News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | European Cloud Providers Cloud the Truth After PRISM—What Should U.S. Providers, and the U.S. Government, Do About It? Related reading: Upper Tribunal dismisses ICO's appeal in Experian case

rss_feed

""

European cloud providers have tried for years to gain a competitive advantage in the European market over U.S.-based counterparts by claiming that content stored with European providers is more protected from government access than data stored with U.S. companies. These European providers have tried to instill fear in potential customers, claiming that the USA PATRIOT Act gives the U.S. government essentially unfettered access to content stored with U.S. companies.

As has been well-documented here and elsewhere, the truth is that the U.S. imposes tighter restrictions on the ability of its law enforcement and security agencies to get data stored in the U.S. than many EU governments face in accessing data stored in their home countries. Moreover, unlike in the U.S., providers in the EU can voluntarily provide content and customer data to the government, and EU providers are required to retain data for up to two years, helping ensure the data is there when the government comes looking for it.

When I was at the Justice Department, it was not uncommon for law enforcement officials in European countries who were seeking their citizens’ content stored in the U.S. to complain that the evidentiary standards that had to be met to obtain that data under U.S. law were too high. No, you didn’t read that wrong: European governments complain to U.S. officials that they can more readily access their citizens’ data if that data is stored in Europe than if that data is stored in the U.S., because they often cannot satisfy our stricter standards for government access—standards that protect data in the U.S. regardless of whether that data is owned by an American or European customer.

Even before anyone ever heard of Edward Snowden, U.S.-based providers and U.S. government officials struggled to combat the misinformation being propagated by EU providers and media, with limited success. The hyperbole and hypocrisy from EU officials in the wake of the PRISM leaks has made that struggle even more difficult. The overheated rhetoric coming out of the EU shows no signs of abating, almost as if EU officials were determined to keep the public’s focus away from the even more permissive national security laws in their own backyard. But despite that rhetoric, the reality is that data belonging to EU citizens and companies is no less protected from government access—and arguably much better protected—if stored with a U.S. provider than with a European provider.

So as European providers seek to exploit the PRISM controversy to further cloud the truth, what should U.S. providers, and the U.S. government, do?

  • ECPA Reform: U.S. providers should continue to play a leading role in forcefully advocating for a uniform warrant standard for all content stored in the U.S. One reason why European providers were initially able to gain traction with their attacks on U.S. laws is that our standards—while still higher than in many EU countries—are rather hard to explain, with different rules for opened and unopened e-mail, and different rules based on the age of certain e-mails. A warrant-for-all-content standard has the benefit of being easy to understand and explain in a foreign market. Google, Microsoft, Facebook, Twitter, Reddit and numerous other tech companies recently wrote to Congress to express support for a warrant requirement for stored content. Continued strong, and public, leadership by those companies is critical.
  • Transparency: Google, Microsoft, Facebook, Apple and Yahoo deserve praise for their aggressive push for greater transparency about national security-related requests. Thus far they’ve pressed the issue in the courts and at the White House. They should not let up, and if necessary should take that fight to Capitol Hill as well. And they should use what data they are able to release to demonstrate that requests by governmental authorities in the U.S.—federal, state and local—in all types of cases combined affect only a fraction of a percent of users.
  • Use economic and political leverage: There are signs that governments in Europe and elsewhere may try to take their frustrations over PRISM out on U.S. providers. Foreign officials are already using PRISM as an excuse to promote what my colleague Stewart Baker refers to as “information protectionism,” suggesting that European companies should not use U.S. providers and even going so far as to suggest laws requiring cloud providers to store data locally. The U.S. government cannot sit back and let European governments beat up on U.S. providers, who have done nothing other than comply with their obligations under U.S. law. The Obama administration and Congress should use all available leverage—economic, political and legal—to help protect U.S. providers from repercussions—including, where appropriate, suspending law enforcement and intelligence assistance to those countries that harass or threaten U.S. providers merely for obeying U.S. law.
  • Fight fiction with facts: The U.S. needs to be much more willing to call out EU officials for their hypocrisy. U.S. providers—and the U.S. government—cannot afford to allow the narrative to harden further that U.S. laws are less protective of stored content than EU laws. The facts are very much on the side of the U.S. providers, and the U.S. government needs to work even harder now to make sure those facts are heard over the noise.
Author
Headshot Jason Weinstein Nonmember Contributor
Tags
Cloud Computing
Enforcement
Infosecurity
Personal Privacy
Surveillance
2 Comments

If you want to comment on this post, you need to login.

