European Cloud Providers Cloud the Truth After PRISM—What Should U.S. Providers, and the U.S. Government, Do About It?

European cloud providers have tried for years to gain a competitive advantage in the European market over U.S.-based counterparts by claiming that content stored with European providers is more protected from government access than data stored with U.S. companies. These European providers have tried to instill fear in potential customers, claiming that the USA PATRIOT Act gives the U.S. government essentially unfettered access to content stored with U.S. companies.

As has been well-documented here and elsewhere, the truth is that the U.S. imposes tighter restrictions on the ability of its law enforcement and security agencies to get data stored in the U.S. than many EU governments face in accessing data stored in their home countries. Moreover, unlike in the U.S., providers in the EU can voluntarily provide content and customer data to the government, and EU providers are required to retain data for up to two years, helping ensure the data is there when the government comes looking for it.

When I was at the Justice Department, it was not uncommon for law enforcement officials in European countries who were seeking their citizens’ content stored in the U.S. to complain that the evidentiary standards that had to be met to obtain that data under U.S. law were too high. No, you didn’t read that wrong: European governments complain to U.S. officials that they can more readily access their citizens’ data if that data is stored in Europe than if that data is stored in the U.S., because they often cannot satisfy our stricter standards for government access—standards that protect data in the U.S. regardless of whether that data is owned by an American or European customer.

Even before anyone ever heard of Edward Snowden, U.S.-based providers and U.S. government officials struggled to combat the misinformation being propagated by EU providers and media, with limited success. The hyperbole and hypocrisy from EU officials in the wake of the PRISM leaks has made that struggle even more difficult. The overheated rhetoric coming out of the EU shows no signs of abating, almost as if EU officials were determined to keep the public’s focus away from the even more permissive national security laws in their own backyard. But despite that rhetoric, the reality is that data belonging to EU citizens and companies is no less protected from government access—and arguably much better protected—if stored with a U.S. provider than with a European provider.

So as European providers seek to exploit the PRISM controversy to further cloud the truth, what should U.S. providers, and the U.S. government, do?

  • ECPA Reform: U.S. providers should continue to play a leading role in forcefully advocating for a uniform warrant standard for all content stored in the U.S. One reason why European providers were initially able to gain traction with their attacks on U.S. laws is that our standards—while still higher than in many EU countries—are rather hard to explain, with different rules for opened and unopened e-mail, and different rules based on the age of certain e-mails. A warrant-for-all-content standard has the benefit of being easy to understand and explain in a foreign market. Google, Microsoft, Facebook, Twitter, Reddit and numerous other tech companies recently wrote to Congress to express support for a warrant requirement for stored content. Continued strong, and public, leadership by those companies is critical.
  • Transparency: Google, Microsoft, Facebook, Apple and Yahoo deserve praise for their aggressive push for greater transparency about national security-related requests. Thus far they’ve pressed the issue in the courts and at the White House. They should not let up, and if necessary should take that fight to Capitol Hill as well. And they should use what data they are able to release to demonstrate that requests by governmental authorities in the U.S.—federal, state and local—in all types of cases combined affect only a fraction of a percent of users.
  • Use economic and political leverage: There are signs that governments in Europe and elsewhere may try to take their frustrations over PRISM out on U.S. providers. Foreign officials are already using PRISM as an excuse to promote what my colleague Stewart Baker refers to as “information protectionism,” suggesting that European companies should not use U.S. providers and even going so far as to suggest laws requiring cloud providers to store data locally. The U.S. government cannot sit back and let European governments beat up on U.S. providers, who have done nothing other than comply with their obligations under U.S. law. The Obama administration and Congress should use all available leverage—economic, political and legal—to help protect U.S. providers from repercussions—including, where appropriate, suspending law enforcement and intelligence assistance to those countries that harass or threaten U.S. providers merely for obeying U.S. law.    
  • Fight fiction with facts: The U.S. needs to be much more willing to call out EU officials for their hypocrisy. U.S. providers—and the U.S. government—cannot afford to allow the narrative to harden further that U.S. laws are less protective of stored content than EU laws. The facts are very much on the side of the U.S. providers, and the U.S. government needs to work even harder now to make sure those facts are heard over the noise.
More from Jason Weinstein

About the Author

Jason Weinstein is a partner at Steptoe & Johnson LLP specializing in data privacy and security, as well as criminal defense and internal investigations. He is a former federal prosecutor and most recently served as Deputy Assistant Attorney General in the Criminal Division, where he oversaw the Computer Crime and Intellectual Property Section.

See all posts by Jason Weinstein


  • July 26, 2013
    Jon Neiditz

    A great post and agenda, with which I can agree with 3 out of 4.  Point #3 about the arm-twisting is what gives me pause.  The most important privacy news of the week for our global clients and yours may be that the German Conference of Data Protection Commissioners announced that German data protection authorities will not issue any new permissions for data transfers to non-EU countries, including for the use of cloud services (until the German government explains to them how the NSA is complying with German data protection law, which could happen when pigs fly).  The Conference also called on the European Commission to suspend the US Safe Harbor principles, adopted in 2000 and on which, as of today, 3187 corporate registrants rely for the transfer of personal information of their European customers and/or employees to the US.

    Meanwhile, in the US, an analysis of the voting that very narrowly killed the Amash Amendment to defund the NSA’s phone metadata collection program provides a politically powerful narrative for libertarian Amash that “elites fear liberty:”  A majority of Democrats and large numbers of Republicans came close to defeating the bi-partisan leadership of the House and the White House (which issued a statement against the amendment).  To contrast this movement with what your great partner Stewart Baker called “information protectionism” in Europe, let’s call this new bi-partisan uprising “data libertarianism.”

    Given the suddenly-fluid politics of privacy in the US, how should the US respond to Germany and other countries that are erecting obstacles to global cloud computing and the Internet (not to mention trade more generally)?  Let’s say we go ahead and treat the action by the German DPAs as no more than “information protectionism” and making our principal governmental response the protection of “our” internet companies against “theirs.”  Where will that get us? A long trade war helping nobody, perhaps?  The German DPAs are just fulfilling their duty to apply German data protection laws, laws which are not likely to become significantly more liberal, particularly in the current climate.  The NSA disclosures and responses to strong US lobbying have already strengthened the hand of those seeking stronger EU data protection laws.  And speaking of poker, let us not forget what a growing “data libertarian” movement in the US might do to Washington’s hand.

    Here is a radical thought: Earlier this month, German Chancellor Angela Merkel came out in support of her Justice Minister’s proposal to amend the International Covenant on Civil and Political Rights (ICCPR) to create international principles for the Internet.  The Internet could use some rules for trustworthy, transparent and accountable controls, decisions and decisionmakers (as I’ve been writing about in The Big Data Tech Law Blog). Instead of assuming that the world’s privacy laws are nothing more than local protectionism, or barnstorming around the country implicitly including the issue of governmment surveillance in “phony scandals,” maybe we could get the data flowing from Germany again in part by acknowledging to Merkel that she has a point and beginning to contribute to changes to the ICCPR to create some international principles for the Internet that would be better than the alternative.

  • August 01, 2013

    The problem is loss of trust. With secret laws interpreted by secret courts, we have no idea what laws—if any!—are really being followed. Maybe those guys from Europe complaining about lack of access just aren’t talking to the right people in the US.  Who knows?

    Improper secrecy breeds mistrust breeds cynicism and contempt for the law.

To post your comment, please enter the word you see in the image below:

To post your comment, please enter the word you see in the image below:

Get your free study guide now!
Get your free study guide now!