Indigenous European cloud needed to defeat NSA surveillance, says report

Privacy advocate calls for tougher data protection penalties

A report commissioned by the European Parliament urges the European Union to encourage development of local cloud computing capacity based on open source software as a way of safeguarding against U.S. intelligence community surveillance.

The report (.pdf), written by former Microsoft Chief Privacy Adviser Caspar Bowden (now an independent privacy advocate), also finds that the U.S.-EU Safe Harbor Framework fails to protect against U.S. interception of European citizens' cloud-processed data. Bowden calls on the parliament to consider reinstating a deleted article from the proposed General Data Protection Regulation that would prohibit third countries from accessing personal data in the European Union without prior authorization from a European data protection authority.

Consideration of the data privacy regulation, which would update a privacy regulation approved in 1995, has been bogged down this summer in the Civil Liberties, Justice and Home Affairs committee. The committee has three times postponed a binding vote on the regulation as it ploughs through the more than 3,000 offered amendments. The committee is set to meet Sept. 24 in a hearing called over U.S. surveillance.

Bowden's report notes that the deleted clause from the regulation known as Article 42 has issues that would need to be addressed, including whether it would be effective. Compliance with it by American companies could cause executives to risk espionage charges from the federal government.

Parliament should increase the penalty for violations of European data protection regulations, Bowden says, stating that the current treatment of data protection offenses as minor offenses is "no deterrent against a calculated strategy to ignore EU law, weighed against the penalties applicable under U.S. law." A fine amounting to 20 percent of global revenue for data protection violations "may be needed to persuade such corporations to reckon seriously with Article 42 compliance."

So far Europe has almost no indigenous cloud platforms that can compete on cost, features or reliability with U.S. providers, he says. The International Trade Administration says (.pdf) cloud computing doesn't create any unique issues for the Safe Harbor agreement, which was signed in 2000 and which requires American private sector signatories to follow principles of the 1995 EU privacy regulation in exchange for European data protection authorities' approval of their Internet services for European uses.

The agreement has only created the "semblance of legal control over EU data" since it "left ambiguous whether it covered the situation of remote processing of data inside the United States," Bowden argues. Model privacy contract language developed by the European Commission requires companies handling data to tell European customers about legally binding requests to view that data, unless the request carries a secrecy requirement. That amounts to turning an institutional blind eye to intelligence community surveillance, Bowden says.

"Every organizational actor has an incentive to turn a blind-eye under these arrangements. The Commission so they can maintain 'high standards' of data protection are observed, [data protection authorities] so as not to expose their technical limits and exhaust their limited resources in expensive legal actions, member states whose security hierarchies benefit from access to U.S. counter-terror information, and business in EU and the U.S. who simply want to transact without awkward questions of state mass-surveillance continually arising," he writes.

For more:
- download the report, "The US National Security Agency (NSA) surveillance programmes (PRISM) and Foreign Intelligence Surveillance Act (FISA) activities and their impact on EU citizens' fundamental rights" (.pdf)
