Listen to this article
Since 2000, US cloud providers have relied on the Safe Harbour agreement with the EU. This assured the providers and their European clients that employee and customer data sent to US-based servers would be subject to the same data protection rules as if they were kept in Europe.
So when the European Court of Justice ruled last October that the Safe Harbour accord was invalid as it did not do enough to protect that EU data from US government surveillance, those same cloud providers rushed to assure their customers that they were on top of the situation.
For one provider, NetSuite, the timing could not have been better. The day Safe Harbour fell, Zach Nelson, the chief executive, was in London to announce plans to open data centres in Dublin and the Netherlands. This, he said, would enable the company’s customers to keep data on their employees and customers on EU soil.
Other cloud providers made similar moves. Amazon’s chief technology officer, Werner Vogels, said in a blog post that the company’s Amazon Web Services hosting business would open its first UK-based data centre — its third in the EU — by early 2017. Microsoft also unveiled plans for two UK data centres for its Azure cloud business.
But not every US-based cloud provider offers EU-based data centres and even those that do may not be immune to legal problems in the future, warns Nicola Fulford, head of data protection and privacy at law firm Kemp Little.
Microsoft, for example, is embroiled in a long-running dispute with the US government over requests to see emails held in its Irish data centre. The US government argues that US-based companies have a legal obligation to comply with such requests, regardless of where data are stored. More worrying still for European cloud customers and their US suppliers, Ms Fulford says, is continuing uncertainty over an acceptable replacement for Safe Harbour.
In February, the EU-US Privacy Shield agreement finally emerged after much wrangling between Brussels and Washington. The deal is expected to come into effect from June this year.
However, in April a group of national data protection watchdogs known as the Article 29 Working Party rejected Privacy Shield, announcing that, in its current form, the deal is not robust enough to get their support.
The FT reported that the regulators had criticised the agreement for failing to limit “massive and indiscriminate” collection of data by US authorities and for not guaranteeing the independence of an ombudsman who will deal with complaints from EU citizens.
“The path for adoption of the Privacy Shield was never expected to be easy, but the breadth and specificity of the shortcomings perceived by [the Article 29 Working Party] will make subsequent legal attacks significantly more likely to succeed, even if further negotiations between the US and EU can find ways to address the problems,” says Robert Cattanach of law firm Dorsey & Whitney.
“It’s difficult for customers who want to move forward with cloud deals and difficult for vendors who want to keep signing deals,” adds Ms Fulford.
Companies are left to fall back on contractual mechanisms to safeguard data, which are complex and expensive to put in place and still cannot offer guarantees in a shifting legal landscape.
“The real impact could be on potential customers who may hesitate to upgrade to modern, cloud-based business systems,” says Mr Nelson of NetSuite. “That’s bad for the European economy.”