EUROPEAN CLOUD COMPUTING
The European cloud as the solution for governments to be able to make use of cloud
computing services without fearing unauthorized US disclosure
Master Thesis Law and Technology
Tilburg University
Jort de Jong
S142380
January 18th 2013
Prof. dr. R.E. Leenes
A study requested by Stichting NLnet
1
European cloud computing
The European cloud as the solution for governments to be able to make use of cloud computing
without fearing unauthorized US disclosure
2
Table of contents
1. Introduction
4
1.1.
Cloud computing
4
1.2.
The problem
6
1.3.
Research question
8
2. Applicable law
11
2.1.
Privacy and data protection
11
2.2.
Data Protection Directive
13
2.3.
Scope and application of the Directive
14
2.4.
Principles of the Directive
20
2.5.
Cloud computing
22
2.6.
Challenging US law
23
2.7.
Access to data in the European Union
33
2.8.
Conclusion
35
3. Towards a European Cloud
3.1.
37
Exclusive jurisdiction
37
3.1.1. International jurisdiction and its bases: a general introduction
37
3.1.2. The American view on jurisdiction and its bases
43
3.1.2.1.
Territoriality
44
3.1.2.2.
Personality
45
3.1.2.3.
Other bases
47
3.1.2.4.
Excluding the US
47
3.2.
Mutual Legal Assistance Treaties
48
3.3.
Conclusion
52
4. The European cloud and public procurement issues
4.1.
European public procurement rules
54
54
4.1.1. Sources of European public procurement
55
4.1.2. The principles of European public procurement
57
4.1.3. The obligation to follow European public procurement rules
58
4.1.4. The procedures for selection
60
4.2.
European procurement rules and the European cloud
62
4.3.
WTO Government Procurement Agreement
67
4.4.
Conclusion
68
5. The European cloud: the solution?
69
6. Conclusion
71
7. Bibliography
75
8. Appendix I: a selection of relevant sections of the United States Code
86
9. Appendix II: text on procurement law by R. Westerdijk
101
3
1.dIntroduction
Cloud computing is hip, hot and happening. Almost everybody in this Western society is making
use of it. Just think about your e-mail service: Microsoft’s Hotmail or Google’s Gmail. But also
social media sites like Facebook, Linked-in, Twitter. Or what did you think about Google Docs or
Dropbox? All these applications are examples of cloud computing, and there are a lot more to
name. This thesis is about cloud computing. It is even more about the legal possibilities to create
a ‘European cloud’. But before going into the depth of the central research question of this thesis,
a short introduction to the general topic of cloud computing will be given.
1.1 Cloud computing
This relatively new 1 method of offering services derived its name from the icon that is often used
to indicate a network or the Internet. Cloud computing should thus be understood as using
computers in a network.2 A more specific and often used working definition is given by the
National Institute of Standards and Technology (NIST) of the United States, stating that cloud
computing is:
“a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of
configurable computing resources (e.g. networks, servers, storage, applications, and services)
that can be rapidly provisioned and released with minimal management effort or service provider
interaction.” 3
Although this definition will not bring universal happiness 4, it does address the main
characteristics of cloud computing, stressing the fact that the offered services can be used in a
flexible, efficient and readily-accessible manner. These characteristics make cloud computing
rather different from for example traditional IT outsourcing arrangements, which typically involve
negotiated contracts in which the service offered is narrowly specified and a specific set of
1
From a purely technological view point cloud computing is not new at all. It is based on the old principle of
time sharing, which has been applied in many ways in the early days of computer technology when several
end-users had to make use of large, expensive and scarce mainframes.
2
L. Ferreira Pires, ‘ Wat is Cloud computing?’, Computerrecht 2011/63.
3
National Institute of Standards and Technology, ‘The NIST Definition of Cloud Computing’, September
2011, NIST SP 800-145 published on line on:
http://rszt.pmmk.pte.hu/uploads/8f/23/8f23a309550830fa62395163ecec6fd3/nist_SP800-145.pdf Last
checked: April 2012.
4
Other definitions that give a clear view on the meaning of cloud computing can be found in for example the
article ‘ Cursing the Cloud (or) Controlling the Cloud?’ by N. Ismail, Computer Law & Security Review 27/3,
June 2011 p. 252; or in S. Bradshaw, C. Millard and I. Walden, ‘Contracts for Clouds: Comparison and
Analysis of the Terms and Conditions of Cloud Computing Services’, Queen Mary University of London,
School of Law, September 1st 2010, p. 3-7.
4
infrastructure (e.g. servers) will be set aside for the customer’s use. Cloud computing just
distinguishes itself from that form of outsourcing by offering the possibility of rapidly and
dynamically adjusting the quantity of IT resources to the fluctuating demand of the customer,
leading to a pay-per-use system. 5
In regard to the offered services a distinction is generally made between three service models in
which three parties, the cloud provider, application provider and consumer, are involved:
software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service
(IaaS). SaaS concerns the offer and use of applications through Internet (the cloud) like e-mail
services (Hotmail) or office-like applications (Google Docs), PaaS offers the consumer the
possibility to create and then use applications on the cloud (Google Apps) and IaaS holds the
provision of the capability to the customer of fundamental computing resources where the
consumer is able to deploy and run arbitrary software (Amazon EC2).6
7
Another common distinction that is made (also used by NIST in its definition paper) has to do with
the accessibility of the cloud. The so called deployment models are characterized by the NIST as
follows (in short): a private cloud when the infrastructure is provisioned for exclusive use by a
single organization comprising multiple consumers; a community cloud when the infrastructure is
provisioned for exclusive use by a specific community of consumers from organizations that have
shared concerns; a public cloud when the infrastructure is provisioned for open use by the
general public; and last a hybrid cloud when the infrastructure is a composition of two or more
distinct cloud infrastructures (private, community, or public) that remain unique entities, but are
bound together by standardized or proprietary technology that enables data and application
portability. 8
The possibilities of cloud computing in all its variety offer several advantages. Business
companies can diminish the burden of buying, installing, maintaining and controlling IT-structures,
by bringing their systems into the cloud. This makes cloud computing very cost-effective.
Besides, because of the easy adjustment of the resources when needed, cloud computing is preeminently decent for companies that have to deal with high peaks in their IT-capacity. In that
5
S. Bradshaw, C. Millard and I. Walden, ‘Contracts for Clouds: Comparison and Analysis of the Terms and
Conditions of Cloud Computing Services’, Queen Mary University of London, School of Law, September 1st
2010.
6
See note 3.
7
See note 2 .
8
See note 3.
5
perspective, cloud computing is often seen as an important element of greencomputing, the
solution for the increase of the use of energy (and thus the decrease of CO2 emissions). 9
The above mentioned benefits make cloud computing a trending topic in the field of IT today. This
is not only shown by the fact that the on line search engine Google gives 238 million hits in less
than two tenths of a second when the words ‘cloud computing’ are given, but comes clear by just
looking at other mere facts. To name just a few: Microsoft did spend 90 % of its total budget for
Research & Design in 2011 on cloud computing10, AMD’s global cloud computing study shows
that 70 % of organizations worldwide are either using or evaluating cloud computing today
already of which percentage 63 % estimates the worth of its storage of data in the cloud over
$250,000 11 and last (but not least) a recently published IBM study subscribing aforementioned
figures, states that the number of enterprises turning to cloud computing to revamp existing
business models will more than double in the next three years, as business leaders move to
capitalize on the rapid availability of data and the growing popularity of social media 12. In the
Netherlands, there even is a television program broadcasted completely devoted to the upcoming
phenomenon, trying to give businesses insight into the (dis)advantages of using ‘the cloud’. 13
1.1. The problem
Cloud computing in its rise is however not undisputed. Several challenges make that one should
be careful when using cloud computing. In particular safety and privacy issues deserve our
attention, as with the outsourcing of the processing/storage of data, the cloud provider has the
possibility to look into or even manipulate the information. Also the accessibility of the cloud (and
the data stored inside) for third parties (other than the cloud provider and the consumer) should
be taken into account. In this perspective the physical location of the data is also of importance,
as it is part of the idea of cloud computing that data is stored at a central place, or even moved
9
See note 2.
10
http://www.forbes.com/sites/kevinjackson/2011/04/19/cloud-to-command-90-of-microsofts-rd-budget/ Last
checked: April 2012.
11
http://blogs.amd.com/work/2011/05/31/mind-the-gap-%E2%80%93-the-rise-of-cloud-computing/ Last
checked: April 2012. For an overview of the inforgraphics see: http://blogs.amd.com/work/amd-2011-globalcloud-computing-adoption-attitudes-and-approaches-study-infographics/ Last checked: April 2012.
12
IBM Institue for Business Values, ‘ The power of cloud; Driving business model innovation’, February
2012, published on line on:
http://public.dhe.ibm.com/common/ssi/ecm/en/gbe03470usen/GBE03470USEN.PDF Last checed: April
2012.
13
‘It-next’, broadcasted on RTL Z each Saturday in the beginning of 2012. See the website:
http://www.rtl.nl/programma/itnext/home/. Last checked: December 2012.
6
between several servers, often not even close to the geographical location of the user, who does
not have any control over the position of the data once brought into the cloud. 14
Besides, most cloud providers are originally American, make use of storage servers on American
soil and thus have to obey US laws. Questions are raised whether the use of cloud computing is
allowed according to the laws of the European Union regarding data protection when personal
data are concerned 15. Specifically in case of the use of cloud computing by governmental bodies
which process highly confidential data (of citizens), it is of great importance that the information in
the cloud is kept safe (i.e. in accordance with data protection rules) and only accessible for
entitled parties.
