Governmental Access to Cloud Data: A Response

August 7, 2013

As the authors of the original article state, it is true that many countries have granted themselves powers to access personal data held by private entities (more’s the pity). It is also true that in some cases providers have disclosed personal data in the context of voluntary arrangements. However, to argue that this in some way excuses the actions of the US government, or more particularly, its security services, and to somehow imply that the US government is acting merely in line with what everyone else is doing is quite blatantly ignoring the facts and the legal framework that governs government surveillance at least in countries subject to the European Convention on Human Rights (ECHR). It seems right therefore that some of those myths should be debunked:

1. Any surveillance measure of a signatory state to the ECHR (which includes all EU Member States) is subject to the right to a private life set out in the ECHR, Article 8. This includes measures under primary domestic law, but also those taken on the basis of international agreements like mutual legal assistance treaties (which are equally judicially reviewable in many countries). Article 8 requires not only that the relevant measure must be ‘in accordance with the law’ but also that sufficient authorisation and oversight measures must be in place and that the interference must be proportionate to its aim. In this way, the standards are very similar to those required by the US Supreme Court for the protection of US citizens from unreasonable searches and seizures. For example, it is likely that any surveillance measure must be targeted rather than permit the wholesale retention and disclosure of personal data without probable cause. This is borne out, for example, in the contents of the MLATs to which the article refers, which, as a general rule, permit the sharing of limited data sets relating to individual suspects in specific circumstances. Any EU government that operates a surveillance system entirely on a voluntary basis is therefore one ECHR challenge away from being caught out (as the UK has found to its embarrassment several times). Similarly, a government that does not put in place procedures for authorisation and oversight or that grants its law enforcement and security services too far-reaching powers will most probably be sent back to the drawing board (which – again – has happened to the UK on occasion). The safeguards that are in place (or should be in place) at least within the EU are therefore very much comparable to those with which the US protects its own citizens.

2. Although US law may in some cases provide ‘more restrictions to the access of personal data’ than do (some) EU Member States, this is only true with regard to the data of US citizens and legal US residents inside the US. In particular, the restrictions that limit access under section 1881a FISA are largely aimed at ‘minimisation’, that is the process to ensure that the personal data of US citizens is not unlawfully collected as part of the process. The data of non-US citizens, on the other hand, can be collected without probable cause having to be proved (as would be the case with regard to access to US citizens’ data).

3. In addition, in the light of the US Supreme Court’s decision in United States v Verdugo-Urquidez 494 U.S. 259 (1990), EU citizens are unlikely to be in a position to challenge the lawfulness of the FISA provisions, that is, their compliance with the Fourth Amendment to the US Constitution. The same may not be true for US citizens who want to challenge the laws of EU countries under which those countries’ governments collect their data. Unlike the Fourth Amendment, which only protects the rights of US citizens and legal US residents, Article 8 is generally considered to be a human right. US citizens whose right to privacy is affected by an EU country’s surveillance measure will therefore likely be able to challenge that measure before the European Court of Human Rights in Strasbourg. EU citizens have no such standing before the US Supreme Court. One could therefore argue that the rights of US citizens within the EU are significantly better protected than the other way around.

4. Although it may be true that the powers of, say, GCHQ under RIPA with regard to ‘external communications’ (i.e. communications that are sent or received outside the UK) are as far-reaching as, if not wider than, those granted to US services under FISA, those powers are currently under judicial review following at least three separate challenges. It is likely that at least one of those challenges will make it to the Strasbourg court. It remains to be seen whether that court, when it eventually gets to decide on these issues, will permit the extent of surveillance that currently seems to be happening within Europe. It will also be interesting to see whether the court will allow its signatory states to distinguish between the privacy rights of their own citizens and those of other countries. In the light of the court’s previous case law and the human rights nature of Convention rights, many academic scholars feel that the answer to both of those questions is likely to be no. While it must be accepted that all is not necessarily well with regard to the surveillance powers that are currently included in the primary laws of many EU member states, it is, however, entirely premature to draw comparisons between those (often still judicially untested) powers and those included in FISA. I repeat, even if it wanted to, the Supreme Court does not have the competence to protect non-US citizens outside the US from surveillance by the US government. As I understand it (I am happy to be proved wrong) that would require a change to the US Constitution. The same cannot be said the other way round.

5. It could be argued (and Caspar Bowden and I have argued it here: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2283175) that EU governments are under a positive obligation to protect their citizens from the kind of interference with their right to privacy that FISA surveillance represents. This is of course a highly politicised process and the extent of the measures that will be taken will very much depend on the pressure put on the European Commission and the member states’ governments by their own citizens and political institutions. Realistically, this varies from country to country. The increased support of, and investment in, what is commonly termed a ‘European cloud’ is one of the options on the table. From an EU perspective, this option has a lot of advantages, including possibly increased information security, the economic benefit of generating profits from cloud computing within the EU and the increased control over potentially sensitive information. The latter includes not only personal data but also trade secrets, confidential commercial information and information necessary to maintain essential infrastructure that is otherwise exposed to the discretionary actions of another country’s government (for a broader discussion of these issues see the opinion of the European Economic and Social Committee on the European Commission’s cloud computing strategy at http://www.eesc.europa.eu/?i=portal.en.ten-opinions.24758). Although data stored in a European cloud may arguably still be accessed by EU governments on the basis of their own laws, as shown above, those laws are subject to the limitations provided by the EU fundamental rights framework – however slowly its mills may be grinding. More importantly, information in a European cloud will be protected from wholesale and uncontrolled access by countries whose laws do not include such limitations or where EU citizens cannot enforce those limitations before that country’s courts.
From the perspective of the ordinary EU citizen, the storage of their data in an EU cloud is therefore vastly preferable to having that same data stored in, say, the US or China, so that the concept of a ‘safe jurisdiction’ (or at least ‘safer’) cannot be entirely dismissed.

For EU companies that must decide where in the cloud to store their data, the potential fallout of that decision is therefore not only a question of legal compliance but of reputation, given that the data in question are likely to relate to their customers, employees and business partners. And, if recent newspaper articles are anything to go by, US cloud providers are very much aware of that fact. To pretend that those issues don’t exist does a disservice to both EU cloud customers and non-EU cloud providers. It might therefore be wiser for the latter to focus their lobbying powers on persuading their own governments to put in place equal protections for EU citizens under their constitutional frameworks and to enter into negotiations with EU governments and institutions for a comprehensive global privacy framework.

Judith Rauhofer is a Lecturer in IT Law at the University of Edinburgh and an Associate Director of the Centre for Studies of Intellectual Property and Technology Law (SCRIPT).