60. What is the aim of Article 32?

Article 32 of the Data Act ensures that customers of cloud service providers that choose to store their non-personal data in the EU are protected from having their data unlawfully accessed by or transferred to non-EU governments. To this end, the cloud service provider must put in place all adequate technical, organisation and legal measures in order to prevent unlawful or illegitimate government access to or transfer of the customer’s data (cf. Article 28). An unlawful access to or transfer of data may occur when such access or transfer would clash with obligations under EU or Member State law, such as regarding the protection of fundamental rights of the individual, or the protection of commercially sensitive data, including trade secrets and intellectual property rights (cf. Recital 101). In case of access or transfer request made by a third country authority to a customer’s non-personal data, the cloud service provider is obliged to verify its lawfulness. Lawfulness exists, for instance, where the request is based on an international agreement such as a mutual legal assistance treaty. In the absence of an international agreement, the request must comply with certain procedural safeguards that are aligned with fundamental rules and norms in the EU legal order, such as proportionality of the request and judicial review. The definition of ‘government’ or ‘public authority’ should not be too narrow when evaluating whether a particular body falls in that category.