The Netherlands states that it will not allow US cloud providers to bid for government contracts until the EU Data Protection Directive is amended, because the US Patriot Act conflicts with the EU DP Directive.
This contravenes European law, which states that organisations cannot pass on user data to a third party outside the European zone without the users’ permission.
Of course, a Dutch official states:
Opstelten admitted that while the Dutch government is “experimenting with Google Docs and Dropbox”, though data is believed to be stored on Dutch territory, it is unknown whether they are managed by U.S. companies.
The article ends with:
Last month, an article published claimed that the power to search suspects with Patriot Act invoked ‘delayed warrants’ — the ability to search without formally making warrants known to the subject, to prevent the loss of vital evidence — were used in 1,618 drug-related cases, 122 cases for fraud, but only 15 cases relating to terrorism.
Let’s dig into this a bit. First, obtaining permission from the data subject is one of several means to transfer data outside of the EU:
1. By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2) may take place on condition that:
(a) the data subject has given his consent unambiguously to the proposed transfer; or
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject’s request; or
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
(e) the transfer is necessary in order to protect the vital interests of the data subject; or
(f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.
(d) squarely applies to an order under the Patriot Act. (b) and (c) likely allow the transfer of the data in order to provide cloud services. Once the data is in the US, it is clearly under US jurisdiction. Do we think the EU governments will have any hesitation in grabbing the data of non-EU citizens where the data center is located in the EU? Let’s see what the law looks like.
Section 28 of the UK Data Protection Act allows for exceptions to the UK DPA notice provisions where national security is involved. Hmmmm . . . sounds a bit like the US Patriot Act. Section 5 of Schedule 4 allows for transfers in legal matters.
The above aside, the Dutch official doesn’t even know where his data is. He thinks it’s in the EU, but he isn’t sure. Perhaps he ought to read the Google Docs Terms of Use and Privacy Policy:
Google processes personal information on our servers in the United States of America and in other countries. In some cases, we process personal information outside your own country.
(I can’t find data transfers addressed in the Dropbox privacy policy or terms of use.) It’s well established that the imminent loss of evidence is an exception to the warrant requirement. I am going to go out on a limb and bet there is a similar rule in most EU countries. The article may be referring to government power under the FISA Amendments Act (FAA) of 2008, but its direct application to a cloud service provider is unclear (e.g., in the context of O365 or Google Docs):
The FAA explicitly permits collection of information from U.S. telecommunications facilities where it is not possible in advance to know whether a communication is purely international (that is, all parties to it are located outside of the United States) or whether the communication involves a foreign power and or its agents. The collection of this information must be carried out in accordance with certain “targeting procedures” to ensure that the collection is directed at persons located outside the United States. The FISC is to review certifications and the targeting and minimization procedures adopted.
From Privacy Law Fundamentals, Daniel J. Solove & Paul M. Schwartz (2011).
I am not a fan of several provisions of the US Patriot Act, but the Dutch decision appears not to have been thought through at all. They are making use of the cloud, but forbidding others to do so for reasons that they don’t want to apply to themselves.