Foreign Cloud Privacy Issues Dismissed by U.S. Officials

A pair of senior Obama administration officials on Wednesday sought to tamp down recent stirrings of controversy over the privacy protections under U.S. law surrounding content stored in the cloud residing in data centers in foreign jurisdictions.

Speaking to reporters on a conference call, Deputy Assistant Attorney General Bruce Swartz and Philip Verveer, deputy assistant secretary of state and U.S. coordinator for international communications and information policy, argued that as much as cloud computing has reshaped the way businesses store and provide access to data and services, the fundamental legal protections for overseas operations have remained consistent, and that U.S. policies offer privacy safeguards equally rigorous to those found in Europe.

Swartz, echoing remarks Attorney General Eric Holder recently delivered to members of a European Union civil liberties committee, reiterated the Justice Department’s “core belief in the importance of protecting citizens from government intrusion.”

“Any notion that the United States doesn’t value privacy is mistaken,” Swartz said, seeking to debunk a series of “myths” about lax U.S. privacy and data-protection policies.

EU Set to Revise Data Protection Laws

The issue of discrepancies between the laws in the United States and Europe could assume fresh importance as the EU is poised to consider an overhaul of its own laws and regulations concerning data protection, an effort that U.S. privacy advocates hope could precipitate tighter controls in this country.

Microsoft added fuel to that fire last June, when a company executive admitted at the launch event for Office 365 in London that under the Patriot Act, the company could be compelled to turn over information stored overseas to U.S. authorities without providing prior notice or seeking consent from the data owner.

Verveer dismissed the recent controversy as “overblown,” and noted that data sovereignty and other cloud computing issues are the subject of frequent discussions between State Department representatives and foreign officials. That interest owes in large part to the dramatic growth in cloud services at a time when many other segments of the economies of the United States and Europe continue to slump. Verveer cited a Gartner projection that the market for cloud services in Western Europe alone is poised to vault to $47 billion by 2015.

“There is a great deal of money at stake with respect to cloud activities,” he said.

Swartz emphasized the longstanding cooperation between the United States and EU nations on computer security and privacy issues, including the 2001 Convention on Cybercrime the country signed onto that emerged from multilateral negotiations in Budapest.

“The Patriot Act really is in this context a red herring,” Swartz said. “It didn’t work a fundamental change in how we approach the issues of stored data.”

But the concerns over the security of data stored in servers located in Europe has been the subject of considerable discussion among officials in EU member states, and can be traced at least in part to early efforts at a sort of digital protectionism in the form of state efforts to promote European cloud companies over their U.S.-based competitors. And European firms are all too happy to call attention to the potential insecurities of data stored with American providers stemming from U.S. laws.

In November, France arranged for a joint venture including France Telecom SA and Thales SA to offer on-demand cloud technologies stamped as “made in France,” Bloomberg News reported.

“It’s the beginning of a fight between two giants,” Jean- Francois Audenard, an advisor on cloud security to France Telecom, told the news service. “It’s extremely important to have the governments of Europe take care of this issue because if all the data of enterprises were going to be under the control of the U.S., it’s not really good for the future of the European people.”

Cloud Privacy and Data Security Concerns Remain

For all of Swartz and Verveer’s assurances that the United States and EU member states have a thorough and consistent set of agreements concerning privacy and data security in place for the cloud-computing era, many U.S. businesses remain concerned. In November, a group of leading technology and finance companies organized under the National Foreign Trade Council, including Google, Oracle, Microsoft, IBM, Visa and Citi, issued a lengthy policy agenda (PDF available here) for modernizing global trade rules to address the movement of data over national borders.

“Despite the widespread benefits of cross-border data flows to innovation and economic growth, and due in large part to gaps in global rules and inadequate enforcement of existing commitments, digital protectionism is a growing threat around the world,” the companies wrote. “A number of countries have already enacted or are pursuing restrictive policies governing the provision of digital commercial and financial services, technology products, or the treatment of information to favor domestic interests over international competition.”

In urging policy makers to address and harmonize the emerging laws and policies governing cross-border data flow, the companies warned that left unchecked, new regulations “could become significant non-tariff trade barriers to the digital economy.”

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.