Members of the European Parliament have demanded to know what lawmakers intend to do about the conflict between the European Union’s Data Protection Directive and the U.S. Patriot Act.
The issue has been raised following Microsoft’s admission last week that it may have to hand over European customers’ data on a new cloud service to U.S. authorities. The company may also be compelled by the Patriot Act to keep details of any such data transfer secret. This is directly contrary to the European directive, which states that organizations must inform users when they disclose personal information.
“Does the Commission consider that the U.S. Patriot Act thus effectively overrules the E.U. Directive on Data Protection? What will the Commission do to remedy this situation, and ensure that E.U. data protection rules can be effectively enforced and that third country legislation does not take precedence over E.U. legislation?” asked Sophia In’t Veld, a member of the Parliament’s civil liberties committee.
Commissioner Viviane Reding, who is responsible for data protection, has in the past seemed to welcome a privacy protection bill introduced by senators John Kerry, a Massachusetts Democrat, and John McCain, an Arizona Republican, as a possible solution. “I welcome a draft Bill of Rights just introduced in the U.S. Congress as a bipartisan initiative of Democrats and Republicans. The Commission also shares the main objective of the Bill: strengthening individuals’ trust in new technologies through compatible standards,” she said.
Microsoft can already transfer E.U. data to the U.S. under the Safe Harbor agreement. But legal experts have warned that this agreement is hardly worth the paper it’s written on. There are seven principles of Safe Harbor, including reasonable data security, and clearly defined and effective enforcement. However all this is nullified if the Patriot Act is invoked.
“I’m afraid that Safe Harbor has very little value anymore, since it came out that it might be possible that U.S. companies that offer to keep data in a European cloud are still obliged to allow the U.S. government access to these data on basis of the Patriot Act, ” said Theo Bosboom, IT lawyer with Dirkzager Lawyers. “Europeans would be better to keep their data in Europe. If a European contract partner for a European cloud solution, offers the guarantee that data stays within the European Union, that is without a doubt the best choice, legally.”
The advice will come as a blow to the many cloud computing players registered in the U.S. including Microsoft, Facebook and Google. Microsoft’s new cloud service, which is due to be launched next week, will allocate geographic regions where customers’ data will be physically stored. But the computer giant could not guarantee that E.U. users’ information would not be disclosed: “In a limited number of circumstances, Microsoft may need to disclose data without your prior consent, including as needed to satisfy legal requirements, or to protect the rights or property of Microsoft.”
“I hope Commissioner Reding will respond soon, as this is really a key issue. Essentially what is at stake is whether Europe can enforce its own laws in its own territory, or if the laws of a third country prevail,” said In’t Veld. “I hope the Commissioner will ensure that the U.S. and other countries respect E.U. laws in E.U. territory. I don’t think the U.S. would be amused if Europeans (or other non-U.S. authorities) were to get access to databases located within U.S. jurisdiction.”