In regard to this matter of data protection should be noticed that it is presumed that the United
States of America (USA) have a less strict regime regarding privacy and data protection than the
European Union. Besides, since the ‘war on terror’ has started (after the attacks on the World
Trade Center in New York on 9/11) the USA have adopted several laws which should help
governmental bodies (intelligence agencies) to prevent terrorists attacks. The USA PATRIOT
ACT 16 (which is an acronym for Uniting and Strengthening America by Providing Appropriate
Tools Required to Intercept and Obstruct Terrorism) can be considered as the most influential
and thus the most important one. This act gives far reaching authorization for all kinds of methods
used for detecting and preventing acts of terrorism, and seriously constrains the constitutionally
embodied right of judicial review. 17
In Dutch parliament (and in similar cases in Denmark and Norway18) a discussion is going on
whether or not cloud computing should be an option for governmental bodies, when it is clearly
possible that the US government will have instant access to the (confidential) data stored on line
on the base of the USA PATRIOT Act. 19 This is not only a problematic situation for governments,
14
See note 2.
15
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection
of
individuals with regard to the processing of personal data and on the free movement of such data.
16
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism Act of 2001 (USA PATRIOT Act), Public Law 107-56, October 26th 2001.
17
P.L. Bal, ‘De USA Patriot Act I en II; Ongekende uitbreiding van bevoegdheden in de strijd tegen het
terrorisme’, Strafblad, 2004, p. 279.
18
A. de Haes, ‘Noorse privacywaakhond verbiedt Google Apps’, 26 januari 2012, published on:
webwereld.nl/nieuws/109323/noorse-privacywaakhond-verbiedt-google-apps.html Last checked: April 2012.
19
R. Schoenmaker, ‘Minister weet niet waar Nederlandse data blijft’, 10 september 2011, published on:
http://webwereld.nl/nieuws/107879/minister-weet-niet-waar-nederlandse-data-blijft.html and R.
Schoenmaker, ‘Uitsluiting Microsoft bij aanbesteding overheid’, 14 september 2011 published on:
http://webwereld.nl/nieuws/107924/uitsluiting-microsoft-bij-aanbestedingen-overheid.html and R.
7
but also for (American) cloud providers. It is presumed that these last ones will often have to obey
US laws and therefore are obliged to share cloud information on demand of the American
government without notifying the consumer (which could for example be a European
government), but probably will (as they (have to) comply with US law) infringe European Union
privacy and data protection laws. 20
1.3 Research question
The Dutch NLnet Foundation 21, which has been financially supporting organizations and people
that contribute to an open information society since 1997 (in Dutch: Stichting NLnet), has also
raised questions concerning the use of cloud computing by (semi-)governmental bodies in regard
to the possibilities of the American government to peek into the stored data. The NLnet
Foundation is looking for a solution which makes it possible for (semi-)governmental bodies to
make use of the advantages of cloud computing without the risk of losing (highly) confidential
data to third parties, in particular foreign governments (like the USA).
The foundation came up with an initiative to create within the existing infrastructure a purely
‘European cloud’, which means as much as that the cloud would be under European jurisdiction
only (so just laws of the (Member States of the) European Union (EU) do apply). This way there
would be no problem for cloud service provider complying to European privacy and data
protection rules and consequently there would be no risk that the American government could
search the stored data (without notification).
Such a European cloud would be technically possible. The only question left however deals with
the legal possibilities of creating and then using such a European cloud. The foundation has
addressed me to do a research concerning this question. This thesis is the result of the research
and aims at giving an answer to the question
Is it legally possible to provide a purely European cloud service, meaning that only European
authorities do have jurisdiction and solely European rules apply, and subsequently is it legally
permissible that European (semi-)governments will make use of merely this European cloud (so
beforehand excluding all other (non-purely-European) cloud providers)?
Schoenmaker, ‘Geen extra eisen tegen amerikaans datagraaien’, 17 september 2011 published on:
http://webwereld.nl/nieuws/107960/-geen-extra-eisen-tegen-amerikaans-datagraaien-.htmll. Last checked:
April 2012.
20
R. Schoenmaker, ‘Kabinet moet einde maken aan datagraaien VS’, 2 februari 2012, published on:
webwereld.nl/nieuws/109390/-kabinet-moet-einde-maken-aan-datagraaien-vs-.html. Last checked: April
2012.
21
www.nlnet.nl.
8
It is important to stress the fact that the mentioned European cloud service (and its provider) will
only and exclusively be under the jurisdiction of the European Union and its Member States, and
thus will have nothing to do with other than EU jurisdictions. Non-purely European cloud providers
then are providers which do not or not solely fall under EU jurisdiction as described.
I remark at this point already, that the NLnet Foundation aims at creating a cloud computing
service by making use of the existing IT-infrastructure. The possibility of governments setting up
their own private cloud within their network (by adding complete server centers to their internal
network), is therefore excluded. This way of creating a ‘government cloud’ does hamper the
essentials of the original idea of cloud computing (which is mainly an outsourcing business) too
much. It is for example questionable whether it is cost-efficient when governments have to
purchase the actual hard ware to the extent of their maximum needed capacity while most of the
time the maximum capacity is not needed. So the focus is on outsourcing, making use of cloud
computing services which are not exclusively accessible for that government.
Nonetheless, taking into account the requirements as discussed before, it could be the outcome
that the most ‘true’ form of a cloud service (the public cloud), which might also be economically
the most advantageous, is not attainable. Besides, another deployment model (like the private
cloud) is not necessarily economically less advantageous. That depends (inter alia) on the use of
the cloud computing services and the steadiness of the needed capacity (when there is very little
or no fluctuation, on-demand adjustment of resources is not required). It is however beyond the
scope of this thesis to determine which deployment model of cloud computing services suits
governments best, neither shall I discuss the question whether the use of cloud computing
services by governments is at all desirable (taking into account other relevant (risk) factors).
To answer the proposed research question, four sub questions have been formulated.
Sub question 1: What laws of privacy and data protection do apply on cloud services which are
offered and used within the European Union and how are these laws challenged by foreign, more
specific, American laws?
This first question to be answered under chapter 2 ‘The conflict of applicable laws: EU vs. US’,
should give an overview of the applicable law on provided cloud services, in particular the rules
regarding data protection. Furthermore, the question aims at getting an insight in the current
situation and the problem, namely that is presumed that the American government claims to have
jurisdiction over (the information in) the cloud and therefore would have the possibility to see into
the data on first demand on the base of the USA PATRIOT Act, while the (legislation in the
9
countries of the) European Union and its member states would not allow American access to the
data, but could not prevent it either (like stated in this Introduction earlier).
Sub question 2: How can the jurisdiction under which a cloud service (and the data stored inside
the cloud) falls, be limited to the European Union and its Member States and can this legally be
done?
This second question builds on the first question and should lead to an answer concerning the
(im)possibility to exclude the jurisdiction of other (foreign) countries but the European Union and
its Member States. In this perspective attention will be paid to international legal aspects
concerning jurisdiction. This matter will be dealt with in chapter 3 ‘Towards a European cloud’.
Sub question 3: Is it possible that (semi-)governments make use of cloud computing on such
terms and conditions that only purely European clouds services are contracted?
This sub question deals with the rules on (public) procurement, more specific the (im)possibilities
that procurement law offers to exclude certain cloud providers in advance, just because they
cannot guarantee the exclusion of the jurisdiction of the USA (in other words: because they are
not purely European). The answer to sub question 3 can be found under chapter 4 ‘The European
cloud and public procurement issues’.
The fifth chapter ‘The European cloud: the solution?’ will then shortly review the idea of a
European cloud in a broader (non-legal) perspective. Moreover a final answer to the research
question will be given under chapter 6 ‘Conclusion’.
10
2. The conflict of applicable laws: EU vs. US
As put forward in the introduction, several laws of different countries (can) apply on information
which is stored in a cloud. These diverse legal regimes can conflict with each other. The
borderless nature of the internet makes it hard to determine which rules do have effect. In this
chapter I will discuss how privacy and data protection rules concern cloud computing. In doing so,
I will answer the question which data protection laws do apply when cloud computing services are
used by a European legal subject (be it a citizen, business company or (semi-)governmental
body), what these laws look like, and how they can be challenged by foreign laws. In this regard I
stress the fact that, due to the fact that cloud computing providers are mainly established in the
US, I will only discuss the United States of America and its most relevant laws (especially the
USA PATRIOT Act) as foreign country / law.
2.1. Privacy and data protection
Back in 1890, Samuel Warren and Louis Brandeis were the first to address a ‘right to be left
alone’ in their article ‘The right to privacy’. 22 Since then, the world has changed as technology
evolved and so did the term privacy itself, although the basic concept of privacy is still valid 23.
These days one could not imagine our information society without the existence of a privacy right,
being one of the fundamental rights closely related to one’s personal freedom.
Privacy however, is a rather general term which consists of several rights. The most obvious of
these would be the right to respect for the integrity of the human body, but also the right to
determine with whom one holds relationships (which also means the right to be left alone) and the
protection of the space of living (like a home) are covered by this term. Finally, from the 1960’s
on, as a result of the combination of two principal and common elements of postindustrial society,
bureaucracy and information technology, which has created both quantitative and qualitative
changes in the ways that public and private organizations treat personal information, the need for
“information privacy” or “data protection”, as a way to control and restrict the implications of these
changes for the personal privacy of citizens, has quickly increased. 24 Nowadays, taken into
account that the rapid expansion of the Internet has created a world in which data collection and
storage has become so inexpensive and easy 25 that it forms a business market of its own with
22
S. Warren and L. Brandeis, ‘The Right to Privacy’, Harvard Law Review, volume 4, December 15th 1890.
23
N. Robbinson and others, ‘Review of the European Data Protection Directive’, Cambridge: RAND 2009,
p. 1. This research was sponsored by the Information Commissioner’s Office.
24
C. Bennett, Regulating privacy; Data protection and public policy in Europe and the United States, Cornell
University Press 1992, p. 2-3.
11
companies gaining enormous value 26, data protection is undisputedly seen as one of the major
components of privacy.
