Posted by: Jessica Scarpati
When we talk about compliance issues for cloud providers, there’s one hypothetical use case that comes up so often it’s almost cliché: A cloud provider takes on a business customer that, for regulatory compliance reasons, must ensure all of its data is kept inside the same country where it chiefly operates.
But cloud providers — in this case, U.S.-based ones — may face an entirely different roadblock regarding where they house customer data.
The Netherlands’ minister of security and justice said earlier this month that American cloud providers may not be welcome to sell cloud services to the Dutch government, due to concerns that “the vendors could be compelled to share data with U.S. authorities under the provisions of the Patriot Act,” according to this IDG News Service article. “Similar concerns are being raised in the European Parliament,” and experts are advising private businesses to avoid U.S. cloud providers for the same reasons, according to the report.
‘Excluding U.S. cloud providers is not official policy yet. However, Vincent van Steen, spokesperson for the ministry of the interior, confirmed that the Dutch government is considering a ban on U.S. cloud providers like Microsoft and Google. “The minister is considering this,” he said in an email. “This means that it could be a requirement for tenders and the awarding of contracts.”
Nigel Murray, managing director of the consultancy firm Huron Legal, confirmed the Patriot Act could override European data and privacy legislation in a report by Dutch IDG news site Webwereld on Wednesday. “If data is transferred to the United States under the Safe Harbor protocol or an American injunction, U.S. regulators can retrieve the data using the Patriot Act. This usually happens without the person concerned knowing anything about it,” Murray told Webwereld.’
Thankfully, one of Microsoft’s lawyers has since told us all not to freak out about the Patriot Act, according to CSO Magazine.
‘Microsoft’s Australasian legal chief says there is nothing to fear from the Patriot Act when considering a move to cloud-based services, because the US government can access your data regardless.
“In fact,” he adds, “US courts have long held that a company with a presence in the US is obligated to respond to a valid demand by the US government for information — regardless of the physical location of the information — so long as the company retains custody or control over the data.”’
Phew. That’s a relie–oh, wait. Never mind.
If there’s any good news here, it’s that larger and more established cloud providers already working with multinational customers — as telcos or managed hosting providers — know how to navigate these waters. Also, European cloud providers have a business opportunity here if fellow members of the EU follow suit.
But depending on how this plays out (and how many other governments and businesses follow the Netherlands’ lead), younger U.S.-based cloud providers and managed service providers (MSPs) will want to keep an eye on this issue. Their core customers may be smaller U.S.-based companies, but there’s a good chance those companies will have a few satellite offices overseas — potentially in a country where compliance with the Patriot Act is a deal breaker.