European companies 'need confidence' over Patriot Act concerns

One Dutch member of the European Parliament is on a mission: to clarify the reach of the Patriot Act in Europe, and to amend laws to prevent its reach.
Written by Zack Whittaker, Contributor

European businesses and companies are increasingly concerned about the revelations earlier this year that the USA Patriot Act can be invoked to access cloud-stored data in Europe and further afield, according to a European lawmaker.

Today, as Europe's lawmakers are about to start up again after the summer vacation, one Dutch member of the European Parliament (MEP) is championing on behalf of her European citizens to get important questions regarding data transfer answered from the U.S. government.

In June, Microsoft finally admitted what most had suspected -- that European data held in EU datacenters, provided by any cloud service provider with a U.S. headquarters, cannot guarantee that data will not be handed over to U.S. authorities for interception or intelligence gathering.

It comes only days after Jeff Bullwinkel, director of legal and corporate affairs at Microsoft Australia, all but outright said that under the Patriot Act, Microsoft cloud-stored data inside Europe and elsewhere was 'never secure'. In a blog post, he added even more pressure on businesses in Australia, and more reason to avoid the U.S.-linked cloud altogether.

Sophie in 't Veld, along with four other members of the European Parliament, is calling on Viviane Reding, the European Commissioner for justice, fundamental rights and citizenship, for "clarification" to answers given pertaining to the Patriot Act's reach in Europe.

The Dutch MEP and vice-chair of the European Parliament's Civil Liberties, Justice and Home Affairs committee, raised questions to the European Commission, shortly after ZDNet began exploring the reach of the Patriot Act outside of the United States.

But in 't Veld is not at all content with the reply she received from Commissioner Reding, and is asking for further clarification.

in t' Veld had asked questions many chief information officers and citizens alike had been asking for years:

"Is the Commission aware that on the basis of the Patriot Act, the U.S. authorities can access personal data stored in the EU by companies with headquarters in the U.S.?"

Crucially, the last question asks what the European Commission do to "remedy this situation", to ensure that "third country legislation [in this case, the United States] does not take precedence over EU legislation?".

Commissioner Reding's reply [in Dutch] missed the point completely, and glossed over the crucial questions that the MEP's had put to her.

Sarah Ludford, one of the four other MEP's asking for further clarification, called the Commissioner's reply "alarmingly evasive", adding: "It fails to clearly assert that EU data protection law always applies to EU-stored data and dodges the issue of how a firm based in the US can resist US demands for access to such data."

in 't Veld said on the Dutch D66 party blog today, that she has responded to a "very unsatisfactory response", adding: [translated]

"The European Commission should quickly make it clear that European businesses and citizens are under European privacy laws. European citizens and businesses need to be confident that EU institutions enforce their own laws."

Keen to stress that though EU subsidiaries of U.S. parent companies are breaking European law by handing over data back to the United States under a Patriot Act request, that while these subsidiaries are operating within Europe, EU law must take precedent.

"The European Commission should urgently contact the U.S. government and make clear that we do not accept."

Posting to Twitter, in 't Veld said: "companies in the EU cannot be sure what jurisdiction they are in -- the EU or the U.S.".

In her reply to Commissioner Reding, the Dutch MEP reiterated that:

"[...] Your reply does not clarify the situation of companies operating in the EU, that equally have a presence (either headquarters or other activities) in the U.S.

In that situation, through its presence in the U.S., that company would be under U.S. jurisdiction indeed. The U.S. considers that the European activities, including databases, of those companies automatically fall within U.S. jurisdiction."

The issue of subpoenas and National Security Letters -- written devices which apply gagging orders on those who are told to hand over data -- also arose in the reply to the Commissioner.

"EU based companies are currently facing US subpoenas under the Patriot Act, as described in the Written Question.

They are obliged to submit data stored in Europe to the U.S. authorities, thereby probably violating EU laws. Formally, it is for those companies to refuse to comply with the subpoena. However, we recognise that in practice this is very difficult."

The European Data Protection Directive, which makes up the basic level of each European member states' data protection laws, is likely to be changed in the coming months and years.

Next week, in 't Veld's European Privacy Platform, which will debate this topic heavily, may yield a clearer response from the Commissioner.

Related content:

Also read ZDNet’s Patriot Act series:

Editorial standards