USA PATRIOT Act: The myth of a secure European cloud?

Summary: ZDNet's USA PATRIOT Act series: Concluding comments on the consequences of the USA PATRIOT Act for EU cloud data. And it's not good news.


This is the fourth and final installment in a series of posts that examine the principles governing the transfer of data across borders between the European Union and the United States, and the effect that the USA PATRIOT Act has on businesses, citizens and governments outside the United States. Although this is a U.S.-oriented site and I am a British citizen, the issues I surface here affect all readers, whether living and working inside or outside the United States.

[See also: Case study: How the USA PATRIOT Act can be used to access EU data.]

There is no privacy in the European cloud, or any public cloud outside of the United States where a U.S.-based or wholly owned subsidiary company is involved.

Conclusion: The myth of a secure European cloud?

If you are a university that has outsourced data, storage or IT infrastructure to Google's Apps for Education, Microsoft's Live@edu or another cloud service provider, then you are a customer of these respective companies.

As a university, it is vital to remember that your students are also your customers. Organisations, universities and educational institutions should put their customers' needs and requirements at a high priority; arguably higher than that of internal bureaucracy regarding budgeting, financing and cost-cutting.

The effect that the USA PATRIOT Act could have on universities outside the United States is worrying. Those who study and permanently reside within the U.S. do so under the premise that they are aware of the legislation which enables law enforcement to maintain national security and prevent terrorism.

However, this is also imposed on institutions outside direct U.S. jurisdiction in the EEA member states of Europe. Permanent residents of the EU abide by the laws of their own respective country, which in some cases are put into practice through mutual agreement of their own and other EU member states.

But on another dimension, non-EU citizens allowed to study in EU universities on student visas, who have passed nationality and health screenings, security validation and identity checks, will be subject to U.S. laws if their school, college or university signs up to outsourced cloud-based email or storage. It's possible this could result in no visible or obvious action being taken towards such a student; at the other extreme, however, it could result in the student being barred from entering the United States without a disclosed reason.

Students from countries which are not deemed 'friendly' to the United States, dubbed the 'Axis of Evil' by former US President George W. Bush in 2002, could be at higher risk, even after passing the strict entry and security requirements for visas to an allied nation such as the United Kingdom, simply by possessing a nationality which holds negative connotations for the US intelligence community.

Universities which provide 'international status' atmospheres to their brand, image and campus, by branching out to other European and international countries to set up campuses, could be the worst affected.

These institutions brand themselves as diverse and multicultural environments, and focus on fair and equal representation regardless of nationality, political stance or religion. For citizens of these deemed 'unfriendly' nations to discover their prospective university directly or indirectly hands over personal data to a country which considers their home state a potential threat, could deter a vast number of students from these institutions.

It could further damage already wounded diplomatic ties and tarnish the reputation of universities with an existing 'international status'.

If cloud data is handed over to the U.S. authorities through the invoking of the USA PATRIOT Act without informing the university or without direct permission from it, the university as the data controller could be investigated and reprimanded by the local privacy authorities, such as the Information Commissioner's Office in the UK, for being in breach of the UK Data Protection Act 1998.

This applies to every other EEA member state as the EU 'Data Protection Directive' 95/46/EU includes common principles which have been implemented in legislation of each subscribing European country.

During the course of the year researching this area, and after speaking to a number of senior university officials around the UK, I could not find a single official or representative who could guarantee that student data will not leave the EEA under any circumstances.

Until U.S. wholly-owned subsidiary companies that provide cloud services to EU customers state clearly and unequivocally, "under no circumstances will the data you provide us leave the EEA, even from a request under the USA PATRIOT Act", the privacy of cloud customers around the European Union and further afield will be at risk from laws that they are either unaware affect them, or do not consciously subscribe to in their current location.

If universities, businesses and organisations of any size inside the EEA choose to outsource their email, storage or IT infrastructure, there is one solution to ensure it will not be subject to the USA PATRIOT Act. EU customers should look for wholly-owned EU cloud service providers which provide EU-only based datacenters, which have been protected by law since 1998 under the EU 'Data Protection Directive' 95/46/EU.

Leave your comments and thoughts below.

  • if EU does not like the PATRIOTIC act

    they can make their own cloud and demand that any EU resident should use it!
    And while at it, block access to the American cloud!
    Linux Geek
    • RE: USA PATRIOT Act: The myth of a secure European cloud?

      @Linux Geek How would this affect UK-USA relations long term? Does the Patriot Act hinder such relations from foreign countries?
  • What if disclosure violates EU law?

    What if disclosure of information would violate EU/national privacy/data-protection law? Wholly owned EU subsidiaries of US firms are still subject to EU/national law, and even the US courts seem to accept this defence from US firms with non-US subsidiaries, provided the law is credibly enforced. A contract with an EU-based subsidiary of a US firm could also stipulate that any disclosure of information by that subsidiary (including to the parent) is a terminable act.

    I'd also like to know if EU firms that operate in the US (directly or via subsidiaries) are exposed to any risks from the USA Patriot Act (for non-US operations -- US operations are obviously at risk). According to some websites, any firms operating in the US are at risk, but I haven't found an authoritative source.
  • Legal test cases?

    A very good series of articles. Thanks.

    You've used the phrase "wholly owned" a bit during this series, which leads me to think that there's a grey area with partially owned companies. True?

    And what legal test cases are you aware of where data has been requested (and perhaps contested) from US subsidiaries outside the USA?
  • Interesting Series

    Good information on possible over reach into non US colleges and universities. Using a cloud service that is not entangled in US business is a partial solution. Are there other solutions or remedies to deal with the possible over reach of the Patriot Act?
    • RE: USA PATRIOT Act: The myth of a secure European cloud?

      @sboverie@... As far as I'm aware -- and would need a lawyer to really check -- but if you say in the UK, the only way would be to have a datacenter hosted on UK soil, hosted by a wholly owned UK company. If there's no links to the US, then it should be fine.
  • a datacenter hosted on UK soil, hosted by a wholly owned UK company

    Is there any such thing?

    Years ago, I thought I chose a wholly owned UK company to host a website I was registering and creating. A couple of years later, they became part of an American company, with no real choice for their customers!
  • RE: USA PATRIOT Act: The myth of a secure European cloud?

    This is wrong. Please sign petitions at the following:
    Huffington Post link is at:

    On, the link is,

    It'll just take a minute!
  • RE: USA PATRIOT Act: The myth of a secure European cloud?

    The Patriot Act should be revoked. Its most common use now is not to look for terrorists but to look at anyone who disagrees with the current administration. Since Homeland Security released a document in 2009 identifying nearly all veterans, anyone who belongs to a single focus organization (NRA or ACLU) and others as potential terrorists the use of the Patriot Act has shifted.