PARIS • A foreign power with possible unbridled access to Europe’s data is causing alarm in the region. No, it’s not China. It’s the US.
As the US pushes ahead with the “Cloud Act” it enacted about a year ago, Europe is scrambling to curb its reach. Under the act, all US cloud service providers from Microsoft Corp and International Business Machines Corp to Amazon.com Inc — when ordered — have to provide American authorities data stored on their servers regardless of where it’s housed.
With those providers controlling much of the cloud market in Europe, the act could potentially give the US the right to access information on large swaths of the region’s people and companies.
The US said the act is aimed at aiding investigations. Some people are drawing parallels between the legislation and the National Intelligence Law that China put in place in 2017 requiring all its organisations and citizens to assist authorities with access to information. The Chinese law, which the US said is a tool for espionage, is cited by US President Donald Trump’s administration as a reason to avoid doing business with companies like Huawei Technologies Co Ltd.
“I don’t mean to compare US and Chinese laws, because obviously they aren’t the same, but what we see is that on both sides, Chinese and American, there is clearly a push to have extraterritorial access to data,” said Laure de la Raudiere, a French lawmaker who co-heads a parliamentary cyber-security and sovereignty group. “This must be a wake up call for Europe to accelerate its own, sovereign offer in the data sector.”
Matters of espionage and foreign interference will be at the centre of talks at Europe’s biggest telecoms and technology conference, the MWC Barcelona, that starts today.
The Cloud Act (or the “Clarifying Lawful Overseas Use of Data Act”) addresses an issue that came up when Microsoft in 2013 refused to provide the Federal Bureau of Investigation access to a server in Ireland in a drug-trafficking investigation, saying it couldn’t be compelled to produce data stored outside the US.
The act’s extraterritoriality spooks the European Union (EU) — an issue that’s become more acute as trans-Atlantic relations fray and the bloc sees the US under Trump as an increasingly unreliable ally.
Europe may seek to mitigate the impact of the law by drawing on a provision in the act that allows the US to reach “executive agreements” with countries allowing a mutual exchange of information and data. The European Commission wants the EU to enter into talks with the US, and negotiations may start this spring.
France and other EU countries like The Netherlands and Belgium are pushing for the bloc to present a common front as they struggle to come up with regulations to protect privacy, avert cyber attacks and secure critical networks in the increasingly amorphous world of information in the cloud.
A Dutch lawmaker at the European Parliament, Sophie in ’t Veld, recently expressed frustration at what she called the EU’s “enormous weakness” in the face of the US’ “unlimited data hunger”.
“Because of the Cloud Act, the long arm of the American authorities reaches European citizens, contradicting all EU law,” she noted. “Would the Americans accept it if the EU would grant itself extraterritorial jurisdiction on US soil?”
An internal memo crafted by the French government in November states that “the Cloud Act could be a test from the US, and they expect a political response, which ought to be European to be strong enough”.
The Cloud Act was enacted just weeks ahead of Europe’s data-protection law, the General Data Protection Regulation, or GDPR, which states that all businesses that collect data from EU citizens have to follow the bloc’s rules, which could put the two laws at odds.
While waiting for the EU to get its response together, some countries are preparing their own, with the French leading the pack. President Emmanuel Macron’s teams are readying legal and technical measures to shield the country, four government officials involved said. The president’s office, the Finance Ministry and the state’s cyber security agency ANSSI have worked on it for the last 10 months.
“The more we dig into the Cloud Act, the more worrying it is,” said ANSSI chief Guillaume Poupard. “It’s a way for the US to enter into negotiations…but it has an immediate extraterritorial effect that’s unbearable.”
The French government has held meetings with banks, defence contractors, energy utilities and others, asking them to use “Cloud Act-safe” data providers.
It’s also studying legal options, a Finance Ministry official said. One way might be to refresh a 1968 “Blocking Statute”, which prohibits French companies and citizens from providing “economic, commercial, industrial, financial, or technical documents or information” as evidence in legal proceedings outside the country.
“No one can accept that a foreign government, even the American one, can come fetch data on companies stored by a US company, without warning and without us being able to respond,” Finance Minister Bruno Le Maire said in a speech on Feb 18.
France has been more vociferous in its opposition to the Cloud Act because its companies have borne the brunt of other extraterritorial US laws. In 2014, BNP Paribas was slapped with an US$8.97 billion (RM36.58 billion) US fine for transactions with countries facing American sanctions. French oil company Total SA walked away from a US$4.8 billion project in Iran after Trump pulled out of its nuclear deal.
One consequence of the Cloud Act is that European companies and organisations will start looking for local alternatives. Europe’s phone operators, many of whom are already being steered away from Huawei, see the act making providers from the US a threat, too.
“On the one hand you have this Chinese expansion and on the other these new US rules are putting American companies at the mercy of the administration,” Gervais Pellissier, deputy CEO of Orange SA, told reporters last Thursday in Paris. “The hardware bricks are either American or Chinese. We need to now find a software layer to deal with the situation.”
Local cloud providers are using the Cloud Act and GDPR in their sales pitches. French company Atos is telling customers it’ll keep their most-sensitive data physically on servers in Europe. It struck a deal with Google to safeguard client data.
OVH Groupe SAS, presenting itself as a Europe-grown rival to Amazon’s cloud business, is growing sales 30% a year and making profit running data centres in Europe.
“We can guarantee our customers the sovereignty of their data, which is more than Amazon or other rivals can offer,” founder and CEO Octave Klaba told reporters in October. — Bloomberg