UpCloud reckons Finnish privacy laws can protect data hosted in US

Post-Snowden, European cloud providers find themselves with a couple strong selling points: they host in Europe, so U.S. authorities can’t simply walk in and demand customer data, and they’re not headquartered in the U.S., so they don’t have to hand over data under the Patriot Act.
But what about those that want to expand to the U.S.? Finland’s UpCloud is in precisely that position, planning as it is to open a U.S. data center, probably in Chicago. And while it’s not the first European cloud outfit to head west, this infrastructure-as-a-service (IaaS) provider reckons it’s come up with a model that can protect even customers using that facility under Finnish and European data protection laws.
Part of this involves carefully-constructed contracts, and part involves keeping all customers’ personal information in Finland – in other words, the authorities in the U.S. won’t have what they need to match any seized data to its owner.
As UpCloud general manager Antti Vilpponen explained it to me via email:

“Currently the situation with U.S. IaaS providers is that local law enforcement agencies have access to customers’ data (and personal information for that matter) globally as the companies are registered in the U.S.
“Some of our European competitors have solved the situation by building separate services into each data centre. This basically protects customers from cross-border inquiries, but the customer experience in using these services is poor. They have different accounts to different data centres without the possibility to migrate servers easily. With UpCloud, you are able to manage all your servers with a single account — improving usability (in addition to the privacy of your personal data) immensely.”

Vilpponen was loath to go into any detail regarding the mechanism UpCloud is using here, to ensure everything runs smoothly while personal data is kept out of U.S. servers, other than to say the firm’s non-European operations (it’s planning a similar move into Asia) are run by fully-owned subsidiaries.
“We’re looking to build a model whereby we give our customers the best possible privacy protection possible in a global setting… while also handing down some of the responsibility to the customers themselves; they are aware and take the risk that the local law enforcement officials might require us to hand over the data stored on servers in that country, but only in that country,” he said.
Without those missing details about contractual and technical mechanisms, it’s hard to judge precisely how effective UpCloud’s model is. That said, if it works as promised and if UpCloud is proficient at locking down the personal data it stores in Finland – one must bear in mind that U.S. intelligence laws give less protection to data stored outside the U.S. — it could be a smart way for a European provider to make inroads into the lucrative homeland of the NSA.
Here’s a video from last year’s Structure:Europe, where I interviewed Vilpponen and other European cloud upstarts about taking on Amazon(s amzn):
[protected-iframe id=”1bbe1fd1c4da4bca77e8f0ab2940a6d2-14960843-25766478″ info=”http://new.livestream.com/accounts/74987/events/2361507/videos/30328698/player?autoPlay=false&height=360&mute=false&width=640″ width=”640″ height=”360″ frameborder=”0″ scrolling=”no”]