Microsoft, the USA PATRIOT Act, and European cloud computing

January 6, 2012 By David
Grazed from Sys Con Media.  Author: Paul Miller.

Microsoft announced last month that its Software as a Service (SaaS) offering, Office 365, will better comply with European guidelines to ensure that customer data is adequately protected. This move is certainly welcome, but the long-armed spectre of the USA PATRIOT Act continues to hang over Microsoft and other US companies, regardless of customers’ nationality or the country within which Microsoft might physically host a particular customer’s data.

The PATRIOT Act’s acronymic name may evoke harmless images of bunting, parades, and national anthems, but the reality is rather different. A product of America’s post-9/11 entrenchment, the Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism Act of 2001 affords the Federal Government wide-ranging and far-reaching powers that show little — if any — respect for geographic boundaries or inconveniently contradictory local legislation. A US company (like Microsoft or Amazon) is subject to the Act’s powers all around the world. A US citizen’s data, stored in a US company’s data centre that is physically situated in the United States, is subject to the Act, and everyone might be reasonably comfortable with that. But so is a German citizen’s data, stored in an Amazon data centre in Ireland; and German, Irish and European lawmakers appear almost powerless to intercede…

European countries tend to be stricter about use (and abuse) of personally identifiable information than the US. Although surveys identify some national differences, it also appears that Europeans broadly embrace the approach taken by their governments. And, anecdotally, conversations with European and American entrepreneurs and European and American individuals repeatedly point to rather different sets of basic presumptions operating on either side of the Atlantic. Europe’s Data Protection Directive, and its implementation in national legislation such as the UK’s Data Protection Act, are clear about the ways in which a citizen can expect data about themselves to be collected, stored, shared and used. The penalties for intentional abuse could probably be tougher, but the sentiment remains clear. The Safe Harbor Principles provide mechanisms by which US companies can self-certify that their normal operating procedures meet European standards (Microsoft, Google, Amazon and many others do this). The February 2010 ‘model clauses’ that Microsoft embraced last month codify some of these protections in a manner that — theoretically — makes it easier for customers’ lawyers to understand what Microsoft will do with their data. It’s unlikely that the legalese (PDF) will actually make things any clearer for the average customer, though.

So, from the perspective of Europe’s governments and citizens, and for US companies that choose to trade here, things appear more or less OK. Personally identifiable data can be collected, stored, shared and used, but only within a set of constraints that Europeans broadly seem comfortable with. Unfortunately, all those Safe Harbor self-certifications and model clause endorsements are summarily ignored whenever the PATRIOT Act is invoked. Data Protection Directive requirements not to transfer data to random third parties are trumped by PATRIOT Act powers enabling the US Federal Government to take what it wants. Data Protection Directive stipulations that citizens be informed when their data are taken are over-ruled by the PATRIOT Act’s cloak of secrecy. And on and on the list of contradictions continues. And the PATRIOT Act wins every time, because its powers, its penalties, and its backers are so much scarier than the officials in Brussels. Despite tougher language, it’s not clear that sweeping changes to Europe’s data protection directive will really resolve the contradictions. Indeed, once enshrined in law, the proposals will most likely result in more polarisation, not less.

In Europe too, of course, there are exemptions to the data protection legislation specifically intended to permit reasonable use of data by law enforcement agencies and others. This makes sense, and it could be argued that the PATRIOT Act is simply more of the same. But it’s not, because European law enforcement agencies must demonstrate a far clearer need before they’re allowed to — legally — start rooting through a citizen’s data.

It is unlikely that the PATRIOT Act is routinely invoked, or that US officials spend much time reading Europeans’ email. The cloud — even the parts run by US companies — remains broadly safe, secure, and reliable. Safe Harbor provisions, model clauses, and the ability to insist that data normally resides in one territory or another remain an effective means of ensuring that day-to-day cloud operations meet user needs whilst complying with relevant local, regional and international legislation. But, every now and again, the PATRIOT Act will be invoked, and data will be taken. Whilst it’s something to be aware of, it’s probably not something for most people to lose too much sleep over. You’re more likely to lose data yourself, or have it escape into the wild because of an error in your own systems or a malicious hack by a competitor. And you could and would be held accountable for those breaches, in a way that you almost certainly wouldn’t for a PATRIOT Act data seizure.

So the PATRIOT Act may not be as scary as it might now appear. But it remains a visible illustration of a rather more worrying issue; a belief that the laws of one country should be able to trample over the laws of other countries at will — even inside those countries. Further, it suggests a (growing?) disconnect between the attitudes and expectations on either side of the Atlantic. And one particular aspect of that is the subject for my next post.