EU-US data privacy storm blows cloud off course


This article is part of our special report Data protection.

The EU is currently in talks with the US over its reluctance to allow sensitive data transfers across the Atlantic under the US Patriot Act, one of many obstacles to the wider adoption of cloud computing.

Public tenders for cloud services in some European countries are currently avoiding US providers like the plague for fear of falling under the US Patriots Act, which compels companies to transfer the personal data of terror suspects to Washington authorities.

European companies are also afraid that even the slightest presence in the US means they also fall under US jurisdiction. Some companies, like Deutsche Telekom, have publicly said they want an official certificate sheltering European companies from American laws on data transfers.

European clouds wanted

Though the data transfers contravene EU law barring organisations from passing on user data to a third country without the users’ permission, the Patriot Act contains a clause on "delayed warrants", basically granting access to data without prior consent.

A recent statement by EU Commissioner Viviane Reding, responsible for justice and fundamental rights, says that US authorities have reassured her by promising they will first "seek assistance from member states using existing police and judicial cooperation channels."

But European cloud providers say they would rather not have to deal with the US Patriot Act at all. “A German cloud” would be a “safe cloud,” Reinhard Clemens from Deutsche Telekom's T-Systems division said recently.  

The Dutch minister for Security and Justice, Ivo Opstelten, also recently warned that US cloud providers would be "excluded" from public tenders if the EU does not come up with a solution.

International agreement on data transfer?

The issue is fast becoming a bone of contention in the European Parliament, which has consistently defended strong EU data protection laws. MEPs are gearing up for debates on the act's legality under EU law.

"The US considers just having a single mailbox in the US enough to request data from European companies," said Sophie in t'Veld, a Dutch MEP known for investigating EU-US data transfers.

"This is a remarkable interpretation," she told EURACTIV. The MEP also referred to a Belgian case where a judge ruled that the country's law enforcement authorities could not get data on the e-mail account of a Belgian national from the US company Yahoo.

"We are doing it right, so why can't they."

Viviane Reding, the EU's Justice Commissioner, has been meeting with her counterpart Erik Holder in the US to discuss the Patriot Act and a potential international agreement on data transfers.

"We would like a set of internationally agreed principles which cover data protection, privacy and security and levels of certification, so that a user or a citizen can put data into a cloud and can be sure data never exported without permission," said Commission spokesperson Ryan Heath.


Cloud computing describes a whole range of infrastructure, software, data or applications residing in the cloud – that is to say, off your own premises and accessed via the Internet.

A study carried out by the University of Milan, published in 2010, estimated that cloud computing has the potential to create 1.5 million new jobs in Europe over the next five years.

While businesses and governments wax lyrical about the benefits of cloud computing, EU regulators have been more wary, as further use of cloud systems would mean a large swathe of public and commercial data would migrate to servers possibly located outside the EU.


Subscribe to our newsletters