State Dept., AG address EU cloud data privacy concerns
According to the U.S. Dept. of State, cloud computing, while a new and fast-growing technology, doesn't present any new issues when it comes to ensuring privacy of data within that cloud from law enforcement, and should not affect current treaties the U.S. has with law enforcement agencies in Europe and elsewhere.
In a conference call hosted by U.S. Ambassador Philip Verveer, Deputy Assistant Attorney General Bruce Swartz noted that "Cloud computing has important advantages to consumers (but) doesn't present any issues that have not always been present. Certainly not regarding Internet service issues, but even before that."
Concern about the way U.S. law enforcement obtains information about private citizens of the EU has been roiling in Europe for several months. Network World reported last fall that Patriot Act provisions could have the Dutch government cold-shouldering American cloud services vendors trying to bid on its contracts, because U.S. law enforcement can compel those vendors to release information on Dutch citizens to them. The European Parliament is also debating the Patriot Act's effect on its own data privacy laws.
In December, BAE Systems announced it was dropping Microsoft 365 specifically due to those data concerns, arstechnica reported.
Swartz, who recently returned from a meeting with EU law enforcement counterparts in Copenhagen, listed several assumptions or "myths" that he said are commonly believed about U.S. law enforcement in regard to the privacy of individuals' data stored in the cloud.
Answering to the myths that the EU "cares more about privacy than the U.S." and "does a better job of protecting privacy than the U.S.," Swartz pointed out that the United States has a "core belief" in protection from intrusion, and that the idea that the EU does a better job with protecting privacy is "a misunderstanding."
"Our systems have evolved over time in response to particular circumstances but we have in place protections that are fundamentally similar. The conclusion of our high level meetings group is that ... both the US and EU have important commonalities and a deeply rooted commitment to the protection of personal data privacy," Swartz said, adding that there is also a legal framework and that the United States has perhaps the most stringent requirements in the world for obtaining data on individuals.
Addressing the assumption that the advent of cloud computing presents law enforcement officials with new issues, Swartz cited the example of law enforcement in one country obtaining data stored in another country, saying that the Budapest Cybercrime Convention in 2001 addressed this issue. "That convention sets out a framework by law enforcement regarding computer access in another country, enabling law enforcement to compel (computer access) in that country. This is a problem that predated the Internet, much less the cloud."