This executive summary recaps a series of posts and a year's worth of research on how the USA PATRIOT ACT impacts cross-border clouds, and considers whether data is safe from the risk of interception or unwarranted searches by U.S. authorities; even European protected data.
Although this is a U.S.-oriented site and I am a British citizen, the issues I surface here affect all readers, whether living and working inside or outside the United States.
U.S. law enforcement could use the USA PATRIOT Act on a U.S.-based organisation -- like Microsoft, Google, Intel or Amazon, for example -- to force its local subsidiary companies across the world into handing over user data to U.S. authorities.
EU data once may have 'had to stay in Europe', but this is on the most part untrue. The Safe Harbor framework, designed to protect EU data in the United States, protects merely the transfer of data from Europe to U.S. soil. But as soon as it arrived on U.S. soil, Safe Harbor can be superseded by America's counter-terrorism law.
U.S. corporations survive by having subsidiary or smaller companies in foreign locations, to communicate and collaborate with their clients on the ground in their locale. These subsidiary companies are wholly owned and controlled by their U.S. parent. If a U.S. parent company receives a request from the U.S. government to inspect data held by a subsidiary company in a foreign location, the subsidiary would therefore have no choice but to hand over the data to their U.S.-based parent.
No company or organisation can wholly guarantee that data in European datacenters will under no circumstances leave European soil. Until a company comes forward and unequivocally states otherwise, then this series of posts stands true.
The 'cloud' is an abstract concept to newcomers: Access is granted from any device anywhere in the world. It stores files under your name, from photos to video and work documents. But in reality, these files are on a server in a datacenter -- on sovereign territory, somewhere, where a government's law applies.
Though the notion of 'privacy' in itself has become diluted with social networking settings and the loss or theft of mobile devices, privacy in itself relates directly back to the individual. As previously discussed, there is no such thing as "I have nothing to hide".
More often than not, this will be the United States; even if you live elsewhere in the world. The vast majority of ordinary citizens will think nothing of this conundrum. They should start paying attention along with the businesses that control vast quantities of citizen data.