Patriot Act affects European cloud adoption

Summary: Microsoft's admission, made at the Office 365 launch, that EU data is vulnerable to U.S. inspection is hampering cloud uptake and growth.

More and more organisations are abstaining from the cloud, according to a report by a leading newspaper, due to the reach of the Patriot Act in Europe and further afield.

According to the Financial Times (available via Google without registering), the discussions were brought up during private FT meetings last month, and data privacy and cloud services topped the concerns of IT bosses.

During the Office 365 launch in London in June, Microsoft admitted to ZDNet that any data stored, processed or owned in Europe and further afield -- including email, file storage and web applications -- are liable for U.S. government inspection under the Patriot Act.

The FT's report is crucial to understanding the wider feeling among IT chiefs. As many are data controllers as well as processors of the data, it could lead to civil or criminal action against cloud users for mismanagement of data.

Due to the disparity between European and U.S. law, wholly-owned subsidiaries cannot comply with the European Data Protection Directive -- which requires companies to inform their users that data will leave the European zone -- because U.S. law can 'gag' them with existing legislation.

Microsoft's admission sets a precedent across the board, applying to every other cloud-service provider with an entity in the United States, including Amazon, Intel, Apple and Google.

A former Microsoft employee, still close to the company, told me that Frazer's admission has cost the company "millions" in potential contracts.

The Redmond-based company will "only respond to government requests for enterprise customer data when legally required", adding: "we will use commercially reasonable efforts to notify those customers in advance, unless we are legally prohibited from doing so."

Such reassurances, however, do not firmly guarantee that data will not be handed over under any circumstances -- even if the customer is outside U.S. jurisdiction. This alone does not fill IT chiefs with confidence over the security of their clients' data.

Healthcare providers are also holding back from cloud initiatives due to the concern over data privacy and security. With the need to comply with key legislation such as the Health Insurance Portability and Accountability Act (HIPAA), the requirement to safeguard data -- even from government inspections -- is a demanding task and a challenge yet to overcome.


Talkback

11 comments
  • wow american corruption knows no limits

    nt
    otaddy
  • RE: Patriot Act affects European cloud adoption

    [...told me that Frazer's admission has cost the company "millions" in potential contracts.]

    Who? Article makes no previous mention of "Frazer".
    Techboy_z
    • Check your links

      @techboy_z

      The article is referenced in the paragraph that begins, "During the Office 365 launch in London in June..." (link follows directly after the word "June"), & in the article Gordon Frazer is specifically referenced.
      spdragoo@...
    • http://www.zdnet.com/blog/igeneration/microsoft-admits-patriot-act-can-acce

      @techboy_z
      wessonjoe
  • So what has the Cloud got to do with it?

    I would like someone to explain why this issue is being associated solely with the Cloud? After all, the Patriot Act has been around for many years, and Data Centres run by IBM, HP, Microsoft, Google, Amazon et al. in *any* non-US locality have had to comply with its directives for all those years. The issue has not been introduced by the Cloud.

    In other words a "Patriot Act" directive to a UK-based IBM data centre currently supporting (non-federated) UK clients would have to be fulfilled by the US-headquartered firm.

    Why are people only now talking about this issue?
    skiwi44
    • RE: Patriot Act affects European cloud adoption

      @skiwi44 Simply put -- I discovered it about a year ago, and spent this past year and a bit researching it to prove it. Someone had to do it. :)
      zwhittaker
  • My 2c worth

    Yes - It has been an issue if the data was stored in a US hosting centre. It is one of the reasons that many of those big IT hosting companies set up hosting centres outside of the US.

    It becomes more of an issue because in a cloud environment, there are less defined boundaries - the data could be anywhere. If that data ends up in the US then it is subject to the Patriot Act and other US privacy laws as opposed to the privacy laws of the country where that cloud customer resides. Very few other countries have the equivalent of the Patriot Act and as such, it represents a huge risk to the privacy of both the end customers and the companies using cloud services.

    This issue is not unique to MS - it affects all of the cloud service providers that have data centres in the US (in particular). My company has cloud services and I know the Patriot Act has cost us business. It has also forced us to set up data centres outside of the US to cater for the privacy concerns of non-US companies.

    Companies that are looking to utilise cloud services (from any provider), should look at the privacy implications of the laws associated with the possible end location of the data. That advice applies regardless of the data ending up in the US, Iceland, Australia, Philippines or France. It should be part of the due diligence that is applied whenever any company is looking at using an outsourced partner (for cloud or traditional hosting services).
    OzDot
    • Cloud has nothing to do with it...

      @OzDot

      You misunderstand my point. The issue is here today with any US-headquartered company (IBM, HP, MS, Amazon etc) providing DC services based on DCs outside of the US. The key bit is the domicile of the HQ. A US-headquartered company is subject to US law. Including the Patriot Act.
      skiwi44
      • RE: Patriot Act affects European cloud adoption

        @skiwi44

        I am no lawyer, but since most multinational companies will be incorporated in each country they have major offices in, I suspect that as long as the data is not in the US and the contract for hosting/cloud services is with the locally incorporated country office, it would not be subject to the Patriot Act, but would instead be subject to the privacy laws of the country of incorporation and the country where the data is physically stored.

        I do work for a US-headquartered multinational (in Australia), and if some law was broken by the Australian incorporated branch, then the legal liability would be within Australia and would not extend to the US. Sure, some questions might get asked in the US, but unless the US branch also committed the same act, US charges could not be laid. A US Patriot Act order for information from an Australian company, hosted in Australia from what is effectively an Australian company (the Australian incorporated branch of the multinational) would I expect also need to go through the Australian legal system in order to get access to that data, regardless of where the HQ is.

        I am happy for an International IP Lawyer to correct me on this, but as I understand corporations law, limitation of legal liability is a part of the reason for doing it.
        OzDot
  • Any international equivalent of the Patriot Act?

    Hi, I was told that there are several bi-lateral treaties that have the same impacts as the Patriot Act. The info I'm seeking is to say "look guys, France can require the same from Germany" or "The UK can get data from Italy" and - if it exists - "Brazil can require data from Australia"... (all in the context of, for example, an Australian company having a data centre in Brazil)

    I'm trying to "tone down" the US Patriot Act by bringing awareness about similar treaties between other countries. But I can't find the info. Does anyone have an opinion/pointer? Thanks.
    slurpey