Recent Article copied from forbes.com
A top concern of moving to the cloud, particularly in Europe, is the patchwork of laws that leave many unsure of how to proceed. In Europe, a very stringent legal framework is in place with criminal sanction for companies and individuals that break EU data protection laws. Access to and sharing of EU citizens’ personal data is tightly controlled, including requirements for notification of data releases. In the U.S., while data laws are significantly more flexible, frameworks do exist, meaning European companies operating there also need to comply with U.S. laws.
In particular, laws such as the U.S. Patriot Act have further complicated the situation. Both Amazon Web Services and Microsoft have recently acknowledged that they would comply with U.S. government requests to release data stored in their European clouds, even though those clouds are located outside of direct U.S. jurisdiction and such releases would conflict with European laws. Does this mean, however, that European companies and individuals using U.S.-company-operated clouds are breaking EU law?
Key Factors: Location and Control
There are two important factors affecting the treatment of data. Firstly, knowing where it is physically located, as this determines the legal jurisdiction presiding over that data. For example, data stored in Germany is subject to German and EU law, whereas data stored in the U.S. is only subject to U.S. law. It’s also important to consider where customer records are kept, as sometimes they may be replicated beyond the raw data storage. For example, a company operating a public cloud may hold uploaded data in one place (the main published cloud location), but keep copies at its corporate HQ, which may be in another country.
Secondly, knowing who controls the data is key as some country laws place obligations on companies beyond that country’s borders. For example, since a U.S. company operating in Europe is still subject to the U.S. Patriot Act, the European customers using those services are exposing themselves to U.S. jurisdiction. It’s important to note that subsidiaries of U.S. companies are also subject to the same U.S. data access abroad.
Implications of the U.S. Patriot Act in Europe
European law strictly mandates the treatment of EU private citizens’ data with strong sanctions against breaches. Additionally, there are clear and specific notification requirements if data is shared with third parties. In contrast, the U.S. Patriot Act requires U.S. companies (and their foreign subsidiaries) to comply with U.S. government data requests regardless of location, provided that data is under the control of a U.S. company. Furthermore, by the same U.S. law, such data sharing is not allowed to be revealed to a third party, directly conflicting with European disclosure requirements.
Based on these facts, a U.S. company (or local subsidiary) controlling data in Europe must comply with EU data protection and notification laws, but is also subject to the onerous U.S. Patriot Act requirements, which are incompatible. In such a situation, it’s reasonable to assume that a company would comply with its ‘home’ jurisdiction, particularly if data disclosures are required to be private. U.S. companies controlling EU citizens’ data in Europe are therefore in an impossible situation if they have to release data under the U.S. Patriot Act. The Safe Harbor Framework, designed to avoid this, has proved ineffective, as recently admitted by major U.S. companies operating in Europe.
So, the question remains – for companies holding EU citizens’ data in Europe, does placing such data under the control of a U.S.-based entity expose them to legal consequences? The simple answer is yes. If a German company were to place their customers’ data under the control of a U.S. entity or subsidiary, they could be held liable for any subsequent data release.