ANALYSIS: A Broader Perspective On EU Concerns About US Law Enforcement Access To Information In The Cloud
By Tanguy Van Overstraeten and Bastiaan Bruyndonckx, of Linklaters LLP, Brussels.
Cloud computing is gaining momentum as the new IT paradigm and a leading business and economic model. In weighing the pros and cons of going cloud, users must assess what this means for them in terms of security and data protection: just how safe, private and confidential their data is in the cloud, from both a technical and a legal point of view. In this regard, the ubiquitous and transnational nature of cloud computing raises considerable questions on applicable law and competent jurisdiction.
From an EU perspective, Dutch Liberal MEP Sophie in ’t Veld has voiced her concern about the reach of the so-called USA PATRIOT Act in the European realm. Within the EU, the USA PATRIOT Act is often perceived as a sort of broad blanket license for law enforcement agencies to oblige individuals and companies to disclose certain records or information they hold and which are believed to be relevant for counterterrorism or counter-intelligence investigations.
One of the most controversial provisions of the USA PATRIOT Act is Section 215, which amends the Foreign Intelligence Surveillance Act of 1978 to permit the FBI to obtain an order (“Section 215 Orders”) from the Foreign Intelligence Surveillance Court demanding “any tangible thing (including books, records, papers, documents and other items)” believed to be relevant to an authorised investigation regarding international terrorism or espionage. The USA PATRIOT Act also expanded the use of National Security Letters (“NSLs”). NSLs permit the FBI and other law enforcement agencies to obtain information within certain prescribed categories: financial records, telephone and e-mail communications data and internet searches. NSLs may be issued where the records sought are relevant to an authorised counterterrorism or counter-intelligence investigation.
This is worrisome according to Mrs. in ’t Veld as it would enable US authorities to access personal data stored in the EU by companies with headquarters in the US based on US legislation, while disregarding EU legislation on data protection.
Ultimately, the concerns expressed are usually based on the assumption that European legislation is fundamentally more protective than that of the US. However, the current debate on the compatibility of the USA PATRIOT Act with EU data protection laws and on the alleged ‘vulnerability’ of data placed in a US cloud environment appears to be based upon a misapprehension of the EU Data Protection Directive and the broader legal framework within the EU.
The EU’s centrepiece legislation on data protection explicitly enables Member States to do away with privacy protections, which would otherwise apply, for a series of reasons, among which ‘public security’, ‘State security (including the economic well-being of the State, when the processing operation relates to State security matters)’ and ‘the activities of the State in areas of criminal law’. Many EU Member States have provided for specific exemptions in their national data protection laws, resulting in either the national data protection law not being applicable to these kinds of activities at all or certain protections provided for by the national data protection law not being applicable to these kinds of activities. Counterterrorism and counter-intelligence investigations carried out by law enforcement agencies thus benefit from an exemption from the national data protection law in most EU Member States…