Foreign clouds in the European sky: how US laws affect the privacy of Europeans

This article presents a general analysis of how user autonomy in the cloud is increasingly put into jeopardy by the growing comfort and efficiency of the user-interface. Although this issue has not been, thus far, explicitly addressed by the law, it is a fundamental ethical question that should be carefully assessed to guide the future deployment of cloud computing. Different policy decisions might, in fact, significantly affect users’ fundamental rights and online freedoms by shifting the balance from one part or another of the trade-off. This article aims to explore emerging trends in cloud computing technologies and analyse them from an ethical perspective to identify the issues they might raise, and the extent to which current laws and regulations actually take these issues into account.


UNITING AND STRENGTHENING AMERICA BY PROVIDING APPROPRIATE TOOLS REQUIRED TO INTERCEPT AND OBSTRUCT TERRORISM (USA PATRIOT) ACT
The USA PATRIOT Act - enacted shortly after the attacks of September 11, 2001 - is particularly problematic in this regard. Conceived as a means to facilitate the prevention of terrorism, it is, however, also likely to jeopardise the privacy and confidentiality of data crossing international boundaries. Indeed, several provisions of the PATRIOT Act are known to clash with various aspects of European data privacy laws insofar as they allow for U.S. authorities to legally request access to foreign personal data stored or transferred into the U.S. Specifically, section 217 of the Act reserves U.S. government agencies the right to monitor online communications as long as previous authorisation has been granted by the owner of a "protected computer" - a term which includes systems used in "interstate or foreign commerce or communication." This essentially means that, provided that the service provider agrees, U.S. authorities could theoretically request access to any information stored in U.S.-based cloud computing platforms (such as those of Google, Apple, Amazon or Facebook) for the purpose of law enforcement. The issue was publicly acknowledged by Gordon Frazer, Microsoft U.K.'s managing director, who publicly admitted that "Microsoft cannot guarantee that EU-stored data, held in EU-based datacenters, will not leave the European Economic Area under any circumstances," and "neither can any other company" whose headquarters are subject to U.S. laws.[2]
Google confirmed this statement, by subsequently admitting that the company received numerous requests to hand over EU citizens' data to U.S. intelligence agencies - and was compelled to comply under U.S. law.[3] In response to that, a series of legislative or institutional measures have been taken in different parts of the world (such as Canada[4], Germany[5], France[6], Spain[7] etc.) to reduce the likelihood of personal data being illegitimately exported to third countries. At the European level, the Data Protection Directive[8] (article 25) established strict rules regulating the transfer of personal data to countries outside of the European Economic Area (EEA), unless those countries have been specifically acknowledged by the European Commission as providing an adequate standard of protection.[9] While the U.S. does not belong to this category, cross-border cooperation between Europe and the U.S. has been promoted by non-legislative measures and self-regulation. Most relevant in this regard are the Safe Harbour principles[10] aimed at facilitating the transfer of personal data from and to U.S. service providers (including cloud operators) which agree to comply with an adequate standard of data protection. Although based on voluntary codes of conduct, failure to comply with the agreed principles can be actioned by the U.S. Federal Trade Commission. Violations can be punished with a fine of up to $12,000 per day and persistent failure to comply could eventually lead to the institution or organisation becoming ineligible to use the safe harbour again.[11] Yet, since most cloud operators are companies governed by U.S. law, they cannot guarantee that the data they host will not be handed over to U.S. authorities as a result of governmental requests. Many European institutions (and citizens) might thus decide to rely exclusively on cloud services provided by online operators that might preclude any attempt by foreign governments to access their personal data by ensuring that such data will only be stored and processed in European data centres. Following in the footsteps of Amazon and Microsoft, which let users select EU-based data centres in which to store their data, Google recently updated its platform to let companies only keep their data within European borders (although it does not yet allow them to select the exact location on a national basis).

