USA PATRIOT Act: The myth of a secure European cloud?

This is the fourth and final installment in a series of posts that examine the principles governing the transfer of data across borders between the European Union and the United States, and the effect that the USA PATRIOT Act has on businesses, citizens and governments outside the United States. Although this is a U.S.-oriented site and I am a British citizen, the issues I surface here affect all readers, whether living and working inside or outside the United States.

[ See also: Case study: How the USA PATRIOT Act can be used to access EU data.]

There is no privacy in the European cloud, or any public cloud outside of the United States where a U.S.-based or wholly owned subsidiary company is involved.

Conclusion: The myth of a secure European cloud?

If you are a university that has outsourced data, storage or IT infrastructure to Google's Apps for Education, Microsoft's Live@edu or another cloud service provider, then you are a customer of these respective companies.

As a university, it is vital to remember that your students are also your customers. Organisations, universities and educational institutions should put their customers' needs and requirements at a high priority; arguably higher than that of internal bureaucracy regarding budgeting, financing and cost-cutting.

The effect that the USA PATRIOT Act could have on universities outside the United States is worrying. Those who study and permanently reside within the U.S. do so under the premise that they are aware of the legislation which enables law enforcement to maintain national security and prevent terrorism.

However, this is also imposed on institutions outside direct U.S. jurisdiction in the EEA member states of Europe. Permanent residents of the EU abide by the laws of their own respective country, which in some cases are put into practice through mutual agreement of their own and other EU member states.

But on another dimension, non-EU citizens allowed to study in EU universities on student visas, who have passed nationality and health screenings, security validation and identity checks, will be subject to U.S. laws if their school, college or university sign up to outsourced cloud-based email or storage. It's possible this could result in no visible or obvious action being taken towards such a student; at the other extreme, however, it could result in the student being barred from entering the United States without a disclosed reason.

Students from countries which are not deemed 'friendly' to the United States, coined the 'Axis of Evil' by former US President George W. Bush in 2002, even though passing the strict entry and security requirements for visas to an allied nation such as the United Kingdom, could be at higher risk by possessing a nationality which holds negative connotations to the US intelligence community.

Universities which provide 'international status' atmospheres to their brand, image and campus, by branching out to other European and international countries to set up campuses, could be the worst affected.

These institutions brand themselves as diverse and multicultural environments, and focus on fair and equal representation regardless of nationality, political stance or religion. For citizens of these deemed 'unfriendly' nations to discover their prospective university directly or indirectly hands over personal data to a country which considers their home state a potential threat, could deter a vast number of students from these institutions.

It could further damage already wounded diplomatic ties and tarnish the reputation of universities with an existing 'international status'.

If cloud data is handed over to the U.S. authorities through the invoking of the USA PATRIOT Act without informing the university or without the direct permission from them, the university as the data controller could be investigated and reprimanded by the local privacy authorities, such as the Information Commissioner's Office in the UK for being in breach of the UK Data Protection Act 1998.

This applies to every other EEA member state as the EU 'Data Protection Directive' 95/46/EU includes common principles which have been implemented in legislation of each subscribing European country.

During the course of the year researching this area, and after speaking to a number of senior university officials around the UK, I could not find a single official or representative who can guarantee that student data will not leave the EEA under any circumstances.

Until U.S. wholly-owned subsidiary companies that provide cloud services to EU customers state clearly and unequivocally, "under no circumstances will the data you provide us leave the EEA, even from a request under the USA PATRIOT Act", the privacy of cloud customers around the European Union and further afield will be at risk to laws that they are either unaware affects them, or do not consciously subscribe to in their current location.

If universities, businesses and organisations of any size inside the EEA choose to outsource their email, storage or IT infrastructure, there is one solution to ensure it will not be subject to the USA PATRIOT Act. EU customers should look for wholly-owned EU cloud service providers which provide EU only based datacenters, which is then protected by law since 1998 under the EU 'Data Protection Directive' 95/46/EU.

Leave your comments and thoughts below.