  • comment Jon Neiditz • Jul 26, 2013 
    A great post and agenda, with which I can agree with 3 out of 4.  Point #3 about the arm-twisting is what gives me pause.  The most important privacy news of the week for our global clients and yours may be that the German Conference of Data Protection Commissioners announced that German data protection authorities will not issue any new permissions for data transfers to non-EU countries, including for the use of cloud services (until the German government explains to them how the NSA is complying with German data protection law, which could happen when pigs fly).  The Conference also called on the European Commission to suspend the US Safe Harbor principles, adopted in 2000 and on which, as of today, 3187 corporate registrants rely for the transfer of personal information of their European customers and/or employees to the US.

Meanwhile, in the US, an analysis of the voting that very narrowly killed the Amash Amendment to defund the NSA’s phone metadata collection program provides a politically powerful narrative for libertarian Amash that “elites fear liberty:”  A majority of Democrats and large numbers of Republicans came close to defeating the bi-partisan leadership of the House and the White House (which issued a statement against the amendment).  To contrast this movement with what your great partner Stewart Baker called “information protectionism” in Europe, let’s call this new bi-partisan uprising “data libertarianism.”

Given the suddenly-fluid politics of privacy in the US, how should the US respond to Germany and other countries that are erecting obstacles to global cloud computing and the Internet (not to mention trade more generally)?  Let’s say we go ahead and treat the action by the German DPAs as no more than “information protectionism” and making our principal governmental response the protection of “our” internet companies against “theirs.”  Where will that get us? A long trade war helping nobody, perhaps?  The German DPAs are just fulfilling their duty to apply German data protection laws, laws which are not likely to become significantly more liberal, particularly in the current climate.  The NSA disclosures and responses to strong US lobbying have already strengthened the hand of those seeking stronger EU data protection laws.  And speaking of poker, let us not forget what a growing “data libertarian” movement in the US might do to Washington’s hand.

Here is a radical thought: Earlier this month, German Chancellor Angela Merkel came out in support of her Justice Minister’s proposal to amend the International Covenant on Civil and Political Rights (ICCPR) to create international principles for the Internet.  The Internet could use some rules for trustworthy, transparent and accountable controls, decisions and decisionmakers (as I've been writing about in The Big Data Tech Law Blog). Instead of assuming that the world’s privacy laws are nothing more than local protectionism, or barnstorming around the country implicitly including the issue of governmment surveillance in “phony scandals,” maybe we could get the data flowing from Germany again in part by acknowledging to Merkel that she has a point and beginning to contribute to changes to the ICCPR to create some international principles for the Internet that would be better than the alternative.
  • comment DaveM • Aug 1, 2013 
    The problem is loss of trust. With secret laws interpreted by secret courts, we have no idea what laws -- if any! -- are really being followed. Maybe those guys from Europe complaining about lack of access just aren't talking to the right people in the US.  Who knows?

Improper secrecy breeds mistrust breeds cynicism and contempt for the law.
Related Stories
Czech Republic DPA issues CZK351M GDPR fine
The Czech Republic's data protection authority, Úřad pro ochranu osobních údajů, fined Avast Software CZK351 million for allegedly giving users' personal data to marketers without properly anonymizing it. The UOOU also claimed Avast misinformed users about how their data would be used.Full story...
Read More queue Save This
Related Stories
Tags
Cloud Computing
Enforcement
Infosecurity
Personal Privacy
Surveillance
Recent Comments