EU cloud confidence hit by Snowden affair: report
European lawmakers move to protect personal data amid concerns over US security powers
European officials are revisiting data protection legislation after the extent of US security powers came to light in the wake of the Edward Snowden affair, The Financial Times reported today.
According to Snowden, the US security contractor turned whistleblower, under the US National Security Agency's (NSA) Prism operation, US cloud providers such as Yahoo! and Microsoft were compelled by the Foreign Intelligence Surveillance Act (FISA) to surrender private data if such requests were approved by a secret court.
But EU officials are concerned that US-based companies, and even companies that have significant operations within US borders, may be compelled to share data from cloud infrastructures hosted in other territories. In such cases, US security services could demand data that pertains to non-US citizens.
"If I am a German provider and the [NSA] comes to me [to ask for data], then I can say: 'I'm not allowed to and have no interest in doing so'," said Klaus Landefeld, board member for infrastructure and networks at Eco, the Association of the German Internet Industry.
"But if I'm a US provider in Germany then I have the problem that under FISA, I'm bound to comply."
Non-US companies can get around the US legislation if their clouds are operated by separate entities. CloudSigma is such a company.
"Our holding company is Swiss and has no concept of extraterritorial jurisdiction. The US authorities can try that kind of stuff, but it's possible to hold firm and explain your position," said Robert Jenkins, chief executive, CloudSigma.
As FISA requests are secret and companies are prohibited from revealing them, it may prove difficult to police the flow of privileged data. EU officials appear undeterred, however, and have already drafted legislative language to combat surveillance programmes such as those disclosed by Snowden. The amendment, known as Article 42 and referred to by its advocates as the "anti-FISA clause", would subject any request for personal data on an EU citizen to approval by a special committee.
Critics of the move suggest global cloud companies could find themselves caught between two legal frameworks.
"US intelligence requests will keep on coming and cloud providers will be either in breach of US or EU law," Axel Arnbak, of the Institute for Information Law at the University of Amsterdam, told the FT.