Just about the last thing the world economy needs right now is a trumped up, digital trade war about electronic data stored and processed on servers located virtually anywhere. However, unless the governments of the United States and Europe, and multinational tech companies, start talking soon about reconciling and simplifying international data protection rules, some ominous storm clouds could threaten transatlantic eCommerce.
Given the staggering potential of Cloud computing to promote economic growth, it is well worth preventing transatlantic privacy wars from bogging down and Balkanizing the Cloud. Policymakers and business people on both sides understand the power and benefits of Cloud computing for commerce, consumers, and economic growth. In fact, the former White House Chief Information Officer, Vivek Kundra, established a “Cloud First” policy for new government expenditures on IT resources and the Cloud Strategy he published for the White House in February 2011 estimated that $20 billion of the federal government’s $80 billion IT budget could be shifted to the Cloud. His White House strategy document gushed that “cloud computing will not just be more innovative than we imagine; it will be more innovative than we can imagine”!
Unfortunately, whether inspired by polemics, protectionism or genuine privacy concerns, some European officials are speaking up against Cloud computing because of unwarranted fears about the data protection practices of US companies. For example, in September, the Dutch minister of safety and justice cited the USA Patriot Act to exclude U.S. providers of “cloud computing” services from bidding on Dutch government contracts, and a member of the Dutch parliament proclaimed that “data from Dutch citizens that is managed by the government should exclusively be stored within Dutch borders using Dutch companies” in order to guarantee the privacy of Dutch citizens. Even the United Kingdom’s Liberal Party worried recently that “cloud computing is an area where, if left unchecked, there is serious potential for abuse – for example, large corporations taking control of enormous quantities of public or private data outside the reach of national law.”
With all of this digital xenophobia, it is no surprise that a provincial privacy commissioner for Schleswig-Holstein in Germany ruled earlier this year that the only permissible Cloud in Europe is a European Cloud. This inspired Deutsche Telekom to petition the German government to certify German and European Cloud providers because certified German computer companies will be “well-positioned if we can say we're a European provider in a European legal sphere and no American can get to them.” The Deutsche Telekom official didn’t pull any nationalistic punches when he promised that “A German cloud” would be a “safe cloud.”
In truth, US privacy practices, and even the Patriot Act, can withstand comparison to the powers and practices of European governments. While the US bears the brunt of criticism from privacy advocates, every European government has as much legal authority to conduct digital surveillance and obtain personal information about individuals as does the US government. In fact, the EU’s own privacy bible, the Data Protection Directive, contains an express derogation of personal privacy allowing member states to protect national security and conduct law enforcement. And the European governments are not shy about using their extensive powers of surveillance and monitoring. Indeed, Google – which publishes statistics about the government data requests it receives – reports that Germany, the Netherlands and other EU member states are all pretty well practiced requesting and acquiring personal information directly from that American Cloud service provider.
The Patriot Act is not the only problem US Cloud providers face in Europe. There is an ongoing battle between the US and Europe regarding how to protect the privacy of personal information. At present, the EU Data Protection Directive actually prohibits the transfer of personal information from Europe to the United States. The prohibition goes so far as to block the ability of a company to send data about its own employees from the company’s offices in Europe to its offices in the US, unless the American company jumps through certain rather complex procedural rings of fire. This is because the EU has taken the official position that the US approach to data protection is “not adequate,” that is, not up to European standards – largely because America doesn’t have a single comprehensive federal privacy law and an independent federal privacy commissioner.
While the US and Europe do indeed have different procedures for assuring protection for private information, the substance of data protection is more comparable across the ocean than the EU has so far given us credit for. To achieve “data protection détente,” the US side thus needs to engage Europe more effectively on the digital standards for global commerce. The imagined privacy gap does not really exist. In truth, American business and government can make a compelling case for the US data protection regime: we have myriad federal and state privacy and data security statutes (many with private rights of action and statutory damages), comprehensive data breach notification laws, common law privacy torts, federal and state prohibitions against unfair and deceptive practices, and aggressive (multi-million dollar) enforcement by the Federal Trade Commission, state attorneys general, and the plaintiffs’ bar.
There are some new rays of hope for such digital détente. European Justice Commissioner Viviane Reding understands that “Our societies have been transformed as users embrace social networks, blogs, newsfeeds and shared bookmarks that are kept in the cloud. Companies cut costs by outsourcing data storage tasks.” And EU Digital Agenda Commissioner Neelie Kroes has acknowledged that because the Cloud is “by definition a global issue,” “Europe should work with the U.S. and Asia in setting policy.”
More business and government dialogue with Europe is needed to tamp down undue suspicion regarding the Patriot Act, and help ameliorate the current international imbroglio over privacy. A transatlantic digital initiative to rationalize online standards will allow international Cloud providers to benefit businesses and consumers around the globe. The current legal quagmire of divergent, muddled and unduly complicated national rules may be protectionist, but it is not really protecting anybody’s privacy.
This article first appeared in The Washington Times.
The views expressed in this article are exclusively those of the author and do not necessarily reflect those of Sidley Austin LLP and its partners. This article has been prepared for informational purposes only and does not constitute legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this without seeking advice from professional advisers.