One of the weak points in the new European data protection regulation that privacy advocates have been warning about is the ease with which data can be exported from the EU into FISAAA-ready services in the USA. In short, the European Commission has been trying to make “data exports” easier, but in the process has made it harder to enforce our fundamental privacy rights.
The Commission's position on data exports relates to its cloud strategy. It sees the use of cloud computing as a way to enable EU businesses to save costs and become more efficient, and hopes this will increase European competitiveness in a global marketplace. The argument runs that the current data protection rules make full use of cloud computing impossible because of the restrictions they impose on data exports, since all the big cloud providers are non-EU.
As Caspar Bowden and Judith Rauhofer point out in their recent paper, this argument leads to a position where data protection rights become largely unenforceable as soon as data moves outside the EU via data exports. In short, if the US enacts FISAAA laws and initiates PRISM, there is not much that the new data protection laws can do to help, especially as they are currently drafted.
Rauhofer and Bowden also reference a paper produced back in January by the European Economic and Social Committee. The EESC pointed out the problem with the Commission’s economic argument: an increase in the uptake of cloud services provided by mostly US-based companies will lead to a loss of sovereignty by EU businesses and the public sector, not only over personal data, but also over commercially sensitive information and trade secrets:
Recent decades have demonstrated the significance of the dependency of the Member States - or even of Europe as a whole - regarding various sources of energy: petrol, gas, electricity, etc. Should European citizens', businesses' and public services' data in future be hosted, managed and controlled by non-European CC operators, there would be legitimate concerns surrounding the impact of this dependency:
- protection of particularly sensitive data that are crucial to strategic competition between European and non-European countries, such as in the aviation, automotive, pharmaceutical and research sectors;
- the availability of data in the event of international tensions between "host" countries and Member States;
- equality of treatment of consumers of digital energy depending on whether or not they are citizens or organisations of a "friendly" country;
- job and wealth creation from the production of digital energy, and also from the entire service development ecosystem, in the host countries, thus disadvantaging countries that are simply "cloud-friendly" users of digital energy. …
3.5 Currently, although there are some differences between the Member States' regulations, they are close to the European texts, standards and directives; hence users' fears - in some cases justified - of their data being stored outside Europe, leading to difficulties and legal stalemates in the event of disputes.
In addition, the greatest cause for concern among users is the "Patriot Act". This act came out of the war on terror (following the September 11 attacks), and allows the US government or a federal judge to access any data hosted and controlled by an American company, whether or not the owner of the data is American and including data hosted in a centre on European soil. Above all, the owner of the data cannot be informed that the host has disclosed the hosted data.
After Edward Snowden’s revelations about PRISM, now that the public and EU Parliament are more aware of the effects of FISAAA as well as the Patriot Act, there is a very high risk that EU businesses will lose trust in cloud services to everyone’s detriment.
This also creates an opportunity: data protection law can allow citizens and businesses to manage these risks. The increased privacy of European-based services could make them more competitive, especially for businesses that must protect their confidentiality, as the EESC points out. But the EU Parliament will have to be open to making some significant changes, including improving notification and insisting that US and other states’ surveillance laws are only applied to EU data in the context of international laws and agreements. This was the intention of Article 42, which should now be reinstated.