Wednesday, January 4, 2012

Can European Firms Legally Use U.S. Clouds To Store Data?

Guest post written by Patrick Baillie

Patrick Baillie is CEO of CloudSigma.


A top concern of moving to the cloud, particularly in Europe, is the patchwork of laws that leave many unsure of how to proceed. In Europe, a very stringent legal framework is in place with criminal sanction for companies and individuals that break EU data protection laws. Access to and sharing of EU citizens’ personal data is tightly controlled, including requirements for notification of data releases. In the U.S., while data laws are significantly more flexible, frameworks do exist, meaning European companies operating there also need to comply with U.S. laws.

In particular, laws such as the U.S. Patriot Act have further complicated the situation. Both Amazon Web Services and Microsoft have recently acknowledged that they would comply with U.S. government requests to release data stored in their European clouds, even though those clouds are located outside of direct U.S. jurisdiction and would conflict with European laws. Does this mean, however, that European companies and individuals using U.S.-company-operated clouds are breaking EU law?

Key Factors: Location and Control

There are two important factors affecting the treatment of data. Firstly, knowing where it is physically located, as this determines the legal jurisdiction presiding over that data. For example, data stored in Germany is subject to German and EU law, whereas data stored in the U.S. is only subject to U.S. law. It’s also important to consider where customer records are kept, as sometimes they may be replicated beyond the raw data storage. For example, a company operating a public cloud may hold uploaded data in one place (the main published cloud location), but keep copies at its corporate HQ, which may be in another country.

Secondly, knowing who controls the data is key as some country laws place obligations on companies beyond that country’s borders. For example, since a U.S. company operating in Europe is still subject to the U.S. Patriot Act, the European customers using those services are exposing themselves to U.S. jurisdiction. It’s important to note that subsidiaries of U.S. companies are also subject to the same U.S. data access abroad.

The combination of these two factors reveals the legal framework that any data is subject to, making it imperative to study data protection implications before moving to the cloud.

Implications of the U.S. Patriot Act in Europe

European law strictly mandates the treatment of EU private citizens’ data with strong sanctions against breaches. Additionally, there are clear and specific notification requirements if data is shared with third parties. In contrast, the U.S. Patriot Act requires U.S. companies (and their foreign subsidiaries) to comply with U.S. government data requests regardless of location, provided that data is under the control of a U.S. company. Furthermore, by the same U.S. law, such data sharing is not allowed to be revealed to a third party, directly conflicting with European disclosure requirements.

No comments:

Post a Comment