Steptoe Cyberblog

Cloudy With a Chance of Exploitation

Posted in Cloud Computing, Privacy Regulation

With all the controversy surrounding the leaks regarding the PRISM program, there is at least one constituency that is likely rejoicing — Europe-based cloud computing companies.

For the past few years, cloud providers in Europe have tried to gain a competitive advantage over US-based providers in the European market by arguing that the Patriot Act gives the US government essentially unfettered access to content stored with US-based companies. The term “Patriot Act” has become a weapon wielded by overseas providers to instill fear in potential customers and to deter them from using American cloud companies. Never mind that what those overseas providers have been saying about the Patriot Act is, in many respects, not true. And never mind that national security officials in many European countries have access to content stored with Europe-based providers that is the same as or greater than what the US government has with US-based providers, often with no judicial oversight.

US-based providers, along with officials from, among others, the Departments of Justice, State, and Commerce, have struggled to get the message across to European governments and citizens that the rhetoric about the Patriot Act did not match the reality. After the revelations of the past week, that struggle just got even harder.

Reasonable people can certainly disagree about whether the benefits of the PRISM program outweigh the risks to privacy, or whether the level of congressional or judicial oversight is adequate. But the reality is that in many European countries – including, among others, the UK, Germany, and France – the government has very similar – and in some cases significantly broader – authority in national security investigations to obtain content from providers based in, or subject to the jurisdiction of, those countries, without any court approval.

Moreover, unlike in the US, in many European countries – such as Denmark, Ireland, France, and the UK, just to name a few – providers can voluntarily provide content and customer data to the government, whereas in the US, legal process is required. Those who are criticizing the providers who were subject to the PRISM program should keep in mind that those providers were not voluntarily giving the government the data – rather, they were subject to legally authorized directives from the government to do so. Without such directives, they would have been legally prohibited from providing that data. The same can’t be said for providers in many European countries.

Privacy advocates often hail the EU as a model of privacy and data protection because of its laws governing data collection and processing by businesses. (Whether the EU’s consumer data privacy model is actually any more protective of privacy than the US sectoral model is a debate for another time.) But those same privacy advocates fail to recognize, or acknowledge, that when it comes to government access to data for national security purposes, EU member states are no more protective of privacy than the US government – and in many cases, much less so – and that’s as true today as it was a week ago.

Europe-based providers may try to exploit the current PRISM controversy, but businesses seeking cloud services would be wise to consider that, notwithstanding the rhetoric about the Patriot Act and US law generally, storing their content with Europe-based cloud providers would not afford their data any greater privacy protections than if they stored their data with an American-owned cloud provider. And in many instances, using a Europe-based provider would give them less protection, subjecting their data to a legal regime in the host country that may make the Patriot Act and FISA Amendments Act look like privacy statutes.