German Data Protection Legislation and the USA PATRIOT Act - codecentric AG Blog
On Tuesday, 6th December, several IT news tickers (see, e.g., heise online) announced that Microsoft is about to change the end user agreement for its cloud service Office 365 so that it conforms to German and European data protection legislation. The data protection officer of the German state of Bavaria is reported to attest this conformance. So let’s see whether Microsoft has found a new solution to a known problem.
The ongoing conflict between German data protection law and the USA PATRIOT Act forms the background. According to the data protection law, personal data may only be exported to countries that provide a level of data protection at least as high as that in the European Union. Such a transfer may only take place after the customer has agreed to it. This agreement cannot be obtained through general statements in terms and conditions; rather, each individual case requires an individual agreement from the customer’s side.
The USA PATRIOT Act allows US authorities such as the FBI to access data hosted by companies doing business in the USA. These access rights are very broad. They were introduced to make fighting terrorism easier. In principle, customers whose data have been screened must be notified of this by the authorities. But the Act does not say by when this has to happen; the authorities decide this themselves in each individual case. That means it would still be conformant to US law if customers were notified only after the usual period for declassifying classified documents, normally 50 years. Cloud service providers like Microsoft can be obliged to remain silent towards their customers. This means that potentially affected customers are in principle unable to establish whether or not their data have been screened. As a consequence, no German data protection officer can ever attest whether a cloud service provider that is subject to the PATRIOT Act adheres to German data protection law. At best, he can state whether the terms and conditions as written on paper are in line with German law. But such a statement is of rather low value, since all it says is that the provider wants to obey German law. Isn’t this something we should expect from every company doing business in Germany?
Every cloud service provider that offers its services in the EU and is based in the USA, or does a substantial part of its business there, faces an unsolvable conflict. It is impossible to respect European data protection law and the USA PATRIOT Act at the same time. For all US-based service providers, and all the big players are US-based, the priorities are clear: the US authorities can always enforce conformance to the PATRIOT Act, so in case of doubt it is the European laws that the service providers will break. European customers probably have the right to sue for damages. But as long as a customer does not even learn of the infringement, this right is of very limited use.
EU-based cloud service providers in principle have the option of refusing to cooperate with the US authorities, referring them to EU data protection legislation, provided their servers are located in the EU. That would probably lead the US authorities to shut down the providers’ US business rather quickly. That this threat is real is something the Swiss bank UBS had to learn when negotiating the transfer of customer data to the US tax authorities: the tax office held the US branch of UBS hostage, thereby forcing UBS to hand over the demanded customer data. Where the servers are located in the US, there is no escaping the PATRIOT Act, since US authorities can always enforce physical access to the servers.
This leaves customers with just two alternatives. Either they accept that US authorities have, in principle, access to their data and that, should these data be screened, they will only be notified much later. Or they choose cloud service providers that are based in the EU and do not offer their services in the USA.
Although the considerations here refer to German law, the situation is much the same in all EU countries, because the national data protection laws all implement the same EU data protection directive, and no member state has the right to weaken the data protection standard spelled out in that directive.