European companies 'need confidence' over Patriot Act concerns

European companies 'need confidence' over Patriot Act concerns

Summary: One Dutch member of the European Parliament is on a mission: to clarify the reach of the Patriot Act in Europe, and to amend laws to prevent its reach.

SHARE:

European businesses and companies are increasingly concerned about the revelations earlier this year that the USA Patriot Act can be invoked to access cloud-stored data in Europe and further afield, according to a European lawmaker.

Today, as Europe's lawmakers are about to start up again after the summer vacation, one Dutch member of the European Parliament (MEP) is championing on behalf of her European citizens to get important questions regarding data transfer answered from the U.S. government.

In June, Microsoft finally admitted what most had suspected -- that European data held in EU datacenters, provided by any cloud service provider with a U.S. headquarters, cannot guarantee that data will not be handed over to U.S. authorities for interception or intelligence gathering.

It comes only days after Jeff Bullwinkel, director of legal and corporate affairs at Microsoft Australia, all but outright said that under the Patriot Act, Microsoft cloud-stored data inside Europe and elsewhere was 'never secure'. In a blog post, he added even more pressure on businesses in Australia, and more reason to avoid the U.S.-linked cloud altogether.

Sophie in 't Veld, along with four other members of the European Parliament, is calling on Viviane Reding, the European Commissioner for justice, fundamental rights and citizenship, for "clarification" to answers given pertaining to the Patriot Act's reach in Europe.

The Dutch MEP and vice-chair of the European Parliament's Civil Liberties, Justice and Home Affairs committee, raised questions to the European Commission, shortly after ZDNet began exploring the reach of the Patriot Act outside of the United States.

But in 't Veld is not at all content with the reply she received from Commissioner Reding, and is asking for further clarification.

in t' Veld had asked questions many chief information officers and citizens alike had been asking for years:

"Is the Commission aware that on the basis of the Patriot Act, the U.S. authorities can access personal data stored in the EU by companies with headquarters in the U.S.?"

Crucially, the last question asks what the European Commission do to "remedy this situation", to ensure that "third country legislation [in this case, the United States] does not take precedence over EU legislation?".

Commissioner Reding's reply [in Dutch] missed the point completely, and glossed over the crucial questions that the MEP's had put to her.

Sarah Ludford, one of the four other MEP's asking for further clarification, called the Commissioner's reply "alarmingly evasive", adding: "It fails to clearly assert that EU data protection law always applies to EU-stored data and dodges the issue of how a firm based in the US can resist US demands for access to such data."

in 't Veld said on the Dutch D66 party blog today, that she has responded to a "very unsatisfactory response", adding: [translated]

"The European Commission should quickly make it clear that European businesses and citizens are under European privacy laws. European citizens and businesses need to be confident that EU institutions enforce their own laws."

Keen to stress that though EU subsidiaries of U.S. parent companies are breaking European law by handing over data back to the United States under a Patriot Act request, that while these subsidiaries are operating within Europe, EU law must take precedent.

"The European Commission should urgently contact the U.S. government and make clear that we do not accept."

Posting to Twitter, in 't Veld said: "companies in the EU cannot be sure what jurisdiction they are in -- the EU or the U.S.".

In her reply to Commissioner Reding, the Dutch MEP reiterated that:

"[...] Your reply does not clarify the situation of companies operating in the EU, that equally have a presence (either headquarters or other activities) in the U.S.

In that situation, through its presence in the U.S., that company would be under U.S. jurisdiction indeed. The U.S. considers that the European activities, including databases, of those companies automatically fall within U.S. jurisdiction."

The issue of subpoenas and National Security Letters -- written devices which apply gagging orders on those who are told to hand over data -- also arose in the reply to the Commissioner.

"EU based companies are currently facing US subpoenas under the Patriot Act, as described in the Written Question.

They are obliged to submit data stored in Europe to the U.S. authorities, thereby probably violating EU laws. Formally, it is for those companies to refuse to comply with the subpoena. However, we recognise that in practice this is very difficult."

The European Data Protection Directive, which makes up the basic level of each European member states' data protection laws, is likely to be changed in the coming months and years.

Next week, in 't Veld's European Privacy Platform, which will debate this topic heavily, may yield a clearer response from the Commissioner.

Related content:

Also read ZDNet’s Patriot Act series:

Topics: Government UK, Data Centers, Data Management, Government, Government US, Storage

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

14 comments
Log in or register to join the discussion
  • Ain't gonna happen

    The EU can pass all the regulations it wants, and the US government will blithely ignore them as they have for years. When push comes to shove, the US has enormous influence over the EU, especially in the area of regs that cover security and trade relations.<br><br>A dirty little secret is that many EU bureaucrats and authorities "assist" US police and intelligence agencies often in contravention of their own laws. For one thing, it is lucrative: the US regularly hands out money and favors to cooperative agencies. They also provide free training and even equipment to foreign agencies.<br><br>It's no accident that the FBI has more offices in foreign countries than any other law enforcement organization. And we can only speculate on the CIA presence ...
    terry flores
    • Actually, it can happen.

      @terry flores

      The EU is not beholden to the US in any way. If they pass a law that absolutely prohibits compliance with the US law (ie. a law that prohibits transfer of private data outside the EU by a company that has physical presence IN the EU - whether or not it be a subsidiary of a US company), then they put those companies in a very interesting legal position: complying with the US law means breaking the EU law. At that point, businesses will have to do one of three things: shut down, find some way to isolate their subsidiaries from US law, find some way to get the US to change its laws.

      I agree that last one is the least likely - but there ARE other options.

      And the FBI in other countries is there generally by permission and with the invitation of the country. They don't have any jurisdiction in those countries - contrary to what bad US TV shows.
      TheWerewolf
      • RE: European companies 'need confidence' over Patriot Act concerns

        @TheWerewolf

        "At that point, businesses will have to do one of three things: shut down, find some way to isolate their subsidiaries from US law, find some way to get the US to change its laws."

        There are more than 3 options if such a law ever were to be written. Here are a few more:

        1. Petition the law to be repealed.
        2. Have the law stricken down through legal means within the EU court system
        3. Have the law stricken down through international legal challenges.

        Bottom line: International law is a delicate balance between individual states rights and established treaties. Such a short-sighted law would be throwing the baby out with the bath water.
        Your Non Advocate
      • RE: European companies 'need confidence' over Patriot Act concerns

        @TheWerewolf I think you missed a couple of the points: The US has been ignoring EU privacy laws for years, both in criminal investigations and with intelligence-gathering operations such as Echelon. In the case of companies who "comply" with US NSL's, they are explicitly instructed *not* to inform any employees or parties not involved in the actual data extract, including data-privacy supervisors. It gets really hard to track privacy violations if nobody ever gets told they happened.

        But the part that you really missed is that there are lots of willing conspirators in the EU that assist US agencies in violating the law. They range from French DCRI to the London Metropolitan Police. US agencies have shared out more than a thousand (three zeros) datasets with counterparts in the Met alone. When the various European authorities are willing to bend or break the rules, it's hard to fault the US authorities for ignoring them as well.
        terry flores
    • RE: European companies 'need confidence' over Patriot Act concerns

      @terry flores The US government can ignore it. But slap Google os Microsoft a 50% of revenue fine for handing over the Date the US per incident and I pretty sure the US would start listening, and the cooperation's would make congress listen if they want to operate in the EU or they would withdraw from the EU altogether.
      Knowles2
      • RE: European companies 'need confidence' over Patriot Act concerns

        @Knowles2 Sorry, but Google and Microsoft have as many powerful "friends" in Europe as they do in the US Congress. They might end up paying some token fines, only to find that the amounts are made up in subsequent government contracts or EU grants. The defense contractors perfected that system decades ago.

        Again, with most EU governments complicit in the violations, very little of this will ever see the light of day. For every politician who wants to make headlines out of it, there are 50 bureaucrats who are willing to look the other way.

        Doubt it? Read the headlines: http://hosted.ap.org/dynamic/stories/E/EU_EU_RENDITION
        terry flores
      • Much ado about nothing

        @terry flores

        "They might end up paying some token fines"

        Or not.

        "Again, with most EU governments complicit in the violations, "

        putative violations

        "For every politician who wants to make headlines out of it, there are 50 bureaucrats who are willing to look the other way. "

        Or, another way to phrase that sentence: "For every politician who wants to grandstand and make headlines out it, there are 50 people who know what they are doing".
        Your Non Advocate
  • RE: European companies 'need confidence' over Patriot Act concerns

    Its unaccpetable that any third country law override the law of the country in which the company operates. Otherwise why do they come to do the business in the first place. It doesn't matter if this third country is US, EU, CHINA or RUSSIA. The local laws should take precedence.

    If you are doing business in China, follow Chinese rule or in EU follow EU rules.

    If US has an illusion that its 'above' other nations, its time to wake up. The recent economic situtation is a wake up call.

    All nations has their right to be treated equal. If some nations have other ideas then its not very civilized
    owlnet
  • *yawn*

    Extra-territorial jurisdiction has been a legal precedent that predates the European Union itself. International criminal enterprises cannot incorporate in a safe haven nation and expect to continue to commit crimes in a third country. Member nations of the EU exerted this Extra-territorial jurisdiction authority themselves. To pretend that it is now a problem is disingenuous, short-sighted and, dare I say it, hypocritical.
    Your Non Advocate
    • Fortunately...

      @facebook@...

      Other countries, their people and their governments disagree with you.
      TheWerewolf
      • True

        @TheWerewolf

        True, but Switzerland is no longer the safe haven it once was for the Nazi's stolen gold.
        Your Non Advocate
      • RE: European companies 'need confidence' over Patriot Act concerns

        @TheWerewolf They can disagree all they want, but what is the recourse? A "sharp diplomatic note"? Those get put in the "joke of the day" file at the State Department.
        terry flores
  • One statement of intent

    National Security Letters ? written devices which apply gagging orders on those who are told to hand over data - are in direct violation of the 1st Amendment of the Constitution, regardless of any ruling to the contrary by any court of law. As such, I will never obey one.
    Dr_Zinj
    • RE: European companies 'need confidence' over Patriot Act concerns

      @Dr_Zinj

      Good thing we are talking about European companies. There is no 1st Amendment right to free speech in the UK.
      Your Non Advocate