Today in Cloud

Sean Gallagher has a piece on Ars Technica this morning, which suggests that Microsoft lost a deal with European defence contractor BAE Systems… because of fears about PATRIOT Act-endorsed snooping. Microsoft, Gallagher writes, “could not guarantee that [BAE’s] data wouldn’t leave Europe.” Oops. Back in September, I looked at a recent European enthusiasm for getting tough about data. BAE’s decision is one more instance of this, and it’s really not clear yet how widespread the repercussions might be. Derrick Harris put the U.S. perspective last month, suggesting that U.S. companies want “free trade for data.” If U.S. laws like the PATRIOT Act continue to apply, companies, governments and citizens beyond the United States’ borders may not be so enthusiastic. “Free Trade” on one country’s terms is not free at all, regardless of the spin.

Building a wall: Europe’s exclusion of U.S. cloud providers has deep implications

A long-running clash of legal approaches to the handling of personal data is coming to a head, as European countries begin to act.

In Germany, Deutsche Telekom is calling for more stringent regulation of cloud providers, and in the Netherlands a government minister suggests that U.S. companies could be barred from government contracts to prevent European citizens’ data being opened by U.S. authorities. In the UK, the junior partner in the coalition government is beginning to express concern about the safety of personal data in the cloud and to hint at legislative solutions. What, then, are the implications for Europeans and for the U.S. companies that sell to them?

The USA Patriot Act includes powers that permit law enforcement agencies to seize data on any computer belonging to a U.S. company, whether that company is physically situated in the U.S. or not. Microsoft recently attracted headlines by acknowledging this. Europe’s Data Protection Directive protects personal information, and the Safe Harbor provisions normally make it possible for U.S. companies to store and process European data. However, any company handing over data to meet its U.S. legal obligations is breaking European laws that explicitly prohibit this type of data transfer, which puts companies in an impossible position, since they cannot obey both jurisdictions. And as the penalties for breaking the U.S. legislation are considered far more serious than fines imposed for a data breach in Europe, it is assumed that the Patriot Act will always win.

ZDNet reports that the Dutch government is looking at ways to solve the problem. Dutch Minister for Security and Justice Ivo Opstelten recently said, “it is possible to include a requirement . . . that stipulates that the provider is not allowed to hand over government data (including data about citizens) to the United States under the Patriot Act” (thanks to Wilbert Kraan for translating). The minister concludes, “This means that companies from the United States are effectively excluded from such RFPs and contracts.” It is unlikely that the Netherlands or Germany would ban U.S. companies outright, but it would be reasonable to include clauses within contracts ensuring that data cannot be disclosed as the Patriot Act requires. U.S. companies would therefore be “effectively excluded” from government contracts.

If the Netherlands goes as far as its minister suggests, then European companies will be quick to fill the gap. While much of the innovation in the cloud is still being led by well-known U.S. companies, there is also plenty of innovation and emulation outside the U.S. SaaS providers like London-based Huddle (with accreditation to deliver sensitive government documents) and IaaS companies including Scotland’s Flexiant and Switzerland’s CloudSigma would all be able and willing to fill any gap.

Today U.S. companies typically have the technical investment and the marketing spend to ensure name recognition. But with their government pursuing policies that cause concern in overseas markets, there is a clear opportunity for competitors in Europe and elsewhere. Indeed, these non-U.S. companies may begin to attract higher levels of U.S. investment as venture capitalists seek products that can generate revenue for them in growing markets outside the States. Given attention and investment, a Flexiant or a Huddle can compete directly with U.S. competitors that are currently better financed.

The U.S. government is unlikely to routinely seize European customer data, but it has the legal power to do so if it feels threatened. For most individuals and companies, the benefits offered by U.S. cloud services outweigh the risk that America will seize their data. It’s unlikely that Europeans will lose access to Google Apps and Amazon Web Services anytime soon, but increased awareness of the (small) risk of a Patriot Act data seizure may make everyone take a careful look at alternatives closer to home. The challenge is for those European companies to compete fairly, on their own merits, and not to denigrate the competition with the specter of Uncle Sam reading everyone’s email.

Question of the week

Are European proposals, like those from the Netherlands, a reasonable reaction to the Patriot Act?

Today in Cloud

A Microsoft executive’s answer to a question during the London launch of Office 365 last month has caused a bit of a storm. As Zack Whittaker reported for ZDNet, Microsoft “admitted” that the U.S. company might have to surrender European customer data if required to do so by U.S. law enforcement agencies invoking the USA PATRIOT Act. The problem, which is actually reasonably well known, is that the PATRIOT Act trumps the Safe Harbor agreements in place between the United States and Europe, which normally provide a mechanism for U.S. companies to demonstrate their compliance with Europe’s tough data privacy laws. Jennifer Baker reports for Computerworld that the European Parliament is now getting involved, concerned that European data may be at risk. It is certainly true that the extreme powers of the PATRIOT Act could be used to sweep aside the Safe Harbor principles, and customers should be aware that this is legally permissible. It’s also quite unlikely — unless you’re storing data in which U.S. law enforcement might have a legitimate anti-terror interest. Open and informed discussion of the issues is to be welcomed. Blind panic that — “suddenly” — the FBI will start reading European email? Less helpful.