The right to privacy has taken a prominent position in the European legal systems and can be
found in both international and national laws. The European Convention on Human Rights
(ECHR) holds in article 8 the right to respect of one’s private and family life, home and
communications. 27 Although all member states of the European Union are party to the ECHR,
they are, since the ratification of the Lisbon Treaty, also bound by the Charter of Fundamental
Rights of the European Union (the Charter), which states in article 7 in almost the same wording
as the ECHR a right to respect of one’s privacy. In article 8 however, the Charter even gives a
specific provision regarding the protection of personal data.28
These general provisions of the Charter concerning the right to privacy and data protection stand
at the base of a specific legal framework consisting of regulations from the EU. The most
important piece of regulation in this regard, is the general directive concerning the processing of
personal data (in short the Data Protection Directive or the Directive) 29. This Directive gives a
detailed regulation about the lawful processing of personal data in general, a regulation about
special categories of processing of personal data, and rules regarding the transfer of personal
data to other (non-EU) countries. In doing so, the directive tries to achieve fair and equitable uses
of information. 30
It should be noted that, although the Data Protection Directive may be the most important piece of
regulation for the subject of this thesis, other European regulations exists which do concern the
processing of data. In this regard the Directive 2002/58 EC concerning privacy and the
processing of personal data in electronic communications (E-privacy Directive) 31 and the
25
J. Strauss, K.S. Rogerson, ‘Policies for online privacy in the United States and the European Union’,
Telematics and Informatics 19 (2002), p. 174-175.
26
For example Facebook, having an estimated worth of over 100 billion US Dolllar according to the value of
its shares ($38) when debuting on the New York Stock Exchange. Even though this value was too
optimistic (as it instantly decreased), Facebook still has a major value (far more than other big and
experienced players like HP or DELL). See http://finance.yahoo.com/news/10-huge-companies-facebooknow-210700763.html. Last checked October 2012.
27
See for the ECHR: http://www.echr.coe.int/NR/rdonlyres/D5CC24A7-DC13-4318-B4575C9014916D7A/0/CONVENTION_ENG_WEB.pdf. Last checked: May 2012.
28
See for the Charter: http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:083:0389:0403:EN:PDF (in English).
29
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection
of individuals with regard to the processing of personal data and on the free movement of such data.
30
See note 25, p. 177.
12
Directive 2006/24 EC concerning data retention 32, should be mentioned. I will however not fully
review these Directives as they are (as a whole) of less relevance in the light of this thesis. Of
course I will refer to them when needful.
Last but not least, the Dutch constitution provides a right to protection of the private life of
individuals under article 10 33. Furthermore the Dutch legislator implemented the EU Directive on
privacy and data protection into Dutch law resulting in the ‘Protection of Personal Data Act’ 34.
2.2. Data Protection Directive
In 1995 the EU truly entered the field of data protection by adopting the Data Protection Directive
which is based on earlier initiatives like the ‘Guidelines on the Protection of Privacy and Transborder flows of Personal Data’ 35 which were adopted by the Organization for Economic
Cooperation and development (OECD) in 1980, the ‘Convention for the Protection of Individuals
with regard to Automatic Processing of Personal Data’ 36 adopted by de Council of Europe (CoE)
in 1981, and the in 1990 published ‘Guidelines for the Regulation of Computerized Personal Data
Files’ 37 of the United Nations (UN).
38
The Directive, which is currently subject of a revision as a part of which the EU Commission has
proposed a comprehensive reform which ultimately has to lead to a single Regulation 39, is a great
31
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the
processing of personal data and the protection of privacy in the electronic communications sector (Directive
on privacy and electronic communications).
32
Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of
data genereated or processed in connection with the provision of publicly available electronic
communications services or of public communications networks and amending Directive 2002/58/EC.
33
See for (more information about) the Dutch Constitution www.denederlandsegrondwet.nl (in Dutch).
34
Wet van 6 juli 2000, houdende regels inzake de bescherming van persoonsgegevens (Wet Bescherming
Persoonsgegevens).
35
OECD Coucil, Guidelines on the Protection of Privacy and Trans-border flows of Personal Data, 23
September 1980, available at:
http://www.oecd.org/document/18/0,3746,en_2649_34223_1815186_1_1_1_1,00.html Last checked: May
2012.
36
Coucil of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of
Personal Data, 28 January 1981, available at:
http://conventions.coe.int/Treaty/Commun/QueVoulezVous.asp?NT=108&CL=ENG Last checked: May
2012.
37
UN General Assembly, Guidelines for the Regulation of Computerized Personal Data Files, 14
December 1990, available at: http://www.unhcr.org/refworld/docid/3ddcafaac.htm Last checked: May 2012.
38
M. Birnhack, ‘The EU Data Protection Directive: an engine of a global regime’, Computer Law & Security
Report 24 (2008), p.511.
13
attempt to serve the (conflicting) goals of protecting data subjects and facilitating free trade
especially within the internal market of the EU. 40 However, instead of presenting these goals as
conflicting, the Directive ties them together as is made clear in recitals 3 and 7 which state in
short that personal data can (and should) only flow freely across Member States when the
fundamental rights of individuals will be safeguarded within all these Member States.
It is therefore not surprising that the first article of the Directive holds the obligation of the Member
States to protect the privacy of individuals with respect to the processing of personal data, directly
followed by the prohibition of the Member States to restrict or prohibit the flow of data between
Member States for reasons connected with the level of protection of such data.
2.3 Scope and application of the Directive
As the Directive only offers protection to the processing of personal data (article 3), these terms
are defined in article 2. ‘Personal data’ is clarified as any information relating to an identified or
identifiable natural person i.e. data subject. 41 Further clarification can be derived from the
opinions of the Working Party on the Protection of Individuals with regard to Processing of
Personal Data. This so called Article 29 Working Party (29 WP) is constituted by article 29 of the
Directive and has primarily the task to advise the European Commission about uniform
application, interpretation and enactment of the Directive, and in general about the level of data
protection within the EU (article 30 of the Directive).
The Article 29 WP published a detailed document about the definition of ‘personal data’, which
shows that it is not always obvious whether or not in some cases information should be declared
as information which (possibly) identifies a natural person.42
On the basis of the mentioned document, the conclusion can be drawn that the 29 WP favors a
broad definition of ‘personal data’, which makes many data personal data. Just to name a few:
personal names, e-mail addresses, ip-adresses, identification numbers, unique combinations of
39
As this Regulation is only a proposal so far, the Directive will be subject of this thesis. Besides, the key
principles as known in the Directive will not be subject to change, although some rights will be
strengthened. More information about the proposed Regulation can be found on:
http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm (lasted checked: May 2012).
40
Which is shown by the recitals of the Directive, referring to both the right to privacy (recitals 2, 9-11, 68)
and economic and social progress and trade expansion (recitals 2, 56).
41
Artilcle 2 under a of the Directive.
42
Article 29 Data Protection Working Party, ‘Opinion 4/2007 on the concept of personal data’. 01248/07/EN,
WP 136. Accessible via: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2007/wp136_en.pdf. Last
checked: June 2012.
14
data like address, age and profession, and even cookies. 43 In case of European (semi-)
governmental bodies using cloud computing services, it is, due to this broad definition, inevitable
that personal data (concerning employees, officials, citizens etc.) is stored in the cloud.
‘Processing’ of personal data is another broad term meaning any operation or set of operations
which is performed on personal data, whether or not by automatic means such as collection,
recording, organization, storage, adoption, alteration, retrieval, consultation etc, ex article 2 under
b of the Directive. It is evident that storing personal data in a cloud is covered by this definition.
Because of its legal status, the provisions in the Directive do not have any direct legal effect. The
Member States therefore need to implement these laws into national legislation. In the
Netherlands for example, this has led to the Protection of Personal Data Act. 44 Although the
Directive, which gives a framework of minimum harmonization, makes sure that the national
legislation of all Member States provides an adequate level of data protection, a certain margin of
appreciation is left to the Member States to create the specific conditions of its data protection
regime. This off course leads to differences between the Member States.
As the Directive only applies through national laws, and these laws can differ per Member State
(although they are harmonized at a basic level), the question arises, particularly in case of transborder data processing (which is mostly the case when using cloud computing services), which
(national) legislation is applicable on the processing of personal data.
The Directive gives the answer to this question in article 4 which is titled ‘National law applicable’.
This article however, does not only give a regulation about the applicable (national) data
protection legislation within the internal market of the EU (being a mere choice of law provision,
i.e. a provision limited to the question of which EU Member State data protection law applies to a
particular act of data processing), but is also claimed to have extraterritorial effect: applicability of
a certain Member State’s law to non-EU parties, expanding the jurisdiction of that Member
State. 45
43
These examples are drawn from the whitepaper ‘De wolk in het onderwijs; privacy aspecten bij cloud
computing services’, a research conducted by TILT (Tilburg Institute for Law, Technology, and Society)
commissioned by SURFnet/Kennisnet, p. 17.
44
See note 34.
45
C. Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 1)’, International
Journal of Law and Information Technology Vol. 18, No. 2 (Oxford University Press 2010), published 11
March 2010, p. 180; but also: Article 29 Data Protection Working Party, ‘Opinion 8/2010 on applicable law’
0836-02/10/EN WP 179. Accessible via:
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp179_en.pdf.
15
The provision states that the data protection laws of the Member State apply, in which the
controller of the data is physically (‘the processing is carried out in the context of activities of an
establishment’ article 4 under 1a) or legally (‘the controller is not established on the Member
State’s territory, but in a place where its national law applies by virtue of international public law’
article 4 under 1b) located, or, if the controller is located outside the EU, in which the equipment,
automated or otherwise, is situated which is used by the controller for the purpose of processing
the data (article 4 under 1c).
