Just about the last thing the world economy needs right now is a trumped-up digital trade war over electronic data stored and processed on servers located virtually anywhere. However, unless the governments of the United States and Europe and multinational tech companies start talking soon about reconciling and simplifying international data-protection rules, some ominous storm clouds could threaten trans-Atlantic e-commerce.
Given the staggering potential of cloud computing to promote economic growth, it is well worth preventing trans-Atlantic privacy wars from bogging down and balkanizing the cloud. Policymakers and businesspeople on both sides understand the power and benefits of cloud computing for commerce, consumers and economic growth. In fact, former White House Chief Information Officer Vivek Kundra established a “cloud first” policy for new government expenditures on information technology (IT) resources, and the cloud strategy he published for the White House in February estimated that $20 billion of the federal government’s $80 billion IT budget could be shifted to the cloud. His White House strategy document gushed that “cloud computing will not just be more innovative than we imagine; it will be more innovative than we can imagine.”
Unfortunately, whether inspired by polemics, protectionism or genuine privacy concerns, some European officials are speaking up against cloud computing because of unwarranted fears about the data-protection practices of U.S. companies. For example, in September, the Dutch minister of safety and justice cited the USA Patriot Act to exclude U.S. providers of cloud computing services from bidding on Dutch government contracts, and a member of the Dutch parliament proclaimed that “data from Dutch citizens that is managed by the government should exclusively be stored within Dutch borders using Dutch companies” in order to guarantee the privacy of Dutch citizens. Even the United Kingdom’s Liberal Party worried recently that “cloud computing is an area where, if left unchecked, there is serious potential for abuse – for example, large corporations taking control of enormous quantities of public or private data outside the reach of national law.”
With all of this digital xenophobia, it is no surprise that a provincial privacy commissioner for Shleswig-Holstein in Germany ruled earlier this year that the only permissible cloud in Europe is a European cloud. This inspired Deutsche Telekom to petition the German government to certify German and European cloud providers because certified German computer companies will be “well-positioned if we can say we’re a European provider in a European legal sphere and no American can get to them.” The Deutsche Telekom official didn’t pull any nationalistic punches when he promised that “a German cloud” would be a “safe cloud.”
In truth, U.S. privacy practices, and even the Patriot Act, can withstand comparison to the powers and practices of European governments. While the United States bears the brunt of criticism from privacy advocates, every European government has as much legal authority to conduct digital surveillance and obtain personal information about individuals as does the U.S. government. In fact, the EU’s own privacy bible, the Data Protection Directive, contains an express derogation of personal privacy allowing member states to protect national security and conduct law enforcement. The European governments are not shy about using their extensive powers of surveillance and monitoring. Indeed, Google, which publishes statistics about the government data requests it receives, reports that Germany, the Netherlands and other EU member states are all pretty well practiced at requesting and acquiring personal information directly from that American cloud service provider.
The Patriot Act is not the only problem U.S. cloud providers face in Europe. There is an ongoing battle between the United States and Europe regarding how to protect the privacy of personal information. At present, the EU Data Protection Directive prohibits the transfer of personal information from Europe to the United States. The prohibition goes so far as to block the ability of a company to send data about its own employees from the company’s offices in Europe to its offices in the States unless the American company jumps through certain rather complex procedural rings of fire. This is because the EU has taken the official position that the U.S. approach to data protection is “not adequate,” that is, not up to European standards – largely because America doesn’t have a single comprehensive federal privacy law and an independent federal privacy commissioner.
While the United States and Europe do indeed have different procedures for assuring protection for private information, the substance of data protection is more comparable across the ocean than the EU has so far given us credit for. To achieve “data-protection detente,” the U.S. side thus needs to engage Europe more effectively on the digital standards for global commerce. The imagined privacy gap does not exist. In truth, American business and government can make a compelling case for the U.S. data-protection regime: We have myriad federal and state privacy and data-security statutes (many with private rights of action and statutory damages), comprehensive data-breach notification laws, common-law privacy torts, federal and state prohibitions against unfair and deceptive practices, and aggressive, multimillion-dollar enforcement by the Federal Trade Commission, state attorneys general and the plaintiffs’ bar.
There are some new rays of hope for such digital detente. European Justice Commissioner Viviane Reding understands that “Our societies have been transformed as users embrace social networks, blogs, newsfeeds and shared bookmarks that are kept in the cloud. Companies cut costs by outsourcing data storage tasks.” And EU Digital Agenda Commissioner Neelie Kroes has acknowledged that because the cloud is “by definition a global issue,” “Europe should work with the U.S. and Asia in setting policy.”
More business and government dialogue with Europe is needed to tamp down undue suspicion regarding the Patriot Act and help ameliorate the current international imbroglio over privacy. A trans-Atlantic digital initiative to rationalize online standards will allow international cloud providers to benefit businesses and consumers around the globe. The current legal quagmire of divergent, muddled and unduly complicated national rules may be protectionist, but it is not protecting anybody’s privacy.
By Alan Charles Raul, a partner with Sidley Austin and former vice chairman of the White House Privacy and Civil Liberties Oversight Board.