Updated European law will close Patriot Act data access loophole


Summary: An updated European directive will patch the flaws in current laws that enable the Patriot Act to access cloud-stored data on European citizens.


BRUSSELS -- European lawmakers have been revising and updating the data protection laws that apply to all 27 European member states, after it was discovered that the United States can use the Patriot Act to access European citizens' data without their consent.

The European Commission's justice commissioner, Viviane Reding, met with German Consumer Protection Minister Ilse Aigner, discussed the new directive yesterday, and outlined plans for the updated law to compel any non-European company with customers or clients within Europe to comply with European regulations.

A statement said that the "European Commission will come forward with proposals to reform the 1995 Data Protection Directive by the end of January 2012".

"We both believe that companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business on our internal market", the joint statement added.

With regard to the cloud, the new law will not only modernise the data protection laws but will also counteract the effects of the Patriot Act in Europe.

The 1995 directive, which passed into the local legal system of each member state, is over 15 years old. It is widely considered outdated and flawed in light of technological developments, such as cloud computing, that have emerged since the directive was ratified.

During Microsoft's Office 365 launch, Gordon Frazer, managing director of Microsoft UK, admitted exclusively to ZDNet that the Patriot Act can be invoked by U.S. law enforcement to access EU-stored data without consent.

This alone set a precedent: an industry leader admitting that European data was neither safe nor protected from a foreign government, the United States.

Microsoft, Google, Amazon and any other U.S.-based organisation have to comply with local U.S. laws. Any data that is housed, stored or processed by a U.S.-based company is vulnerable to interception and inspection by U.S. authorities.

The new law will likely not go into effect for several years. Not only did it take three years for the 1995 directive to be ratified by the 27 European member states, but the new law will also have to undergo scrutiny, discussion, debate and stress-testing by European parliamentarians.

Companies such as the aforementioned cloud service providers will be given the chance to propose changes to the law in an effort to keep their services running without disruption.

One of the reported changes to the law could, if anything, drive up the use of cloud services by making the cloud service provider, rather than the "data controller" (the person or organisation that owns the data), liable for data that has been lost.

Facebook and other social networks could find themselves in hostile territory once the new laws are enacted, with EU Commissioner Reding already having the social networking giant in her crosshairs.


  • They are really slow with it.

    Not seriously interested in protecting the citizens' privacy.
    • RE: Updated European law will close Patriot Act data access loophole

      But at least Europe is moving in the right direction. I dislike belonging to the United Police States of America. It's shameful to be associated with a country that could enact a Patriot Act. So why do I stay? Simple, so I can cast a feline vote in favor of repeal.
    • Hold on...


      You're complaining that the EU isn't moving fast enough when the US is actively trying to go in the OPPOSITE direction and will certainly do what they can to block this?

      Perspective, amigo... perspective...
  • RE: Updated European law will close Patriot Act data access loophole

    Best of both worlds: anti-spying laws in Europe, and Microsoft Cloud software so we can just take the data through all the naturally occurring MS security holes...
    Tony Burzio
  • Finally

    Maybe cloud computing could eventually turn into a realistic proposition for companies in Europe.

    At the moment, the thought of being held accountable to the courts, customers and private individuals, because MS, Google, Amazon etc. gave MY data to the US Government, without informing me or the people it affected is abhorrent.

    Maybe this will give American based companies pause for thought. I have grave doubts, that it will slap some sense into the US Government though.
  • RE: Updated European law will close Patriot Act data access loophole

    I'm wondering how any law passed in the EU can affect the Patriot Act, other than something like "US Based Companies can't host data" which wouldn't fly. Any idea, Zack?
    • RE: Updated European law will close Patriot Act data access loophole

      The simple reply is in the article: "companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business on our internal market". In other words, companies will have to host ALL EU citizen data outside of the United States and partition it accordingly outside the laws of discovery in the US. Otherwise, EU will ban the sale of their services and goods. Period. Which is as it should be.
      • RE: Updated European law will close Patriot Act data access loophole

        @sleepdawg - As always, the US government does what it wants, including ignoring EU laws when they get in the way. Unless there is some elaborate compliance mechanism (and there isn't) this law will have little or no effect.

        Companies who cooperate with the US government will always get coverage, both political and bureaucratic. It will be impossible for EU countries to ding Microsoft if the US Dept. of Commerce could retaliate against Siemens or Philips or SAP.
        terry flores
      • That doesn't work...

        @sleepdawg According to the Patriot Act, as long as the Cloud company has an office in America, they must hand over data, even data stored outside the USA.

        The REAL problem here is, Google, Amazon, MS (I'll just use Google for brevity from here on) get the request, hand over the data, without telling the company whose data it is, or the customers, employees etc. whose data has been handed over (they are explicitly NOT allowed to inform them).

        That is the problem. The company whose data it is, is responsible for getting authorisation from each affected individual, BEFORE the data is exported outside the EU. Because Google handed over the data, without telling their customer, that customer was unable to fulfill his legal requirements, so faces fines and imprisonment and possibly getting sued by the individuals, whose data was handed over.

        Therefore, it is commercial suicide, at the moment, for a company to think of using a cloud service which is based in America.

        This is why the law needs to be changed - or more appropriately, the Patriot Act, which is unconstitutional even in America, should have its reach cut back or, better yet, be scrapped.

        It handicaps non-American businesses from using cloud solutions from companies that also have a presence in the USA. It handicaps US businesses (not just cloud providers), who want to do business with customers outside the USA, especially with customers in the EU - the American companies, here, have the same problem as the EU companies using cloud services, they have to illegally (from the EU customer's perspective) hand over personal data to the US Government, without either notifying the individuals or, more importantly, getting their consent to hand over the information.

        Inside the EU, the companies are protected by EU law. If an EU government wants the information, they have to go through an EU court and get a court order to see the data.

        The Patriot Act does not require the US Government to get an EU court order to get at the European data, it just forces the cloud companies involved to act illegally and put their customers at risk of prosecution.

        This also leaves a quasi loop-hole in the law, where the cloud provider can act "illegally", but isn't responsible for their actions, their customers are held responsible for the cloud provider's actions.
  • RE: Updated European law will close Patriot Act data access loophole

    Sadly this isn't about where the data is stored. It's about jurisdiction. A US based company will always have to abide by US law, they have no option. So MSFT, Amazon, Rackspace, Dropbox etc have no option but to comply with the US Patriot Act regardless of what legislation the EU passes.