The place of processing (i.e. the place where the data is stored) is according to the provision not
of relevance, nor is the nationality or the place of habitual residence of the data subject. It is the
location of the establishment of the controller which determines the applicability of the law – or if
the controller does not reside within the EU, the location of the equipment used by the controller
for the purpose of processing the data. 46 This clear connection between controller and applicable
law should be a guarantee of effectiveness and enforceability, especially in a context in which it is
hardly possible to determine the exact location of a file, as will often be the case with cloud
computing.47
The big question then is, who is the ‘controller’ of the data? Article 2 under d of the Directive
defines the term controller as the natural or legal person, public authority, agency or any other
body which alone or jointly with others determines the purposes and means of the processing of
personal data. The Article 29 WP has clarified this definition in one of its opinions, stating that the
determination of the purpose of the processing is a key issue which is always done by the
controller. The determination of the means can however be delegated (to a certain extent) to the
data processor as it concerns technical or organizational aspects like which hardware or software
shall be used. Other issues are inherently and traditionally reserved to the determination of the
controller such as which data shall be processed, how long they shall be processed, and who
shall have access to them. 48
The opinion further states that, as is laid down in the Directive, the controller is responsible for the
correct processing of the data and needs to ensure that the obligations which are laid down in the
data protection legislation (the Directive) are fulfilled. It is however possible that two or more
parties need be regarded as controller, although (depending on the actual influence and input)
46
We will soon find out that the E-privacy Directive does concern an essential issue in this regard, namely
the use of cookies. I will discuss this later.
47
Article 29 Data Protection Working Party, ‘Opinion 8/2010 on applicable law’ 0836-02/10/EN WP 179.
Accessible via: http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp179_en.pdf. Last checked:
June 2012.
48
Article 29 Data Protection Working Party, ‘Opinion 1/2010 on the concepts of “controller” and “processor”’
00264/10/EN WP 169. Accessible via:
http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_en.pdf. Last checked: June 2012.
16
the extent of liability can differ. When another party (legally independent of the controller) only
processes the personal data on behalf of the controller, it is recognized as a mere ‘processor’ 49
(which is defined as such in article 2 under e of the Directive).
Although the distinction between ‘controller’ and ‘processor’ seems fairly clear at first sight, it can
be rather difficult to distinguish them in case of cloud computing. One might think it is obvious that
the ‘customer’/end-user (being an individual or a business (group)/governmental body) is the
controller of the data and the cloud service provider a mere processor. Nevertheless, it is no
exception if the cloud service provider determines certain means and sometimes even the
purposes of the processing and thus acting as a controller. In the view of the nature of the cloud
services, which may be made clear in a contract, it should be determined case-by-case what role
is played, as that role implies which duties, obligations and relevant liabilities are carried. 5051
In its opinion of late 2010 which is an elaboration on the applicable law, the 29 WP also gave its
view on the interpretation of article 4 in regard to the question what an ‘establishment’ 52 of the
controller (article 4 under 1a) means. Uncertainty had arisen whether such an establishment had
to be understood as a head quarters only (narrow interpretation), or just any establishment (broad
interpretation).53 The 29 WP ended this discussion by confirming the broad interpretation,
explicitly acknowledging the fact that it could be possible that the laws of different Member States
apply at the same time. The purpose of this broad scope of application is primarily to ensure that
individuals are not deprived of the protection to which they are entitled under the Directive, and,
at the same time, to prevent circumvention of the law. The 29 WP however, does acknowledge
the advantages of a ‘country of origin principle’, which means that all establishments of a
controller within the EU are subject to the legislation of the Member State in which the head
quarters is established, but states that this principle can only be followed when all national laws
are truly harmonized including harmonization of safety obligations. 54
49
The processor has, according to article 17 of the Directive, also some obligations regarding safety
measures.
50
P. Balboni, Data Protection and Data Security Issues Related to Cloud Computing in the EU, Tilburg
University Legal Studies Working Paper Series, no. 022/2010, August 2010, p. 6-7.
51
The difficulty of determining the roles played by different parties in a cloud computing scenario is also
clearly illustrated in: R. Leenes, ‘Who Controls the Cloud?’, IDP. Revista de Internet, Derecho y Política no.
11 (2010), published December 2010.
52
The definition of the term ‘establishment’ has to be determined in conformity with the case law of the
European Court of Justice which gave a definition already in Case C-221/89 Factorame (1991) ECR 13905.
53
This discussion did also take place in the Netherlands and was clearly described by C. Cuijpers in
‘Toepasselijk privacyrecht in de wolk’, Computerrecht 2011/65 (in Dutch).
54
See note 42.
17
Like stated earlier, the Directive can also be applicable on the processing of personal data when
the controller is not (physically nor legally) located in the EU. Article 4 under 1c gives a regulation
which extends the scope of the Directive outside the EU when equipment is used for
gathering/processing personal data which is located on EU territory (meaning on territory of EU
Member States). Such equipment is quickly associated with computers, servers, inquiries etc.
The interpretation of the 29 WP55 does however cover a broader collection of tools. All human
and technical intermediaries seem to be concerned, including cookies56 and java scripts.57
This broad scope of the EU Data Protection Directive has not been undisputed, in particular in
cases concerning the Internet. Christopher Kuner points out that for example US government
officials have claimed that European data protection law has extraterritorial effect, and business
groups have complained about assertions of jurisdiction under the EU Directive, leading to
disputes with European data protection authorities (DPAs, article 28 of the Directive) about the
jurisdictional scope of EU data protection law. 58
Bernhard Maier points out that article 4 of the Directive is technically just a choice of law provision
instead of one allocating jurisdiction to national courts and DPAs. In his view, article 28 of the
directive, more precisely article 28 under 6, does the latter, determining that each DPA (each
country has his own) is to have jurisdiction over data processing occurring on its own territory,
and that there is no authority for a DPA to exercise jurisdiction except on its own territory.
Furthermore, DPAs are expected to cooperate with one another to the extent necessary for the
performance of their duties. In doing so, they prevent the simultaneous exposure to multiple
jurisdiction, as well as they emphasize cooperation to promote trust, confidence and of course
effective enforcement. 59
Kuner however, refers to article 4 of the Directive as the example of the close interface between
jurisdiction and choice of law. According to this author, article 28 under 6 seems to be as much
55
Article 29 Data Protection Working Party, ‘Working document on determining the international application
of EU data protection law to personal data processing on the Internet by non-EU based web sites’ WP 56,
5035/01/EN/Final, adopted on 30 May 2002. More recently: Article 29 Data Protection Working Party,
‘Opinion 1/2008 on data protection issues related to search engines’, WP 148, 00737/EN, adopted on 4
April 2008.
56
The view of the Article 29 WP corresponds with the regulation of cookies and spyware as laid down in
articles 5 (3) and 13 of the E-privacy Directive.
57
C. Cuijpers in ‘Toepasselijk privacyrecht in de wolk’, Computerrecht 2011/65.
58
C. Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 1), International Journal
of Law and Information Technology, vol. 18 no.2, Oxford University Press 2010, published on 11 March
2010, p. 177.
59
B. Maier, ‘How Has the Law Attempted to Tackle the Borderless Nature of the Internet?’, International
Journal of Law and Information Technology, Vol. 18 no. 2, Oxford University Press 2010, published 15
March 2010, p. 158.
18
about allocating the jurisdiction of the EU DPAs among themselves as it is about determining
what the proper boundaries of international jurisdiction under the Directive be. He states
furthermore that DPAs often (incorrectly) equate jurisdiction and choice of law, but concludes that
in the context of data protection law, both rules may serve much the same purpose.60 As article 4
does set up a structure for determining whether a Member State’s law applies, Maier agrees that
it is therefore relevant to the discussion of adjudicative competence. 61
Maier criticizes the expansive interpretation of the underlying concepts (‘personal data’,
‘controller’, ‘equipment’ etc.) of data protection law, which have the effect of making the whole
Internet subject to EU law. He underlines the issue of ‘regulatory overreaching’. Quoting
Bygrave 62, Maier states that such a practice comprises situations ‘in which rules are expressed
so generally and non-discriminatingly that they apply prima facie to a large range of activities
without having much of a realistic chance of being enforced’. To make things more concrete,
Maier points out that ultimately, the result of cookies being considered ‘equipment’ is that any
entity operating online and using cookies will, regardless of the location of its establishment,
(also) be subject to European data protection law, which will lead to problems like
unforeseeability, unpredictability and liability under a multitude of legal systems. 63
On the other hand Maier acknowledges that the broad interpretation (and thus the wide scope) of
the Directive enables the Member States to optimally protect their individuals. 64 This strong
protective element to data protection law, which derives from its origins in human rights law and
which is referred to by the 29 WP in its opinion on the applicability of the Directive 65, is also seen
by Kuner as the main reason why courts and DPAs are often concerned with ensuring that
personal data are not deprived of the protection of their national law (even) once they are
transferred outside their territory. He notes that, while enforcement actions can usually not be
taken against the entity processing the data once they have been transferred to a foreign country,
DPAs may assert that the processing abroad should be conducted under its own law (choice of
law), even if there is little or no chance of that law being enforced (jurisdiction). In other words: by
declaring EU law applicable to the processing of data transferred, the assertion of regulatory
60
See note 58, p. 179-180
61
See note 59, p. 159.
62
L. Bygrave, ‘European Data Portection - Determining Applicable Law Pursuant to European Data
Protection Legislation’, 2002 16 C.L.S.R., p. 255.
63
See note 59, p. 161.
64
See note 59, p. 162.
65
Article 29 Data Protection Working Party, ‘Working document on determining the international application
of EU data protection law to personal data processing on the Internet by non-EU based web sites’ WP 56,
5035/01/EN/Final, adopted on 30 May 2002, p. 3-5.
19
authority over these data is allowed without having the entity processing be subject to any legal
power of the EU Member States. So instead of asserting jurisdiction, declaring its own law
applicable to the processing of data, is used to protect the individuals of a EU Member State
against privacy infringements 66, albeit of a more symbolic character. Chapter 3 will provide more
insight in these jurisdictional issues.
2.4 Principles of the Directive
If it is clear that the Directive does apply, it gives certain basic rights to the data subject with
respect to his or her personal data, while requiring data controllers (and to a lesser extent
processors) to follow rules and restrictions with respect to the processing of these personal data.
