Caspar Bowden, Don't put your Data in the Cloud, Mrs. Reding

PLSC 2013

Workshop draft abstract:

This multidisciplinary paper assesses the privacy situation of European citizens when their personal data is transferred to Cloud computing systems under United States jurisdiction, with particular reference to the FISA Amendments Act of 2008 (FISAAA). The technical varieties of Cloud computing are analysed in terms of the 1995 EU Data Protection Directive and the proposed new Regulation, and the mechanisms envisaged for legitimating transfers are examined, together with the origins of these "derogations" in the Council of Europe's Convention 108.

The analysis of the United States position begins with precedent rulings on the inapplicability of 4th Amendment protections to non-US persons located outside the US, in the light of the political and media controversy attending the "warrantless wiretapping" affair and whistle-blower allegations of mass-surveillance programs illegally impacting US persons. The terms of FISAAA §1881a (now also known as FISA section 702) are reviewed with particular attention to the inclusion of obligations on providers of "remote computing services" (absent from the interim Protect America Act of 2007), the definition of "foreign intelligence information", and the concept of ex post facto "minimization" of the privacy consequences for US persons. A pattern of bipartisan secrecy and redaction of documents and court rulings around the time of FISAAA's passage in 2008 and renewal in 2012 is scrutinized, together with propaganda efforts by the US government and industry to neutralize foreign concerns over Cloud surveillance powers; taken together, these strongly indicate a covert policy of concealment by omission, misdirection, and specious reasoning.

Alternative technical means of conducting very large scale surveillance of the Cloud are reviewed, as well as architectural specifications emerging from standards bodies. Specific modalities of Cloud surveillance are distinguished from ordinary interception of communications, and brief comparisons are made with what can be inferred about "secret interpretations" of section 215 of the USA PATRIOT Act. The EU/US Safe Harbour Agreement of 2000, and in particular the new notion in the EU Regulation of "Binding Corporate Rules for data processors", which was ostensibly devised to be suitable for Cloud transfers, are then critiqued as vulnerable to foreseeable relevant risks, and anomalies in the Opinions of regulatory authorities are highlighted.

Finally, the jurisprudence of the European Court of Human Rights is reviewed to locate certain lacunae in the tests applied thus far for the lawfulness of secret strategic communications surveillance, arising from universal versus nationality-based conceptions of human rights. Nevertheless, signatory states are obliged to provide effective measures to protect the rights of those within their jurisdiction, irrespective of unresolved conflicts of international public law. The conclusion is that transfers of Europeans' data to US-controlled Clouds are impermissible, at the very least absent repeal of certain clauses of FISAAA and new binding treaties offering explicit guarantees. Recommendations are offered to the European Parliament for measures which could have some mitigating, dissuasive and deterrent effects, with reflections on the fractured governance of EU privacy by institutions which either failed to detect, or acquiesced in, the construction of complex legal antinomies over several years.