Can European Firms Legally Use U.S. Clouds To Store Data?

This article is more than 10 years old.

Guest post written by Patrick Baillie

Patrick Baillie is CEO of CloudSigma.

A top concern of moving to the cloud, particularly in Europe, is the patchwork of laws that leave many unsure of how to proceed. In Europe, a very stringent legal framework is in place with criminal sanction for companies and individuals that break EU data protection laws. Access to and sharing of EU citizens’ personal data is tightly controlled, including requirements for notification of data releases. In the U.S., while data laws are significantly more flexible, frameworks do exist, meaning European companies operating there also need to comply with U.S. laws.

In particular, laws such as the U.S. Patriot Act have further complicated the situation. Both Amazon Web Services and Microsoft have recently acknowledged that they would comply with U.S. government requests to release data stored in their European clouds, even though those clouds are located outside of direct U.S. jurisdiction and would conflict with European laws. Does this mean, however, that European companies and individuals using U.S.-company-operated clouds are breaking EU law?

Key Factors: Location and Control

There are two important factors affecting the treatment of data. The first is knowing where the data is physically located, as this determines the legal jurisdiction presiding over it. For example, data stored in Germany is subject to German and EU law, whereas data stored in the U.S. is only subject to U.S. law. It’s also important to consider where customer records are kept, as they may be replicated beyond the raw data storage. For example, a company operating a public cloud may hold uploaded data in one place (the main published cloud location), but keep copies at its corporate HQ, which may be in another country.

The second is knowing who controls the data, as some countries' laws place obligations on companies beyond that country's borders. For example, since a U.S. company operating in Europe is still subject to the U.S. Patriot Act, the European customers using those services are exposing themselves to U.S. jurisdiction. It’s important to note that subsidiaries of U.S. companies are also subject to the same U.S. access to data held abroad.

The combination of these two factors reveals the legal framework that any data is subject to, making it imperative to study data protection implications before moving to the cloud.

Implications of the U.S. Patriot Act in Europe

European law strictly mandates the treatment of EU private citizens’ data with strong sanctions against breaches. Additionally, there are clear and specific notification requirements if data is shared with third parties. In contrast, the U.S. Patriot Act requires U.S. companies (and their foreign subsidiaries) to comply with U.S. government data requests regardless of location, provided that data is under the control of a U.S. company. Furthermore, by the same U.S. law, such data sharing is not allowed to be revealed to a third party, directly conflicting with European disclosure requirements.

Based on these facts, a U.S. company (or local subsidiary) controlling data in Europe must comply with EU data protection and notification laws, but is also subject to the onerous U.S. Patriot Act requirements, which are incompatible. In such a situation, it’s reasonable to assume that a company would comply with its 'home' jurisdiction, particularly if data disclosures are required to be private. U.S. companies controlling EU citizens’ data in Europe are therefore in an impossible situation if they have to release data under the U.S. Patriot Act. The Safe Harbor Framework, designed to avoid this, has proved ineffective, as recently admitted by major U.S. companies operating in Europe.

So, the question remains – for companies holding EU citizens’ data in Europe, does placing such data under the control of a U.S.-based entity expose them to legal consequences? The simple answer is yes. If a German company were to place their customers’ data under the control of a U.S. entity or subsidiary, they could be held liable for any subsequent data release.

Bias Against U.S. Companies

Europe has often been criticized, with some justification, for trying to limit competition from large, incumbent U.S. technology companies. However, it’s clear that the U.S. approach, which post-dates the EU framework, has put U.S. companies at a major disadvantage to non-U.S. companies within Europe. As a result, there’s strong reticence among many European companies toward using U.S.-company-operated public clouds.

Currently, more than 90% of the cloud market in Europe is controlled by U.S. companies and their local European subsidiaries, meaning that within Europe a significant number of cloud customers are European-based companies. This creates an extremely fragile situation if, for example, a fulfilled U.S. access request were to affect EU citizens, with legal implications for whichever company put that data into the cloud. This could create a snowball effect. Likewise, for those that understand the current situation, it can be an obstacle to using the cloud at all.

This Isn't a Cloud Problem

Such issues around data protection and legal frameworks are often used as an excuse not to adopt the cloud, but what many companies don’t realize is that they are already potentially exposing themselves to the same problems. Using a data center owned or operated by a U.S. company arguably exposes that data to the same U.S. access framework as putting such data in a U.S.-controlled cloud. Many customers only start to examine this situation when they decide to move to the cloud, but in reality many have already been in this predicament before then.

So, really, the problem of data protection laws and frameworks has nothing specifically to do with the cloud; it arises whenever a company places its data with a third party. Moving to a cloud environment definitely involves using a third party, but many may have already gone down this route – for example, by using co-location datacenter space.

A Call for Transparency and Better Data Structuring

Regardless of the laws that exist, cloud companies should strive to be transparent about where they store data and customer records, and how they’re handled. Many cloud companies have been guilty of preaching 'location doesn't matter in the cloud'; however, this is patently not the case.

Cloud companies need to consider location and how data is moved and stored when they design their systems, preferably allowing customers to control where their data and records end up. Transparency and good cloud architecture can significantly help customers comply with requirements for data protection, particularly in Europe. Cloud companies need to embrace this challenge if cloud adoption is to continue to grow and break out from its current user base.