The principles with which controllers must comply when processing personal data, are laid down
in article 6 of the Directive and require that the data must be:
-
processed fairly and lawfully;
-
collected for specified, explicit and legitimate purposes and not further processed in a way
incompatible with those purposes;
-
adequate, relevant and not excessive in relation to the purposes for which they are
collected and/or further processed;
-
accurate and, where necessary, kept up to date;
-
kept in a form which permits identification of data subjects for no longer than is necessary
for the purpose for which data were collected or for which they are further processed;
In the articles following article 6 of the Directive these principles are specified in a way that data
can only be processed lawfully after having obtained the data subject’s unambiguous consent (or
without its consent when one of the other criteria listed is met) 67, the data subject is provided
with the necessary information before the processing of the personal data68, appropriate technical
and organizational security measures to protect personal data against accidental loss, alteration,
unauthorized disclosure or access, and against all other unlawful forms of processing are
implemented, and, if made use of a processor, making sure the processor provides sufficient
guarantees in respect of the technical security measures and organizational measures governing
the processing to be carried out, and ensuring compliance with those measures.
66
See note 58, p. 180-181.
67
Article 7 of the Directive.
68
Article 10 and 11 of the Directive.
69
Article 17 of the Directive.
20
69
The Directive does however provide for an opportunity to limit the scope of the principles relating
to the quality of the data, information to be given to the data subject, right of access and the
publicizing of processing in order to safeguard aspects such as national security, defense, public
security, the prosecution of criminal offences, an important economic or financial interest of the
Member State or of the EU, or the protection of the data subject.70
Last but not least, on the base of article 25 of the Directive the controller is prohibited to transfer
personal data outside the territory of the EU Member States for processing, unless the third
country (Non-EU Member State) provides for an adequate level of protection , the data subject
has given his consent unambiguously to the proposed transfer or under the condition that other
procedures are in place as per article 26 of the Directive (for example ‘model contracts for
transfer of personal data to third countries’, the ‘safe harbor principles’ (for the US) or ‘binding
corporate rules’).
Personal data may thus not be transferred to a country outside the EU with the consequence that
the strict regime of data protection as offered by the Directive will be circumvented. Whether a
third country ensures adequate protection is assessed in accordance with applicable data
protection laws.
The EU Commission can determine that a third country does provide an adequate level of
protection (either as a whole or for specific areas within its territory). Member States are bound by
such a decision of the Commission. So far, only a few countries have been recognized providing
an adequate level of protection, namely Andorra, Argentina, Australia, Canada (if the data
recipient is subject to the Canadian Personal Information Protection and Electronic Documents
Act), Faeroe Islands, Guernsey, the Isle of Man, Israel, Jersey and Switzerland. 71 The USA is
only found adequate if the data recipient subscribes to the US Department of Commerce’s Safe
Harbor Privacy Principles. 72
These ‘safe harbor principles’ are an agreement between the EU Commission and the US
Government and function as a security label. Any company which is subject to the jurisdiction of
the Federal Trade Commission (FTC) may participate in the scheme. The US Department of
Transport is also recognized as a government enforcement body, so air carriers and ticket agent
70
http://europa.eu/legislation_summaries/information_society/data_protection/l14012_en.htm. Last
checked: September 2012.
71
A list with the decisions of the Commission on the adequacy of the protection of personal data in third
countries, can be found on http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm. Last
checked: May 2012.
72
R. Jones and D. Tahri, ‘An overview of EU data protection rules on use of data collected online’,
Computer Law & Security Review, 27 (2011), p. 635.
21
are permitted to join in. Participation is voluntarily and reached by declaring that they conform to
and comply with the safe harbor principles. Once they self-certify, companies are automatically
authorized to accept personal data transfers from the EU and do not need to achieve further
approval of the data protection agency or compliance with other regulatory requirements. Recent
research has shown though, that a lack of oversight by the US Department of Commerce (which
is burdened with that task) has led to fraud resulting in the use of the security label by several US
companies without them fulfilling the conditions set by the principles or even without subscription
to the scheme.
73
2.5. Cloud computing
In July 2012, the Article 29 WP presented its opinion on cloud computing.74 In this opinion the
Working Party analyzes the applicable law and obligations for controllers in the European
Economic Area (EEA) and for cloud service providers with clients in the EEA. In doing so, the
opinion outlines how the wide scale deployment of cloud computing services can trigger a
number of data protection risks.75 The main conclusion of the opinion is that business companies
or public bodies who wish to use cloud computing services, should conduct a thorough risk
analysis to ensure that the principles of the EU legislation on data protection are respected.
According to the Working Party, key elements in deciding whether or not to adopt such a service
should be security, transparency and legal certainty. 76
The opinion focuses mainly on the general issues which are related to cloud computing in
specific, like the risks of the sharing of resources with other parties, the risk of lack of
transparency of an outsourcing chain consisting of (sub)processors, and the lawfulness of data
transfers outside the EEA. Nevertheless, the opinion does not elaborate on the problems which
might arise when the processed data are (or become) subject to yet another legal regime, like
that of the United States of America. The 29 WP does however acknowledge this issue, showing
concern about the absence of a provision in the Commission proposal for a Regulation
prohibiting controllers operating in the EU from disclosing personal data to a third country if so
requested by a third country’s judicial or administrative authority, unless this is expressly
authorized by an international agreement or provided for by mutual legal assistance treaties or
approved by a supervisory authority. 77 Later on, I will elaborate on this matter more extensively.
73
See note 57.
74
Article 29 Data Protection Working Party, ‘Opinion 05/2012 on cloud computing’. 01037/12/EN, WP 196.
Accessible via: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinionrecommendation/files/2012/wp196_en.pdf. Last checked: November 2012.
75
Ibid., p. 2.
76
Ibid.
77
Ibid., p. 23.
22
2.6. Challenging US law
Up till now I only discussed the EU Data Protection Directive as being applicable on the
(personal) data stored in a cloud. This may however not be the only relevant law regime in case
of cloud computing. Although the Directive declares itself applicable in (almost) any case in which
cloud computing services are used by a European legal subject (whether it is a EU citizen,
business (group) or governmental body) and personal data are processed (which is nearly always
the case, as mentioned above), other laws of other countries may affect the data (processing)
too. Many times these laws do not concern the data processing as such (like the Directive),
neither do they provide a (strict) regime of data protection (the lack of which is the reason why the
Directive prohibits data transfers to third countries), but otherwise they can still be of relevance
because they can affect the accessibility or disclosure of the information.
Because of the nature of cloud computing, namely that data is stored on several servers
throughout the entire world, the legal frameworks of every country could be relevant.
Nevertheless, this thesis does not aim at getting insight in all legal frameworks concerning privacy
and data protection in regard to cloud computing around the world. In the light of the research
question as presented in the ‘Introduction’ plus the fact that most cloud service providers have an
American origin and make use of ‘server farms’ 78 which stand on US soil, I will focus on US law
only. To begin with US privacy regulation.
Whereas EU law identifies privacy as a fundamental right, US law conceives of privacy as one
interest among others. 79 Unlike the situation in the EU, privacy is not explicitly protected by the
Constitution of the US. Americans however, have traditionally considered privacy a valued right.
The government did pass some laws specifically guarding individual privacy, but historically
Americans have been more concerned with government violations of privacy than with private
sector intrusions. 80
This thought reflects in the Fourth Amendment of the Constitution, which should form a shield to
protect citizens against unnecessary and too radical restrictions of their privacy by stating that
‘the right of the people to be secure in their persons, houses, papers, and effects, against
unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon
78
The term ‘server farm’ is used to refer to a collection of servers (hard ware) that are connected, and thus
has a total capacity that is far beyond the capacity of a regular/singular computer, and which forms part of a
network (often the Internet). Server farms are yet to be seen as major hard drives which can be used by
computers who are connected to the network they are part of, for example to store data on.
79
A. Raul, E. McNIcholas and E. Jillson, ‘Reconciling European Data Privacy Concerns with US Discovery
Rules: Conflict and Comity’, G.C.L.R. issue 3 2009, p. 119-120.
80
J. Strauss, K. Rogerson, ‘Policies for online privacy in the United States and the European Union’,
Telematics and Informatics vol. 19 (2002), p.175.
23
probable cause, supported by Oath or affirmation, and particularly describing the place to be
searched, and the persons or things to be seized.’ 81
The scope of the protection offered by the Fourth Amendment is however limited. Firstly because
of the fact that it only concerns ‘searches and seizures’ (in a criminal investigation). Secondly
because it only protects US citizens and US residents, as was declared by the US Supreme
Court. 82 Hence, non-US citizens which do not reside within the US may not rely on it. 83
To date the US have not chosen for a federal approach of data protection on the base of a single
piece of law comparable to the EU Directive (and alike the Fourth Amendment concerning ‘search
and seizures’). It has rather taken a sectoral approach, relying on a combination of legislation,
regulation and self-regulation. Consequently, the (scarce) legislation on data protection has been
ad hoc and piecemeal. The result is a highly variable pattern across sectors, in which some
operate to the standard of the EU Directive, while others fall far short of it. 8485
It is however not only this lack of structural data protection legislation in the US that is of great
concern in regard to the use of cloud computing by EU subjects, as other US laws which may be
applicable can demand actions of controllers or processors of data that are not in line with the
principles as prescribed by the EU Directive. In that manner, deliberately created US legislation
challenges EU law and puts the person(s) responsible for the processing of information in a
rather difficult position.
One of these laws 86 which is often called 87 to challenge (the principles of) the EU Directive is the
USA PATRIOT ACT (Patriot Act). This acronym for Uniting and Strengthening America by
81
Text and back ground information about the Constitution can be found on:
http://caselaw.lp.findlaw.com/data/constitution/amendment04/
82
United States v. Verdugo-Urquidez, 494 U.S. 259, 265 (1990).
83
See note 80.
84
P. Carroll, ‘Standards of Data Protection’, Computer Fraud & Security vol. 2012 issue 2, February 2012,
p. 5-7.
