Updated European law will close Patriot Act data access loophole

An updated European directive will patch the flaws in current laws that enable the Patriot Act to be used to access cloud-stored data on European citizens.
Written by Zack Whittaker, Contributor

BRUSSELS -- European lawmakers have been revising and updating the data protection laws that apply to all 27 European member states, after it was discovered that the United States can use the Patriot Act to access European citizens' data without their consent.

The European Commission's justice commissioner Viviane Reding met with German Consumer Protection Minister Ilse Aigner and discussed the new directive yesterday. The two outlined plans for the updated law to compel any non-European company with customers or clients within Europe to comply with European regulations.

A statement said that the "European Commission will come forward with proposals to reform the 1995 Data Protection Directive by the end of January 2012".

"We both believe that companies who direct their services to European consumers should be subject to EU data protection laws. Otherwise, they should not be able to do business on our internal market", the joint statement added.

With regard to the cloud, the new law will not only modernise the data protection laws, but will also counteract the effects of the Patriot Act in Europe.

The 1995 directive, which passed into the local legal system of each member state, is over 15 years old. It is widely considered to be outdated and flawed in light of technological developments, such as cloud computing, that have emerged since the directive was ratified.

During Microsoft's Office 365 launch, Gordon Frazer, managing director of Microsoft UK, admitted exclusively to ZDNet that the Patriot Act can be invoked by U.S. law enforcement to access EU-stored data without consent.

This alone set a precedent that had not been seen before: an industry leader admitting that European data was neither safe nor protected from a foreign government, the United States.

Microsoft, Google and Amazon, along with any other U.S.-based organisation, have to comply with local U.S. laws. Any data that is housed, stored or processed by a U.S.-based company is vulnerable to interception and inspection by U.S. authorities.

The new law will likely not go into effect for several years. Not only did it take three years for the 1995 directive to be ratified by the 27 European member states, but the new law will also have to undergo scrutiny, discussion, debate and stress-testing by European parliamentarians.

Companies such as the aforementioned cloud service providers will be given the chance to propose changes to the law, in an effort to keep their services running without disruption.

One of the reported changes to the law could, if anything, drive up the use of cloud services, by making the cloud service provider liable for data that has been lost, rather than the "data controller", the person or organisation that owns the data.

Read more: Facebook and other social networks could find themselves in hostile territory once the new laws are enacted, with EU Commissioner Reding already having the social networking giant in her crosshairs.

