By EDRi

The European Commission’s Communication on Cloud Computing (pdf) forecasts a spend of 45 billion Euro on such services in the EU in 2020. The stakes are therefore huge for the countries and regions that can show themselves to be trustworthy for the processing of both personal and business data.

With no comprehensive federal privacy legislation and spying measures like the PATRIOT Act and FISAAA in place, the starting position of the US administration and industry is clearly very weak. Worse still, the constitution only covers US citizens, creating a loophole that gives foreign users of cloud services even less protection from US government intrusion. FISAA specifically targets cloud computing data of non-US citizens.

On the other hand, the EU has a comprehensive legal framework, surveillance measures are subject to constitutional safeguards and our protections (such as the European Convention on Human Rights and the Charter of Fundamental Rights of the European Union) are based on fundamental rights of individuals, regardless of citizenship. The strategic value of comprehensive and well-enforced privacy rights for the European Union is clear. Or it should be.

With no possibility of creating comprehensive privacy legislation in the USA and no possibility of repealing its spying measures, it was only a matter of time before a scandal about the uses of data – whether by businesses or government became headline news, undermining the interests of the cloud computing industry in the USA. Strategically, the only option left available to the US administration was to seek to water down the European legal framework as much as possible. This is exactly what has been happening.

The US has very successfully and expertly lobbied against the data protection package directly, it has mobilised and supported US industry lobbying. US industry has lobbied in its own name and mobilised malleable European trade associations to lobby on their behalf to amplify their message, “independent” “think tanks” have been created to amplify their message again. The result is not just the biggest lobbying effort that Brussels has ever seen, but also the broadest.

Compliant Members of the European Parliament (MEPs) and EU Member States (see recent leak, pdf) have been imposing a “death by a thousand cuts” on the Regulation. Where previously there was a clear obligation to collect the “minimum necessary” data for any given service, the vague requirement to retain “not excessive” data is now preferred. Where previously companies could only use data for purposes that were “compatible” with the original reason for collecting the data, the Irish EU Presidency (pdf) has proposed a comical definition of “compatible” based on five elements, only one of which is related to the dictionary definition of the word.(1)

Members of the European Parliament and EU Member States are falling over themselves to ensure that the EU does not maintain its strategic advantage over the US. In addition to dismantling the proposed Regulation, countries like the UK desperately seek to delay the whole process and subsume it into the EU-US free trade agreement (the so-called “investment partnership” TTIP/TAFTA), which would subordinate a fundamental rights discussion in a trade negotiation. The UK government is even prepared to humiliate itself by arguing in favour of the US position on the basis that two and a half years (see Communication from 2010, pdf) of discussion is too fast!

The US administration is acting in a completely coherent, logical, predictable, self-interested way. The big question is why EU policy-makers appear to be so keen to act against the EU’s strategic interests.

(Footnote 1)

3a.
In order to ascertain whether a purpose of further processing is compatible with the one for which the data are initially collected, the controller shall take
into account:

(a) any link between the purposes for which the data have been collected and the purposes of the intended further processing;
(b) the context in which the data have been collected (…);
(c) the nature of the personal data;
(d) the possible consequences of the intended further processing for data subjects (…);
(e) appropriate safeguards