Given the current anti-EU sentiment gripping certain shires of England, it might not be fashionable to highlight the positive role that the EU plays in setting the regulatory framework for certain aspects of business behaviour and personal rights.
Nevertheless, there’s no doubting the valuable service provided by a recent report from the Directorate General for Internal Policies (entitled Fighting cyber crime and protecting privacy in the cloud), which highlights serious concerns over the safeguarding of cloud-based data from European companies and citizens in a multi-jurisdictional framework.
The report accepts that cloud computing is making data processing global but warns that “jurisdiction still matters. Where the infrastructure underpinning cloud computing (i.e. data centres) is located, and the legal framework that cloud service providers are subject to are key issues”.
This is particularly so with regard to the US, home of many large technology companies and cloud computing providers, and two specific pieces of legislation, the US Patriot Act and the US Foreign Intelligence Surveillance Amendment Act (FISAA) of 2008. The report believes both acts give rise to conflicts in the relationships between states and companies.
“Major cloud providers are transnational companies subject to conflicts of international public law,” the report states. “Which law they choose to obey will be governed by the penalties applicable and exigencies of the situation, and in practice the predominant allegiances of the company management.”
Those allegiances are likely to be sorely tested by the scope of FISAA, which essentially authorises the mass surveillance of foreigners outside US territory whose data is within range of US jurisdiction, including data accessible in US clouds. The question that needs to be addressed is whether EU-based businesses and citizens should be prepared to gamble the integrity, security and privacy of their data against the loyalties of managers of US-based companies.
The report warns that cloud computing breaks the 40-year-old model for international data transfers because, once data is transferred into a cloud, “sovereignty is surrendered”, and it advocates the use of prominent warnings concerning the dangers of cloud data being exported to US jurisdiction.
It’s a concern UK businesses should heed very carefully if they don’t want to put their data at risk of being spied on by US authorities. For those already ‘in the cloud’, the report represents an opportune moment to ask what country their cloud provider is storing their data in. Many cloud providers are global operations, which leaves them (and their customers’ data) vulnerable to surveillance from the authorities in the US and other jurisdictions.
One way for UK businesses to ensure their data is safe and not being snooped on by the US or any other country’s authorities is to choose a cloud provider with a geographically diverse cloud platform spread across the UK. A UK company gives them the comfort of being able to visit the data centre and an understanding of where their data lives. Until the US authorities change or amend the Patriot Act and FISAA, that’s the only way businesses in the UK can guarantee their most critical asset stays outside the jurisdiction of the US authorities (or those of any other country).