American cloud providers may find themselves unable to sell to the Dutch government due to concerns that the vendors could be compelled to share data with U.S. authorities under the provisions of the Patriot Act. Similar concerns are being raised in the European Parliament.
Ivo Opstelten, the Dutch minister of security and justice, informed the Tweede Kamer (the Dutch lower house) last week that the government is contemplating excluding American cloud providers from government bids. Dutch government agencies need to protect government information and citizen data from being accessed by the U.S., and so bids must be able to meet demands that cloud providers do not hand over any information to the U.S.
"That basically means that companies form the United States are excluded from such [government] bids and contracts," Opstelten said in the letter.
Excluding U.S. cloud providers is not official policy yet. However, Vincent van Steen, spokesperson for the ministry of the interior, confirmed that the Dutch government is considering a ban on U.S. cloud providers like Microsoft and Google. "The minister is considering this", he said in an email. "This means that it could be a requirement for tenders and the awarding of contracts."
Nigel Murray, managing director of the consultancy firm Huron Legal, confirmed the Patriot Act could override European data and privacy legislation in a report by Dutch IDG news site Webwereld on Wednesday. "If data is transferred to the United States under the Safe Harbor protocol or an American injunction, U.S. Regulators can retrieve the data using the Patriot Act. This usually happens without the person concerned knowing anything about it," Murray told Webwereld.
Not only governments but also businesses should refrain from doing business with American cloud providers, experts advised in the Webwereld article. Professor Jeanne Mifsud Bonnic, expert in European technology law and human rights at the University of Groningen, reckoned that the current situation creates a "beautiful opportunity" for European cloud providers to make some headway in the European market.
Concerns about the affect the Patriot Act has on data stored by U.S. companies in Europe have also been raised in the European Parliament (EP).
According to Sophie in 't Veld, MP for the democratic ALDE party in the EP, this is a very serious problem "This is not how we deal with each other," In 't Veld said in a phone interview. "The European Commission should say to the American government: 'You have to respect our rules.'"
According to In 't Veld, the American government should not be allowed to have a back door into cloud data stored in Europe.
However, simply excluding American cloud providers from government bids is not the way to solve the problem, In 't Veld said. She called the approach the Dutch government is considering "economically and politically unwise." American cloud providers should be able to provide services in the European Union and should do that abiding by European laws; the American government has to stay out of that, she said.
The ALDE party asked Viviane Reding, European commissioner for justice, fundamental rights and citizenship, to remedy the situation. Reding should contact the U.S. government to "ensure that EU data protection rules can be effectively enforced and that third-country legislation does not take precedence over E.U. legislation," ALDE said.
Jim Dempsey, vice president for public policy at the Center for Democracy and Technology (CDT), said he is not sure if the questions raised about American cloud providers in Europe are truly about privacy. "Is this a privacy issue? Or do governments want to keep the access to data in their own hands?" he said in a phone interview.
According to Dempsey, every country in the world has its own version of the Patriot Act. "No company in the world can guarantee that it will not disclose information to governments," he said. The Dutch government itself could easily decide to turn over information to the U.S. "Also the Dutch government is likely to demand access to data of Dutch citizens stored in the U.S.," he said.
In the meantime, U.S. cloud providers tiptoe around the subject. Neither Microsoft nor Google were willing to comment on the issue, and IBM and Amazon did not immediately respond to questions. The White House press office also remained silent on the matter.
(René Schoemaker from Webwereld.nl contributed with this story.)
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.