THE U.S. FOREIGN INTELLIGENCE AND SURVEILLANCE ACT
The USA PATRIOT Act is only one part of the problem. Most of the safeguard measures described so far are pointless when faced with a much more intrusive (and yet, much less debated) piece of U.S. legislation: the Foreign Intelligence and Surveillance Act (FISA), which establishes special procedures for conducting physical searches and electronic surveillance of individuals allegedly involved in international espionage or terrorism against the United States of America. Enacted in 1978, the FISA was subsequently amended in 2008 with the Foreign Intelligence Surveillance Amendments Act (FISAA), which relaxed some of the requirements prescribed by the FISA, thereby facilitating the surveillance of foreign electronic communications (Title VII). Scheduled to expire on December 31, 2012, these provisions have recently been extended for another 5 years, to last until December 31, 2017.
By defining an "electronic communication service" as also including "remote computing services," the provisions of the FISAA can now be relied upon to retrieve and inspect data or electronic communications exchanged in the realm of cloud computing. Particularly relevant for the purpose of this analysis is section 1881a, which introduces the possibility for the U.S. government to monitor foreign communication and access data of foreign citizens located outside of the U.S., without the need for a warrant (a requirement that by virtue of the Fourth Amendment, would only apply to U.S. citizens). As such, the FISAA raises important challenges to EU data sovereignty and could seriously affect the privacy of European citizens. Indeed, not only does it enable U.S. government agencies to intercept phone calls and other in-transit communications, it also allows them to request access to foreign citizens' data located in any data centre within the range of U.S. jurisdiction, without prior notice or consultation.
March 2013 | Volume 2 | Issue 1
As Thilo Weichert, data protection officer of the German state of Schleswig-Holstein puts it, today, "the long arm of US law stretches as far as Europe": the FISAA could effectively force U.S. companies to disclose EU citizens' data (including personal data) without properly informing them of the matter.
While FISAA did not - until recently - receive extensive media coverage, it recently generated considerable controversy and eventually attracted the attention of European authorities. The implications of U.S. legislation on the fundamental rights of EU citizens have been recently analysed in an EU report entitled "Fighting cyber crime and protecting privacy in the cloud"[12] commissioned by the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) to analyse the impact of cloud computing on EU strategies and policies with a focus on data protection. The report examines the challenges raised by cloud computing on the right to privacy and data protection, the issues of jurisdiction, responsibility and the regulation of data transfers between countries. It emphasizes that "where cloud computing is possibly most disruptive is where it breaks away from the forty-year-old legal model for international data transfers, jeopardising the rights of the EU citizens." Hence, "from a legal perspective, the challenge of jurisdiction is central." The report also draws attention to the potential loss of EU sovereignty deriving from the fact that data stored in any data centre operated by U.S. companies could be subject to mass surveillance by the U.S. government: "lack of legal certainty surrounding the [...] legal frameworks of cloud-based investigations, as well as inadequate tools to safeguard privacy and data protection increase the potential for misuses and abuses by law enforcement actors and agencies." In this regard, Caspar Bowden (co-author of the report, and former policy adviser to Microsoft) strongly criticised the FISAA for giving carte blanche to U.S. government agencies which - in the name of security and the fight against terrorism - are entitled to track down any type of activities, including ordinary lawful democratic political activities that could potentially further foreign policy interests of the U.S.
The report concludes that appropriate measures should be taken to ensure that EU citizens are properly informed of the fact that personal data exported into the cloud will be more easily accessible by the U.S. government, and suggests that the violation of users' fundamental right to privacy by any online cloud operator should be considered a cyber-crime punishable under the law.
The findings of this report have been examined during a debate on cyber-security held at the European Parliament on February 20th, 2013, with a view to identifying which measures should be taken to protect privacy in the cloud, in light of the recent extension of the FISAA. While recognising the dangers of the US government spying on EU citizens' data, the parliamentary committee regarded the proposed measures as being too drastic, declaring that "the basic framework of the cloud computing strategy is set and won't be changing." In particular, article 13 of the draft Cybersecurity Directive provides for the EU to cooperate with third parties for the sake of cyber-security - and such cooperation could, in theory, also include data sharing.

THE NEED FOR AN INTERNATIONAL DATA PROTECTION FRAMEWORK
While the revised European Data Protection Regulation may introduce new measures aimed at reducing the risks of EU citizens' data being handed over to the U.S. government, Sophia Veld (vice-chair of the LIBE committee and member of the Dutch social liberal party Democraten 66) expressed her concern that European authorities might not be properly addressing these issues for fear of standing up against U.S. authorities. Besides, the situation is further complicated by the fact that European intelligence services could actually benefit from the surveillance activities of the U.S. government in order to obtain information that they could not request under European law.[13] At this time, therefore, in order to preserve their privacy online, European citizens shall store their data exclusively on European cloud computing platforms operated by EU-based service providers (e.g., CloudSigma, T-Systems, Gandi, or OVH, to name just a few). Such a strategy could, however, significantly slow down cloud adoption in the EU. Besides, while it constitutes a viable option for citizens living within the EU, a similar strategy cannot be implemented by non-EU residents, who are ultimately subject to the laws of the country they live in. Indeed, even the recent proposals for new data protection regulations in Europe do not address the issue of potential conflicts posed by the laws of third countries.
In a global and increasingly connected online world, preserving the privacy of EU citizens might therefore require the establishment of a more comprehensive framework of international rules when it comes to privacy and data protection, but also, more generally, an improved system of internet governance, with more sophisticated models of laws and/or standards which are properly adapted and constantly updated to the latest advancements in cloud computing.

FOOTNOTES
12. Fighting cyber crime and protecting privacy in the cloud, October 2012.
13. As Jan Phillip Albrecht, member of European Parliament working on EU data protection regulations, points out: "European intelligence services and the police are of course happy to be provided data on European citizens by the US. They could not obtain this data under European law".