Joris V.J. van Hoboken, Axel M. Arnbak, and Nico A.N.M. van Eijk, Obscured by Clouds or How to Address Governmental Access to Cloud Data From Abroad

Joris V.J. van Hoboken, Axel M. Arnbak, and Nico A.N.M. van Eijk, Obscured by Clouds or How to Address Governmental Access to Cloud Data From Abroad

Comment by: Carter Manny

PLSC 2013

Published version available here:

Workshop draft abstract:

Governments, companies and citizens have started to move their data and ICT operations into the cloud. For cloud service customers, this development leads to a decrease in overview and control over governmental access to data for law enforcement and national security purposes. This is the main conclusion of a recent study by the authors for the Dutch education and research sector, a study that was widely covered in international media.  The study analyzes the legal possibilities for U.S. governmental agencies to gain access to cloud data of Europeans in the U.S. directly, and the implications thereof for the decision-making process by potential cloud customers. It finds that in U.S. laws on national security and law enforcement wide and relatively unchecked possibilities of access exist. This is the case for data of non-U.S. persons abroad held by cloud providers conducting business in the U.S. The study further concludes that the transition towards the cloud has important negative consequences for the possibility of cloud customers to manage information confidentiality and security, as well as the privacy and protection of data of European end-users in relation to foreign governments.

The mere possibility that information in the cloud could be accessed by foreign governmental agencies has started to impact decision making by potential cloud customers. Concerns of governmental and corporate customers spur market developments such as federated and encrypted solutions as well as ‘national clouds’ that are ‘Patriot Act Proof’.   These developments consequently affect market conditions and competition, impacting U.S.-based cloud services in particular. In addition, the possibility of foreign governmental access impacts the privacy of cloud end-users and causes chilling effects with regard to cloud computing use. When data confidentiality is found vital, the situation has led to calls for regulatory action and termination of cloud contracts – such as in cases of medical data storage in electronic patient record systems and biometric data processing in relation to passports.  Furthermore, the mere possibility of access from the U.S. continues to be the subject of high-level legal and political debate in Trans-Atlantic discussions about the protection of privacy and information security in the cloud, most notably in the context of the hotly debated revision of the EU regulatory framework on data protection.

This paper will go beyond the previous study on the legal state of affairs and its impact on decision-making about the cloud, and will address the question if, and if so, how the laws in Europe could be adapted to better protect the privacy and information confidentiality interests of cloud computing end-users.

It will first address the ongoing EU data protection revision, which is seen by many as the proper instrument to ensure that foreign governmental access to cloud data meets EU standards of privacy and information security. However, the EU Data Protection Regulation clearly excludes national security regulations from its material scope (Article 2[2a] of the proposal). Nonetheless, the January 2013 draft report of the European Parliament rapporteur  introduces prior authorization of national supervisory authorities as an additional safeguard (Article 43a). Due to the exclusion of ‘national security’ from the material scope of the proposed Regulation and EU law in general, such proposals to address foreign cloud surveillance may prove to be ineffective. The complex relation between EU privacy laws and national security does, however, pose more fundamental questions, also in a strictly European context. For example, data availability and data access for law enforcement and national security purposes are increasingly interdependent in today’s information environments. The further privatization of surveillance that the transition to the cloud environment enables – meaning that personal data is collected by private entities and subsequently accessed by public authorities – may be an argument in favor of introducing additional legal safeguards on data collection and use in a regulatory initiative that is primarily targeted at industry stakeholders.

Second, the paper will assess whether improving oversight over foreign governmental access at the national and international level could be a better approach. In practice, data transfers between different state authorities in the sphere of national security seem to be mediated by a pragmatic “quid-pro-quo approach”.  The resulting exchange between governmental agencies in different countries introduces a dynamic of its own with respect to data collection, the construction of privacy safeguards in relevant laws, and the national oversight over their use in practice.  Such oversight is currently mostly focused on the relation of governmental agencies towards their own residents. This stands in contrast with the increased possibilities of gaining access to data from people abroad.

At a recent hearing in the European Parliament, EU Commissioner Viviane Reding declared that no third-country legislation overrules the European privacy regulations, and that “the International Court of Justice based in The Hague is the final arbiter on such disputes”.  Her statement will not be the final word on this matter, but does illustrate the complex political landscape associated with regulating foreign cloud surveillance. Nevertheless, the reality of today is that foreign data access is obscured by the cloud, with serious consequences for decision-making about cloud providers across the globe. The question of how the European regulator should respond becomes more relevant by the day.