Companies have historically worried that Cloud platforms may not provide adequate security for sensitive data. Just as many of them are apparently letting go of this worry, they will need to decide whether they feel comfortable storing information that U.S. authorities may be able to access.
Edward Snowden’s leaks about data gathering on the part of the United States National Security Administration have prompted just the latest in a long line of concerns about U.S. data gathering. The extent of the bulk information surveillance allowed under U.S. law, particularly as it has changed in the aftermath of 9-11, was already publicly recorded, and concern about the new powers of U.S. intelligence gatherers was already mounting, especially in Europe.
In the wake of 2008’s amendments to the U.S. Foreign Intelligence Surveillance Act, companies and governments in the European Union became increasingly wary about the law’s extension of U.S. surveillance powers to the Cloud and its lack of privacy protection for non-U.S. people and organizations.
Under FISA, as it currently stands, foreign data on the Cloud can be subject to bulk retrieval demands. Since a provider may be forced to keep silent about these demands due to U.S. national security concerns, Cloud end users may have no way of knowing whether their data has been accessed.
Well ahead of the Snowden leaks, concerns about U.S. intelligence gathering in the Cloud had already been taking hold among Europe’s political and business leaders, with European Parliament members as early as 2011 making loud complaints about U.S. spying on European data. In February 2012, EU Justice Commissioner Viviane Reding, in response to a BBC question, said in a pointed reference to the United States that no third-country legislation overrules European privacy regulations and that the final arbiter of such disputes should be the International Court of Justice based in The Hague.
Also in response to this concern, EU national governments such as the United Kingdom and the Netherlands have begun projects aimed at creating “national” clouds. These and similar local clouds, as well as encryption services, have been proliferating, widely touting themselves as “Patriot Act-proof” in a testament to the widespread nature of these data security concerns.
That concern has apparently ramped up following the latest leaks. “The PRISM case was a wake-up call that shows how urgent it is to advance with a solid piece of legislation” on data protection, said European Justice Commissioner Viviane Reding following a June 14 meeting with U.S. Attorney General Eric Holder. Reding and Holder agreed to set up a “transatlantic group of experts” to hash out the issues.
Unless action is taken to work these issues out, the worldwide transition to the Cloud may be headed for its first stumbling block as U.S. providers face increased scrutiny and the universal nature of the Cloud is torpedoed by local (and national) privacy concerns.
“What is happening now is really shocking,” French EP deputy Veronique Mathieu said on June 20, 2013, in the wake of the Snowden leaks. “We cannot allow Americans to spy on EU citizens, even if it is a security matter.”