Head in the sand is not a data protection policy

Alastair Aitken, 15 September 2011

Whichever type of cloud computing it is that European organisations are adopting, whether it’s SaaS, PaaS or IaaS, those organisations appear to be taking a head-in-the-sand approach to the implications of the European Data Protection Directive.

The Directive regulates the processing of personal data within the European Union and, whilst the Directive itself is not legally binding, every European Union member state has implemented its own data protection legislation to conform with the Directive.

The transfer of personal data to a country outside the EU is only permitted if that country provides an “adequate” level of personal data protection. The US adopted a set of principles known as the US-EU Safe Harbor Framework in order to allow US companies to comply with the Directive.

On the surface, the subsequent introduction of the USA PATRIOT Act didn’t appear to cause any problems for the Safe Harbor Framework, but things weren’t all that they seemed. The Patriot Act appears to give US government security agencies the right to seize data in secret from any US company, including data held by its EU subsidiaries, at least according to an admission by Gordon Frazer, managing director of Microsoft UK, in June 2011.

One interpretation of the facts behind Gordon Frazer’s admission is that storing the personal data of EU citizens with a US company may be in violation of the Directive. Indeed, Microsoft disclaims responsibility for compliance with the Directive, placing it on the customer: “You, the customer, have … the responsibility under the law for making sure that we are following the rules and it is legal for you to be sending personal data to us.”

Amazon Web Services’ CTO, Werner Vogels, suggests that organisations using AWS encrypt their data in order to comply with the Directive. Encrypting data is an extra overhead that an organisation with full control over its systems must take on if it uses a US cloud computing provider, because the provider must only ever hold data it cannot read.

However, for an organisation using Software-as-a-Service (SaaS), this will simply not be possible: a SaaS application has to process the data itself, so it must be able to read it. Does this mean that companies operating in the EU cannot comply with the Directive if they use a US SaaS provider? Further, does it mean that US companies cannot comply with the Directive at all?

It would seem unlikely that US technology companies are going to accept such a situation that could, in theory, force them out of the EU market.

In the meantime, there would appear to be an opportunity for EU firms to enter the US-dominated SaaS market with indubitably European Data Protection Directive-compliant offerings.

Our view

Until further clarification is issued by the European Commission, EU organisations that store data with a company that is neither owned nor based in the EU should ensure that the personal data of all EU citizens is encrypted before it leaves their control. Whether it’s possible to use a non-EU SaaS to store personal data with any degree of confidence remains to be seen, and legal advice should be sought.
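What “encrypt the data before it leaves the organisation” means in practice is shown below, as an added example that is not part of the original article and not code from any of the providers named. It assumes an IaaS- or PaaS-style provider that merely stores opaque blobs (modelled here by a hypothetical in-memory ProviderStore), uses AES-256-GCM from Go’s standard library, and keeps the data key entirely on the organisation’s own systems. The object name is bound to the ciphertext as associated data so a blob cannot be silently moved or swapped. The sample record and object name are constructed values. This is exactly the pattern that cannot be applied to a SaaS application, which has to read the fields to do its job.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewDataKey generates a 256-bit AES key on the organisation's own systems.
// The key is never uploaded to the provider.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// The associated data (here, the object name) is authenticated but not
// encrypted, so a blob presented under a different name fails to open.
// A fresh random 96-bit nonce per object is fine for modest volumes; with
// very many objects under one key, derive per-object keys instead.
func Seal(key, plaintext, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, associated), nil
}

// Open reverses Seal. It fails if the blob was modified, truncated, or is
// presented with a different associated name.
func Open(key, blob, associated []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, associated)
}

// ProviderStore is a hypothetical stand-in for a bucket at a non-EU provider:
// it only ever receives and returns opaque blobs.
type ProviderStore map[string][]byte

func (s ProviderStore) Put(name string, blob []byte) { s[name] = blob }
func (s ProviderStore) Get(name string) []byte       { return s[name] }

// ContainsPlaintext reports whether any stored blob still contains the given
// field verbatim, i.e. whether the provider could read it off disk.
func (s ProviderStore) ContainsPlaintext(field string) bool {
	for _, blob := range s {
		if bytes.Contains(blob, []byte(field)) {
			return true
		}
	}
	return false
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	store := ProviderStore{}
	record := []byte("Example Person <person@example.eu>") // constructed sample
	name := []byte("customers/42")                         // constructed object name
	blob, err := Seal(key, record, name)
	if err != nil {
		panic(err)
	}
	store.Put(string(name), blob)
	fmt.Println("provider can read the e-mail address:", store.ContainsPlaintext("person@example.eu"))
	back, err := Open(key, store.Get(string(name)), name)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted on the organisation's side:", string(back))
}
```

The property the article’s recommendation relies on is visible in the two checks: the provider’s copy never contains the personal data in the clear, and only the holder of the key can recover it. A seizure of the provider’s storage yields ciphertext; the organisation’s key management, not the provider’s jurisdiction, then decides who can read the data.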

Alastair Aitken

As a contract developer and manager I’ve worked in a wide range of enterprises in a variety of countries, where I’ve encountered everything from great work, awful work and bizarre work, all the way down to quasi-legal work. If you think that you recognise your own organisation within my articles then you’re undoubtedly wrong; where you work isn’t that unique.
