; and (vi) " [a] demonstrate[d] commitment to . . . the global free flow of information and the open . . . Internet", CLOUD Act § 105(a) amending 18 U.S.C. § 2523(b). 

7 While U.S. courts have compelled disclosure of data from foreign jurisdictions in U.S. proceedings, the reverse is not the case. Ironically, the SCA itself prevents disclosure in foreign proceedings by allowing only very limited derogations under which a service provider can disclose, excluding foreign discovery requests. See Suzlon Energy Ltd. V. Microsoft Corp. 671 F.3d 726, 728-29 (9th Cir. 2011).

8 DOJ White Paper at 5.

9 Id. at 4.

10 Id. at 12.

11 "Processing" means any operation which is performed on personal data, including its collection, use, disclosure, storage and erasure (Article 4(2) GDPR). 

12 Brief of the European Commission on behalf of the European Union as amicus curiae, United States of America v. Microsoft Corporation, Case No. 14-2985, at 14 (Dec. 13, 2017); see also GDPR, Recital 115.

13 Initial legal assessment of the impact of the U.S. CLOUD Act on the EU legal framework for the protection of personal data and the negotiations of an EU-US Agreement on cross-border access to electronic evidence, July 10, 2019, in response to a request by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs, available at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_edps_joint_response_us_cloudact_coverletter.pdf (cover letter); https://edpb.europa.eu/sites/edpb/files/files/file2/edpb_edps_joint_response_us_cloudact_annex.pdf (analysis).

14 EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, p. 5.

15 The EDPB and EDPS acknowledge that a "new generation" of MLATs should be implemented, "allowing for a much faster and secure processing of requests in practice."

16 Similar to the district court's ruling in Microsoft, a U.S. court could hold the noncompliant service provider in contempt of court. See Microsoft Corp. v. United States, 829 F.3d 197, 200-01 (2d Cir. 2016).  However, it remains to be seen how courts will deal with noncompliant service providers in instances where they do not produce data after failing to quash or modify the request from U.S. authorities in court. 

17 Agreement on mutual legal assistance between the European Union and the United States of America, Official Journal L 181 , 19/07/2003 P. 0034 – 0042. .

18 The EDPB and EDPS point out that neither the EU-US Privacy Shield adequacy decision, nor the EU-US Umbrella Agreement (which only applies to requests between authorities, not requests issued by an authority to a company) are applicable to service providers being directly addressed by U.S. law enforcement authorities.

19 On the other hand, it is perhaps conceivable that in cases where the behavior is sanctioned in either country, this would weigh in favor of a transfer.

20 Chapter 5 GDPR sets out principles and prerequisites for the transfer of personal data to third countries.

21 Opinion p.6.

22 See Société Nationale Industrielle Aérospatiale v. United States District Court, 482 U.S. 522 (1987) (established the five factor balancing test under which U.S. courts can compel production of information held abroad).

23 See also opinion p. 2

24 Id.

25 Although the recent Finjan decision seems rather to indicate business as usual.

26 Opinion, p. 9

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions