Patriot Act affects European cloud adoption
Summary: Microsoft's admission, made at the Office 365 launch, that EU data is vulnerable to U.S. inspection is hampering cloud uptake and growth.
More and more organisations are abstaining from the cloud, according to a report by a leading newspaper, due to the reach of the Patriot Act in Europe and further afield.
According to the Financial Times (available via Google without registering), the discussions were brought up during private FT meetings last month, and data privacy and cloud services topped the concerns of IT bosses.
During the Office 365 launch in London in June, Microsoft admitted to ZDNet that any data stored, processed or owned in Europe and further afield -- including email, file storage and web applications -- is liable to U.S. government inspection under the Patriot Act.
The FT's report is crucial to understanding the feeling in the wider room amongst IT chiefs. As many are data controllers as well as processors of the data, it could lead to civil or criminal action against cloud users for mismanagement of data.
Due to the disparity between European and U.S. law, wholly-owned subsidiaries cannot comply with the European Data Protection Directive -- which requires companies to inform their users that data will leave the European zone -- because U.S. law can 'gag' them with existing legislation.
Microsoft's admission sets precedent across the board, applying to every other cloud-service provider with an entity in the United States, including Amazon, Intel, Apple and Google.
A former Microsoft employee, still close to the company, told me that Frazer's admission has cost the company "millions" in potential contracts.
The Redmond-based company will "only respond to government requests for enterprise customer data when legally required", adding: "we will use commercially reasonable efforts to notify those customers in advance, unless we are legally prohibited from doing so."
Such reassurances, however, do not firmly guarantee that data will not be handed over under any circumstances -- even if the customer is outside U.S. jurisdiction. This alone does not fill IT chiefs with confidence over the security of their clients' data.
Healthcare providers are also holding back from cloud initiatives due to the concern over data privacy and security. With the need to comply with key legislation such as the Health Insurance Portability and Accountability Act (HIPAA), the requirement to safeguard data -- even from government inspections -- is a demanding task and a challenge yet to overcome.
Related content:
- ZDNet's USA PATRIOT Act series
- Microsoft admits Patriot Act can access EU-based cloud data
- EU demands answers over Microsoft’s Patriot Act admission
- If you have something to hide from the government, don't use Dropbox
- Microsoft: 'We can hand over Office 365 data without your permission'
- Senator: "The 'real' Patriot Act is classified"
- CBS News: US cannot say how many had communications watched
- CNET: Patriot Act renewed despite warnings of 'secret' law
Talkback
Wow, American corruption knows no limits
RE: Patriot Act affects European cloud adoption
Who? Article makes no previous mention of "Frazer".
Check your links
The article is referenced in the paragraph that begins, "During the Office 365 launch in London in June..." (link follows directly after the word "June"), & in the article Gordon Frazer is specifically referenced.
http://www.zdnet.com/blog/igeneration/microsoft-admits-patriot-act-can-acce
So what has the Cloud got to do with it?
In other words, a "Patriot Act" directive to a UK-based IBM data centre currently supporting (non-federated) UK clients would have to be fulfilled by the US-headquartered firm.
Why are people only now talking about this issue?
RE: Patriot Act affects European cloud adoption
My 2c worth
It becomes more of an issue because in a cloud environment, there are less defined boundaries - the data could be anywhere. If that data ends up in the US then it is subject to the Patriot Act and other US privacy laws as opposed to the privacy laws of the country where that cloud customer resides. Very few other countries have the equivalent of the Patriot Act and as such, it represents a huge risk to the privacy of both the end customers and the companies using cloud services.
This issue is not unique to MS - it affects all of the cloud service providers that have data centres in the US (in particular). My company has cloud services and I know the Patriot Act has cost us business. It has also forced us to set up data centres outside of the US to cater for the privacy concerns of non-US companies.
Companies that are looking to utilise cloud services (from any provider) should look at the privacy implications of the laws associated with the possible end location of the data. That advice applies regardless of the data ending up in the US, Iceland, Australia, the Philippines or France. It should be part of the due diligence that is applied whenever any company is looking at using an outsourced partner (for cloud or traditional hosting services).
Cloud has nothing to do with it...
You misunderstand my point. The issue is here today with any US-headquartered company (IBM, HP, MS, Amazon etc.) providing DC services based on DCs outside of the US. The key bit is the domicile of the HQ. A US-headquartered company is subject to US law. Including the Patriot Act.
RE: Patriot Act affects European cloud adoption
I am no lawyer, but since most multinational companies will be incorporated in each country they have major offices in, I suspect that as long as the data is not in the US and the contract for hosting/cloud services is with the locally incorporated country office, it would not be subject to the Patriot Act, but would instead be subject to the privacy laws of the country of incorporation and the country where the data is physically stored.
I do work for a US-headquartered multinational (in Australia), and if some law was broken by the Australian incorporated branch, then the legal liability would be within Australia and would not extend to the US. Sure, some questions might get asked in the US, but unless the US branch also committed the same act, US charges could not be laid. A US Patriot Act order for information from an Australian company, hosted in Australia from what is effectively an Australian company (the Australian incorporated branch of the multinational) would I expect also need to go through the Australian legal system in order to get access to that data, regardless of where the HQ is.
I am happy for an International IP Lawyer to correct me on this, but as I understand corporations law, limitation of legal liability is a part of the reason for doing it.
Any international equivalent of the Patriot Act?
I'm trying to "tone down" the US Patriot Act by bringing awareness about similar treaties between other countries. But I can't find the info. Anyone has an opinion/pointer? Thanks.