Building a wall: Europe’s exclusion of U.S. cloud providers has deep implications

A long-running clash of legal approaches to the handling of personal data is coming to a head, as European countries begin to act.

In Germany, Deutsche Telekom is calling for more stringent regulation of cloud providers, and in the Netherlands a government minister suggests that U.S. companies could be barred from government contracts to prevent European citizens’ data being opened by U.S. authorities. In the UK, the junior partner in the coalition government is beginning to express concern about the safety of personal data in the cloud and to hint at legislative solutions. What, then, are the implications for Europeans and for the U.S. companies that sell to them?

The USA Patriot Act includes powers that permit law enforcement agencies to seize data on any computer belonging to a U.S. company, whether that company is physically situated in the U.S. or not. Microsoft recently attracted headlines by acknowledging this. Europe’s Data Protection Directive protects personal information, and the Safe Harbor provisions normally make it possible for U.S. companies to store and process European data. However, any company handing over data to meet its U.S. legal obligations is breaking European laws that explicitly prohibit this type of data transfer, which puts companies in an impossible position, since they cannot obey both jurisdictions. And as the penalties for breaking the U.S. legislation are considered far more serious than fines imposed for a data breach in Europe, it is assumed that the Patriot Act will always win.

ZDNet reports that the Dutch government is looking at ways to solve the problem. Dutch Minister for Security and Justice Ivo Opstelten recently said, “it is possible to include a requirement . . . that stipulates that the provider is not allowed to hand over government data (including data about citizens) to the United States under the Patriot Act” (thanks to Wilbert Kraan for translating). The minister concludes, “This means that companies from the United States are effectively excluded from such RFPs and contracts.” It is unlikely that the Netherlands or Germany would ban U.S. companies outright, but it would be reasonable to include clauses within contracts ensuring that data cannot be disclosed as the Patriot Act requires. U.S. companies would therefore be “effectively excluded” from government contracts.

If the Netherlands goes as far as its minister suggests, then European companies will be quick to fill the gap. While much of the innovation in the cloud is still being led by well-known U.S. companies, there is also plenty of innovation and emulation outside the U.S. SaaS providers like London-based Huddle (with accreditation to deliver sensitive government documents) and IaaS companies including Scotland’s Flexiant and Switzerland’s CloudSigma would all be able and willing to fill any gap.

Today U.S. companies typically have the technical investment and the marketing spend to ensure name recognition. But with their government pursuing policies that cause concern in overseas markets, there is a clear opportunity for competitors in Europe and elsewhere. Indeed, these non-U.S. companies may begin to attract higher levels of U.S. investment as venture capitalists seek products that can generate revenue for them in growing markets outside the States. Given attention and investment, a Flexiant or a Huddle can compete directly with U.S. competitors that are currently better financed.

The U.S. government is unlikely to routinely seize European customer data, but it has the legal power to do so if it feels threatened. For most individuals and companies, the benefits offered by U.S. cloud services outweigh the risk that America will seize their data. It’s unlikely that Europeans will lose access to Google Apps and Amazon Web Services anytime soon, but increased awareness of the (small) risk of a Patriot Act data seizure may make everyone take a careful look at alternatives closer to home. The challenge is for those European companies to compete fairly, on their own merits, and not to denigrate the competition with the specter of Uncle Sam reading everyone’s email.

Question of the week

Are European proposals, like those from the Netherlands, a reasonable reaction to the Patriot Act?