85
A clear view on the differences between the US approach and the EU approach on data protection is
found in S. Hinde, ‘Privacy Legislation: a comparison of the US and European approaches’, Computer &
Security vol. 22 issue 5, July 2003, p. 378-387.
86
For the sake of completeness I have to mention that the Patriot Act is not the only law that challenges EU
law. The US discovery rules which apply in a civil litigation do also raise concern. This problem is described
in: ‘A. Raul, E. McNicholas and E. Jillson, ‘Reconciling European Data Privacy Concerns with US Discovery
Rules: Conflict and Comity’, Global Competition Litigation Review Issue 3, 2009.
87
See for example: C. Cuijpers in ‘Toepasselijk privacyrecht in de wolk’, Computerrecht 2011/65; and the
whitepaper ‘De wolk in het onderwijs; privacy aspecten bij cloud computing services’, a research conducted
by TILT (Tilburg Institute for Law, Technology, and Society) commissioned by SURFnet/Kennisnet; or: A.
24
Providing Appropriate Tools Required to Intercept and Obstruct Terrorism 88, is a reaction to the
9/11 attacks on the Twin Towers of the World Trade Center in New York.
The Patriot Act is a complex piece of legislation which provides far reaching powers to the federal
police, department of justice and intelligence agencies with respect to counter-terrorism law
enforcement, trying to strike a balance between national security and the protection of rights of
individuals. It was adopted by a great majority of the American Congress and signed by the
president George W. Bush on the 26th of October 2001. The Act holds provisions which amend or
complement more than 15 existing laws 89 concerning several subjects in different fields of law,
such as immigration, money laundering, border protection, intelligence sharing (between
governmental institutions), and the prosecution of terrorists.
90
Many provisions of the Patriot Act
were, due to their controversial character, set to expire within five years (so called ‘sunset’
provisions). 91 Therefore, the USA PATRIOT Act Improvement and Reauthorization Act92 was
(needed to be) adopted in 2005 which extended the validity of most provisions (while at the same
time some changes were made concerning some provisions which raised questions of
(un)constitutionality 93). President Obama extended the validity of the key provisions of the Patriot
Act with four years again in 2011.94
95
Engelfried, ‘Waarom is de Patriot Act nou eigenlijk een problem voor cloudgebruikers?’, published 17
October 2011 on http://www.hostingrecht.nl/telecommunicatie/waarom-is-de-patriot-act-nou-eigenlijk-eenprobleem-voor-cloudgebruikers/ (last checked June 2012). But also: Z. Whittaker, ‘Case study: How the
USA PATRIOT Act can be used to access EU data’ published 26 April 2011 on
http://www.zdnet.com/blog/igeneration/case-study-how-the-usa-patriot-act-can-be-used-to-access-eudata/8805 (last checked June 2012).
88
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct
Terrorism (USA PATRIOT ACT) Act of October 2001, Pub. L. No. 107-56, 115 Stat. 272, available at
http://frwebgate.access.gpo.gov/cgibin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ056.107.pdf Last checked: May 2012.
89
To name just a few: Foreign Intelligence Surveillance Act (FISA); Federal wiretap laws; Electronic
Communications Privacy Act of 1986 (ECPA); Computer Fraud and Abuse Act (CFAA); Family Education
Rights and Privacy Act (FERPA).
90
P. Bal, ‘De USA Patriot Act I en II; ongekende uitbreiding van bevoegdheden in de strijd tegen het
terrorisme’, Strafblad 2004, p. 279-280.
91
J. Kollar, ‘USA PATRIOT Act, the Fourth Amendment, and Paranoia: Can They Read this While I’m
Typing?’, Journal of High Technology Law 67 (2004), p. 74.
92
USA PATRIOT Improvement and Reauthorization Act of 2005, Public Law No. 109-177, 120 Stat. 192.
93
Section 505 of the Patriot Act. See for example: Doe v. Ashcroft, Southern District of New York, 29
September 2004, 04CV2614.
94
‘Patriot Act Extension Signed By Obama’, published 27 May 2011 on
http://www.huffingtonpost.com/2011/05/27/patriot-act-extension-signed-obama-autopen_n_867851.html
95
The PATRIOT Sunsets Extensions Act of 2011 (H.R. 514) Public Law. 112-14 (May 26th 2011).
25
Because of its massive scope and reach, which can and will not be dealt with in the context of
this thesis 96, the Patriot Act soon became a ‘flashpoint of controversy in the contemporary civil
liberties lexicon’ 97, constraining several civil rights. This controversy is mainly due to the fact that
significant changes were made to the Foreign Intelligence Surveillance Act (FISA: Title 50 USC
§ 1801-1885c) 98, blurring the line between foreign intelligence activities and the ‘usual’
prosecution of (conventional) domestic crimes. Besides, the Patriot Act greatly expanded the
statutory authority to require disclosure of records or any tangible object to federal investigators
while making it a crime to report that the disclosure had been requested and/or made. 99
In particular the use of National Security Letters and FISA orders changed due to the USA
PATRIOT Act. 100 Based on the FISA, it was already possible for US investigative institutions (CIA
and FBI) to gather information about activities of non-US citizens (especially foreign
powers/agents) via so called FISA orders. This information is not meant to be used in court to
prove criminal matters, which implies that the US government does not need to have any clue of
a probable cause to justify the collection of the information.101 Judicial review is provided by
special FISA courts (FISC), but the review is very minimal and it most often takes place in secret.
The persons concerned do usually not even get to know that they are subject to an
investigation. 102
The Patriot Act, inter alia section 215, expands the scope of the use of FISA orders ex Section
1861 of Title 50 USC (concerning the collection of business records in case of suspicion of
espionage or terrorism), which means that the judicial review in many more cases is minimized,
probable cause is no longer needed, and the scope of materials sought for is enlarged to ‘any
tangible things’, which includes books, records, papers, floppy disks, data tapes, computers and
96
To get an insight in the provisions of the USA PATRIOT Act and the way it enhances law enforcement
(providing far reaching powers to investigative institutions), see: P. Bal, ‘De USA Patriot Act I en II;
ongekende uitbreiding van bevoegdheden in de strijd tegen het terrorisme’, Strafblad 2004 p. 279-288; or:
J. Kollar, ‘USA PATRIOT Act, the Fourth Amendment, and Paranoia: Can They Read this While I’m
Typing?’, Journal of High Technology Law 67 (2004), p. 67-94.
97
See note 91, p. 67-68.
98
Foreign Intelligence Surveillance Act of 1978, Public Law 95-511 October 25, 1978, 92 Stat. 1783.
99
P. Swire, ‘The System of Foreign Intelligence Surveillance Law’, George Washington Law Review vol. 72
(2004), freely accessible via: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=586616 (lasted checked:
June 2012), p. 5.
100
The relevant sections of United States Code as referred to in the upcoming pages are not integrally
included in this text. A selection of the provisions can be found in Appendix I of this thesis.
101
See note 90, p. 282.
102
Ibid.
26
their hard drives, and any type of record in any format. 103 Besides, the mentioned FISA orders
can now be used even if the gathering of information is not the primary goal, but just a significant
factor. That way the division between counterintelligence and the more straightforward criminal
investigation (of domestic crimes) has faded. 104 This expansion of the FISA powers mainly affects
American citizens, because by using FISA orders the requirements set in the Fourth Amendment
of the Constitution (concerning searches and seizures) are easily circumvented. 105 Non-US
citizens could already not rely on the protection offered by the Constitution.
Another controversial measure that was introduced by the USA PATRIOT Act, is the expansion of
the use of National Security Letters (NSLs), often holding the requirement of nondisclosure and
therefore also called ‘gag-orders’. This is arranged in section 505 of the Patriot Act, which led to
much discussion about the constitutionality of NSLs. 106
National Security Letters are tools given by several laws to the FBI, inter alia the Electronic
Communications Privacy Act (ECPA: Title 18 USC § 2510-2522, §2701-2712, §3121-3127)107, to
request certain information. As a result of the cumulative effect of the NSL authorities provided for
in the mentioned laws, the FBI is granted access to subscriber information, toll billing records,
electronic subscriber information, electronic communications transactional records, financial
records, identification of financial institutions and consumer identifying information.108
Section 505 of the Patriot Act, amending Section 2709 (b) of Title 18 USC, provides a regulation
according which the FBI can demand disclosure of information about users from Internet service
providers through a NSL 109, which lead to a dramatic rise in the range and frequency of the uses
of NSLs. 110
103
Title II of the USA PATRIOT Act.
104
See note 91, p. 84-86.
105
See note 90, p. 282.
106
U. Gorham-Ocilowski and P. Jaeger, ‘National Security Letters, the USA PATRIOT Act, and the
Constitution: The tensions between national security and civil right’, Government Information Quarterly vol
25, issue 4, October 2008.
107
Electronic Communications Privacy Act of 1986, Pub.L. 99-508, 100 Stat. 1848, enacted October 21,
1986. Other laws which grant the FBI authority to use NSLs are the Right to Financial Privacy Act, National
Security Ac and the Fair Credit Reporting Act.
108
See note 106.
109
See note 90, p. 282.
110
See note 106.
27
At first, such a demand for information could only be given when there was a suspicion of
espionage and the issuance was approved for by the FBI headquarters. The Patriot Act took
away both requirements in a way that an individualized suspicion was no longer needed, the case
did no longer need to concern espionage and FBI headquarters’ approval was no longer required
in all cases. The FBI does not need to have a judicial authorization to send a National Security
Letter, neither can the order be appealed in court. And of course, the Internet service provider is
deemed to keep the disclosure of information secret. 111
Section 505 came under fire because it was seen as a violation of the First and Fourth
Amendment of the Constitution: it limited the free speech through the requirement of
nondisclosure (secrecy); it did not provide an opportunity for judicial review (prior to the issuance
of a NSL or even afterwards); and the government could get a NSL too easily, more specific
because of the fact that no individualized suspicion was needed. In Doe v. Ashcroft 112 the court
acknowledges that Section 2709 of the ECPA was alien to the First and Fourth Amendment.
