Thursday, 5 December 2013

Is Cloud Storage Leaking Your Data?

Well, apparently the answer is... probably.

It is never fashionable to highlight the positive role that the European Union plays in setting the regulatory framework for business and personal rights. However, a recent report from the Directorate General for Internal Policies (entitled Fighting cyber crime and protecting privacy in the cloud) highlights serious concerns over the safeguarding of cloud-based data from European companies and citizens in a multi-jurisdictional framework.

The report accepts that cloud computing is making data processing global but warns that “jurisdiction still matters”. It said: “Where the infrastructure underpinning cloud computing (i.e. data centres) is located, and the legal framework that cloud service providers are subject to are key issues.”

This is particularly so with regard to the US, home of many large technology companies and cloud computing providers, and two specific pieces of legislation, the US Patriot Act and the US Foreign Intelligence Surveillance Amendment Act (FISAA) of 2008.

The report believes both acts give rise to conflicts in the relationships between states and companies.

“Major cloud providers are transnational companies subject to conflicts of international public law,” the report states.

“Which law they choose to obey will be governed by the penalties applicable and exigencies of the situation, and in practice the predominant allegiances of the company management.”

Those allegiances are likely to be sorely tested by the scope of FISAA, which essentially authorises the mass-surveillance of foreigners outside US territory whose data is within range of US jurisdiction, including data accessible in US clouds. The question that needs to be addressed is whether EU-based businesses and citizens should be prepared to gamble the integrity, security and privacy of their data against the loyalties of managers of US-based companies.

The report warns that cloud computing breaks the 40-year-old model for international data transfers because, once data is transferred into a cloud, “sovereignty is surrendered”, and it advocates the use of prominent warnings concerning the dangers of cloud data being exported to US jurisdiction.

It's a concern EU businesses should heed very carefully if they don't want to put their data at risk of being accessed by US authorities. For those already 'in the cloud', the report represents an opportune moment to ask what country their cloud provider is storing their data in.

Many cloud providers are global operations, which leaves them (and their customers' data) vulnerable to surveillance from the authorities in the US and other jurisdictions.

One way for UK businesses to ensure their data is safe and not being snooped on by the US or any other country's authorities is to choose a cloud provider with a geographically diverse cloud platform spread across the EU. An EU company can at least give the comfort of being able to visit the data centre and gain an understanding of where their data lives. There is also scope for CIOs to insist on an audit of the storage facility and security arrangements in place to protect data.

Until the US authorities change or amend the Patriot Act and FISAA, the only way businesses in the EU can begin to guarantee their most critical asset is to stay outside the jurisdiction of the US authorities.