Oh dear, it looks like Microsoft may have just opened a can of worms when it comes to our data on the cloud.
Last week Microsoft admitted that, thanks to the Patriot Act, it would be forced to hand over any cloud data, even if it is stored on European servers, without notifying anyone.
Needless to say, this has the European Union (EU) up in arms, as it totally contradicts not only the Safe Harbor agreements but also European law, mainly the Data Protection Directive.
As it stands right now, the bilateral Safe Harbor agreement, which allows companies like Microsoft to transfer data from European facilities, guarantees some level of security and enforcement, and, alongside that, the EU’s directive requires companies to notify users if/when their data is handed over to third parties.
The problem is, as Microsoft stated, that if the Patriot Act is trotted out, it supersedes any other laws or agreements, and companies like Microsoft would be required to hand over the data, regardless of whether that data is on European servers or not, without notifying the user in any fashion.
This understandably has the EU more than a little concerned:
“Does the Commission consider that the U.S. Patriot Act thus effectively overrules the E.U. Directive on Data Protection? What will the Commission do to remedy this situation, and ensure that E.U. data protection rules can be effectively enforced and that third country legislation does not take precedence over E.U. legislation?”
As far as the Safe Harbor agreement goes, Theo Bosboom, an IT lawyer with Dirkzager Lawyers, makes this point:
“I’m afraid that Safe Harbor has very little value anymore, since it came out that it might be possible that U.S. companies that offer to keep data in a European cloud are still obliged to allow the U.S. government access to these data on basis of the Patriot Act…”
I don’t think this is the last we have heard of this.