Hence the court suggested that the NSL statutes could not withstand constitutional scrutiny
unless more explicit provisions were made for judicial review and permissible disclosure by
recipients.
113
Through the Reauthorization Act the US government amended the regulation concerning NSLs,
trying to take away the conflict with the Constitution by introducing (in Section 115) a possibility
for the recipient of a NSL to petition the US district court ‘for an order modifying or setting aside
the request’. Such an order will be given by the courts if complying to the request would be
unreasonable, oppressive, or otherwise unlawful.114
Furthermore section 116 of the Reauthorization Act puts limits to the nondisclosure in a way that
disclosure of the request remains prohibited when doing so ‘may endanger the national security
of the US, interfere with a criminal, counterterrorism, or counterintelligence investigation, interfere
with diplomatic relations, or endanger the life or physical safety of any person.’ This means that
when nondisclosure is deemed necessary by the authorities, a nondisclosure order should be
attached to the NSL. This nondisclosure order could be appealed too. 115
111
See note 90, p. 282.
112
See note 93.
113
See note 106.
114
Ibid.
115
Ibid.
28
Critics however do state that the changes which are brought forward by the Reauthorization Act
have not effectively eliminated the constitutional shortcomings of the USA PATRIOT Act. There
still is no prior judicial review. Moreover, it is unlikely that a court would overturn a request on the
ground that it is unreasonable or oppressive, and in case of petition for judicial review of a
nondisclosure order, the court has no authority to actually weigh factors in determining whether a
gag is appropriate.116 Moreover, critics stress the fact that the Reauthorization Act did not raise
the bar in terms of the showing required before issuance of a NSL. They urge that at least
specific and articulable facts that the individual is a terrorist or is reasonably suspected of being
associated with such a person in suspicious circumstances, should be required before issuing a
NSL. 117
Although the Patriot Act has been made an icon of the far reaching expansion (of the scope of)
investigative powers of American intelligence agencies, the recently published IViR-report118
justly indicates that other pieces of legislation greatly contribute to the increase of investigation
rights too.
The most important act in this regard, providing the most radical (alteration of) regulation, is the
FISA Amendments Act (FAA) 119, which introduced a new regulation regarding the right to collect
data of non-US citizens residing outside the US by US foreign intelligence agencies for the sake
of national security. This Section 1881 of Title 50 USC is applicable to different kinds of electronic
communication services, including telecommunication services, electronic communication
services and remote computing services. The latter means, according to Section 2711 (2) of Title
18 USC, ‘the provision to the public of computer storage or processing services by means of an
electronic communications system’. Hence it includes cloud computing services. 120
Section 1881 of Title 50 USC differs from Section 1861 of Title 50 USC which was altered by the
Patriot act as mentioned before, in a way that it offers a broader definition of foreign intelligence
information that can be collected. It focuses on the gathering of foreign data in general, not just
116
Ibid.
117
Ibid.
118
J. van Hoboken, A. Arnbak, N. van Eijk and N. Kruijsen, ‘Cloud diensten in hoger onderwijs en
onderzoek en de USA patriot act’, a research report commissioned by IViR, University of Amsterdam,
September 2012. To be found on:
http://www.surfsites.nl/cloud/download/Clouddiensten_in_HO_en_USA_Patriot_Act.pdf, last checked
October 2012.
119
Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008 (H.R. 6304), Public Law 110-261
July 10 2008, 122 Stat. 2436. Reauthorized by FAA Reauthorization Act of 2012 (H.R. 5949), Public Law
September 11 2012,
120
See note 118, p. 16.
29
on the collection of business records in case of suspicion of espionage or terrorism. The legal
definition of foreign intelligence information 121 is extensive, including information about foreign
powers or regions regarding national defense, national security or acts of US foreign affairs.
Besides, the gathering of such information need not be the primary goal, nor does the subject of
investigation need to be a foreign power, like a terrorist or foreign spy. 122 It does not even have
to concern a suspicious individual, but can also affect NGO’s or geographical regions. 123 The few
safeguards against abusive use of the possibilities offered by Section 1881 of Title 50 USC 124,
are designed to make sure that the protection offered by the Constitution is not hampered. As
mentioned earlier, only US citizens and US residents are covered by the Constitution. Hence,
non-US citizens residing outside the US do not get any (significant) legal protection.125
In short aforementioned comes down to the expansion of the possibilities of federal investigative
institutions to gather information, like stored data in a cloud, on non-US as well as US persons by
broadening the definitions of ‘terrorism’ and by lowering the conditions for using wire taps and
conducting searches and seizures, while at the same time judicial oversight is diminished to an
absolute minimum and secrecy is often required of all persons involved. 126
Therefore the US government is assumed to have easy access to data which is stored in a cloud
by simply demanding (in some cases even without a court order) the cloud service provider to
disclose such data in the context of an(y) investigation, without the person concerning the data
(the data subject) getting to know about this (unauthorized) disclosure.127
121
Section 1801 (d) of Title. 50 USC.
122
Section 1801 (a) of Title 50 USC.
123
See note 118, p. 19.
124
The safeguards mainly exist out of review by the FISC (FISA Court) on certain points.
125
See note 118, p.18-19.
126
See note 90.
127
Whitepaper ‘De wolk in het onderwijs; privacy aspecten bij cloud computing services’, a research
conducted by TILT (Tilburg Institute for Law, Technology, and Society) commissioned by
SURFnet/Kennisnet, p. 23 and 42; C. Cuijpers in ‘Toepasselijk privacyrecht in de wolk’, Computerrecht
2011/65; Z. Whittaker, ‘Case study: How the USA PATRIOT Act can be used to access EU data’, published
26 April 2011 on: http://www.zdnet.com/blog/igeneration/case-study-how-the-usa-patriot-act-can-be-usedto-access-eu-data/8805?pg=6&tag=content;siu-container. Last checked: June 2012.
30
The US government128 as well as some authors, on the other hand, point out that the Patriot Act
is not at all the ‘executive grab for power’ 129 that others portray it as. Maxwell and Wolf subscribe
to the view that most of the investigatory methods in the Patriot Act were already available long
before it was enacted, but acknowledge the expansion. Moreover, they stress the fact that these
investigative tools had, and still have under the Patriot Act, limitations imposed by the US
Constitution and by statute to prevent abuse. Furthermore these authors point out that on the
base of legislation, the US government does not have access to data stored in a cloud more
easily than any other government (including EU governments) in the world.130
131
In the next
paragraph I will pay short attention to the possibilities to access data in the European Union.
Dinh underlines the fact that the Patriot Act is to be understood as a necessary tool to fight
terrorism while observing the cherished liberties of Americans. In his view the Patriot Act
succeeds in striking this balance, by improving the cooperation between US investigation
agencies, expanding their powers while restraining them.
132
One can strongly argue that fighting terrorism is a noble and respectable goal. States will of
course need to have the powers to prevent what happened on 9/11. And of course, citizens are
willing to help reach that goal. But at what cost?
In essence, the Patriot act is just a piece of anti-terrorist legislation as any other. A tool to prevent
America from another horror. But it is one that comes with a high price. When a government
needs to fight against something as abstract as terrorist organizations, they must be able to fight
against anything and anyone. The Patriot Act provides the tools to do just that. Eventually,
anyone can be a terrorist, and if you are not, why would you have anything to hide?
In his essay 133 Daniel Solove shows that the assumption that lays at the base of just this
question, namely that privacy is about hiding a wrong, holds a too narrow conception of privacy.
128
There even is a government website to distinguish between ‘myths’ and ‘facts’ concerning the USA
PATRIOT Act: http://www.justice.gov/archive/ll/subs/u_myths.htm.
129
V. Dinh, ‘USA Patriot Act’, German Law Journal vol. 5, no. 5 2004, p. 467.
130
W. Maxwell and C. Wolf, A Hogan Lovells White Paper; A Global Reality: Governmental Access to Data
in the Cloud, published 23 May 2012.
131
These authors direct to the existence of Mutual Legal Assistance Treaties (MLATs). I will discuss MLATs
in the next chapter.
132
See note 118.
133
D. Solove, ‘ “I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy’, San Diego Law Review
vol. 44 2008, p. 745.
31
Instead of pointing to things that people do actually want to hide, the author ‘reveals the flaw of
the nothing to hide argument at its roots.’ 134
Solove remarks that instead of thinking of privacy as a form or a right of concealment or secrecy,
which has a relatively low value in comparison to (national) security, it should be understood ‘as a
set of family resemblances.’ 135 This means that privacy is not reducible to one singular essence;
it is a plurality of different things that do not share one element in common but that nevertheless
bear a resemblance to each other.
Due to this pluralistic view on privacy, the (social) value of privacy is different depending upon
which particular problem or harm is being protected.136 In regard to investigative powers of US
government authorities, Solove demonstrates that concealment of bad things is just one among
many problems, pointing to possible chilling effects of ‘dataveillance’, lack of transparency which
makes it impossible to know what information is (all together) known, the absence of a possibility
to know about how the information is used, as well as being barred from being able to access and
correct errors in the data, and the problem of ‘secondary use’: the potential future uses of any
piece of personal information.137
Furthermore Solove notes that although most privacy problems lack dead bodies as well as a
major spill (most often they are the result of a slow series of relatively minor acts which gradually
add up), they are still harmful, involving violations of trust within a relationship as well as power
imbalances.138
So I am willing to believe the best, namely that the US government can be trusted and will use
our personal information confidentially, in a proper manner and only for the right reasons. Yet still
the conclusion may be drawn that it might not be necessary to place any government in a position
that it can just as easy as that look into our lives. Knowledge, even seemingly trivial, leads to
power and power can be used in a wrong way. Therefore, and in Europe this thought might be
stronger than anywhere else in the world, the governments should remain at a proper distance
from the people as long as there is no good reason (i.e. probable cause) to interfere.
134
See note 133, p. 764.
135
See note 133, p. 756.
136
See note 133, p. 763.
137
See note 133, p. 764-767.
138
See note 133, p. 770.
32
The same conclusion is also drawn by Solove at the end of his essay. 139 Remaining at a proper
distance in this sense does not (necessarily) have to mean that a particular government
information collection activity should be barred, but does imply a certain – sufficient - degree of
transparency, accountability and oversight in such cases. The question is, does the USA
PATRIOT Act keep the government at a great enough distance?
Based on the information given in this paragraph, I would have to answer no. Due to the
enormous scope of the provisions, the nondisclosure requirements and the minimal judicial
oversight, it is my opinion that the US government does not succeed in reaching a sufficient level
of transparency, accountability and (judicial) supervision in the way it uses its far reaching
investigative powers, at least in case non-US citizens residing outside the US are concerned.
2.7. Access to data in the European Union
The attribution of far reaching powers to investigative authorities in the USA is not unique in the
world. In the European Union, authorities are entitled to do much of the same. The Data
Protection Directive which I discussed earlier, also acknowledges situations in which authorities
demand disclosure of data. 140 There are however some differences.
I started this chapter with the notion that the right to privacy has taken a prominent position in the
European legal systems and that it can be found in both international and national laws. Article 8
of the European Convention on Human Rights (ECHR) should be seen as the most important one
in this regard. This provision is always applicable to acts within the jurisdiction of the countries
which are party to the ECHR (which are (at least) all Member States of the European Union),
regardless citizenship, origin or residence. So its protection has, in contrast with the protection
offered by the Fourth Amendment, a very wide range.
Besides, the prominence of the right to privacy on the European continent, is shown by the fact
that each infringement of one’s privacy should be ruled by law. So the right to privacy must be
understood as a given, the infringement of it as the exception. In the US on the contrary, one’s
privacy - in case the Fourth Amendment does not give shelter - is only protected when ruled so
by law. 141 I must however remark that the US Supreme Court does recognize a general right to
139
See note 133, p. 771.
140
Data may be disclosed without the unambiguous consent of the data subject on the base of an obligation
prescribed by law ex art. 16 of the Directive.
141
See note 118, p 23.
33
privacy in the Constitution, although the Constitution does not hold such a right explicitly. 142 This
right to privacy (perhaps due to the fact that it lacks a clear basis in the Constitution) is yet less
prominent than its European counterpart.
The condition that infringements of article 8 ECHR (i.e. privacy infringements) should be ruled by
law, is created by the European Court of Human Rights (ECtHR) in its massive case law. The
court has provided a set of criteria which should be met to legitimize the infringement. To be
legitimate, an infringement should be (1) in accordance with the law, (2) pursue a legitimate aim
and (3) be necessary in a democratic society. 143
By doing so the ECtHR obliges European governments to lay down investigative powers and
safeguards regarding government access to data and the content of communication in
legislation. 144 The Court justifies these strict conditions by stating that society should be informed
about privacy infringements by governments, that governments should be able to solidly justify
the public interest of data mining, and that citizens should be able to defend themselves against
government access.145
Opposite the privacy legislation stand the European rules providing investigative tools, which
interfere with the right of privacy. Although regulation of information disclosure abilities of
authorities has become possible since the ratification of the Lisbon Treaty, the European Union
has not taken any action in this field yet. Up till now, each Member State makes its own rules
regarding this subject (which are of course still subject to binding European rules like article 8
ECHR). 146
It is however beyond the scope of this thesis to give a detailed overview of the legal possibilities
to demand disclosure of information of all Member States of the EU. The authors of the IViR
report nevertheless note that the legal possibilities to gather information in the EU are similar to
the abilities in the US, pointing to the examples of systematic monitoring of cross-border
telecommunication without court order in Sweden and the proposed Communications Data Bill in
the United Kingdom, providing far reaching powers to demand disclosure of Internet data. 147 It is
142
Griswold v. Connecticut, 381 U.S. 479 (1965).
143
See for example ECtHRM 26 April 1979 (Sunday Times v. UK).
144
See for example ECtHRM 1 July 2008 (Liberty v. UK).
145
See note 118, p. 22-23.
146
Ibid.
147
See note 118, p. 24.
34
important in this respect to stress the fact that however far reaching legal possibilities may be
created by Member States, the overarching strong European privacy regime ultimately governed
by article 8 of the ECHR is ever present, offering protection against and prevention from
unjustified (abusive) use of privacy infringing investigation methods by ensuring a basic (yet high)
level of transparency, accountability and judicial oversight.
Furhtermore, the IViR report, in regard to European corporation in this field, rightfully points to the
review of the Data Protection Directive, which is proposed to be replaced by a Regulation.148 In
this perspective the Article 29 Working Party remarks in its Opinion concerning cloud computing
in regard to access to personal data for national security and law enforcement purposes the
following:
‘It is of the utmost importance to add to the future Regulation that controllers operating in the EU must be
prohibited from disclosing personal data to a third country if so requested by a third country’s judicial or
administrative authority, unless this is expressly authorized by an international agreement or provided for by
mutual legal assistance treaties or approved by a supervisory authority.’ 149
Such a prohibition is however not included in the latest proposal for a new Regulation 150,
although earlier versions did hold such a provision. 151 The Working Party is aware of this gap in
the Regulation and stresses the need to include the obligatory use of Mutual Legal Assistance
Treaties (MLATs), which will be the center of attention at the end of the next chapter, in case of
disclosures not authorized by Union or Member States Law. 152
2.8. Conclusion
Based on the information given in this chapter, the conclusion may be drawn that the USA
PATRIOT Act, although I cannot find any direct clues which point in the direction of ‘abusive use’
148
See note 118, p. 23.
149
See note 74, p. 23.
150
European Commission, Proposal for a Regulation of the European Parliament and of the Council on the
protection of individuals with regard to the processing of personal data and on the free movement of such
data (General Data Protection Regulation), Brussels, 25 January 2012, COM (2012) 11 final, 2012/0011
(COD).
151
Article 42 of the proposed Regulation version 56. European Commission, Proposal for a Regulation of
the European Parliament and of the Council on the protection of individuals with regard to the processing of
personal data and on the free movement of such data (General Data Protection Regulation), version 56, 29
November 2011 (leaked draft), http://www.statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-serviceconsultation.pdf. Last checked: November 2012.
152
See note 74, p.23.
35
of the power laid down therein by the US government 153, seems to provide too short a distance
between the people (especially non-US citizens residing outside the US) and their privacy on the
one hand and the government and its fight against crime and terrorism on the other. Further
research would however be necessary to give a more exact answer to the question whether or
not the basic principles of the EU legislation concerning privacy and data protection are actually
infringed by the US government due to the powers attributed to US authorities through antiterrorism legislation like the Patriot Act.
For now I would conclude that the lack of transparency on US side on the use of the possibility to
request disclosure of certain data in a cloud, which is foremost caused by the requirement of
secrecy of disclosure combined with the minimal judicial oversight, makes it hardly possible to
determine whether or not the actual use of the powers provided by the USA PATRIOT Act are in
line with the EU perception of the need to protect individuals against privacy infringements.
The obligation for both private and public parties to account for privacy infringing acts is the key
element of the European idea of privacy and data protection. As long as the US government is
not clear (transparent) about the exact use of the possibilities offered by their anti-terrorism
legislation, there is no way they can account for any of it, nor can they be held accountable. Due
to this lack of accountability the US government shows great disrespect for the valuable interests
of (its) citizens.
Therefore, in my opinion, it is justified to suppose that the Patriot Act offers the possibility to
access data which is not in conformity with EU morals and thus – although the EU Directive
provides that data may be disclosed without the unambiguous consent of the data subject on the
base of an obligation prescribed by law 154 – conflicting with the EU Directive.
As the Patriot Act is a US law, it will of course only have legal effect within the US jurisdiction, so
the data must then in any way be within this US jurisdiction. These jurisdictional issues will be
dealt with in the next chapter.
153
Which is directly related to the fact that in most cases absolute secrecy is required from the parties
involved.
154
Article 16 of the Directive.
36
3. Towards a European cloud
In the previous chapter we saw that different laws can be applicable on data which is processed
in case of cloud computing. Moreover, these laws can conflict with each other, especially taken
into account that the European laws concerning data protection provide (and therefore also
require) a high level of protection which is not at all times met by laws of other countries.
When a European legal subject wants to make use of cloud computing services in a truly safe
manner, meaning that its data are at least given the minimum protection required by the
European Union, there should be no way that foreign governments, especially the United States
of America, could have legal access to data stored in the cloud based on their own - in this case
American – legislation (instead of European rules).
Therefore, it is time to focus on the core question of this thesis: what criteria should a cloud
computing service meet to make sure that European governments could make use of it without
the fear of foreign (non-EU) countries (especially the United States of America on the base of its
USA PATRIOT Act) glancing through the stored data without authorization of the rightful
owner(s).
This question shall be answered in the upcoming chapter. First I will focus on the question how a
‘clash’ of laws can be prevented. In other words: is it possible to create a cloud computing service
which is subject to a single legal regime, namely that of the European Union (or at least that of its
member states)? In this regard I will discuss the rules of (international) jurisdiction.
3.1. Exclusive jurisdiction
The first question to be answered is clear: is it possible to exclude all jurisdictions but the
jurisdiction(s) of the member states of the European Union which I will from now refer to as
‘European jurisdiction’ 155.
3.1.1. International jurisdiction and its bases: a general introduction
To answer this question, we first have to look into the concept of jurisdiction itself. It all starts with
the mutual respect of states to their sovereignty and the absence of interference with aspects by
which sovereignty is manifested by other states. ‘Territoriality to that extent is an inevitable
155
I again stress the fact that there is no such thing as ‘European jurisdiction’. The European Union as such
has no jurisdiction of its own, only the jurisdiction of the countries which are part of it. European jurisdiction
is therefore a fiction only used in this thesis to easily refer to a jurisdiction which is limited to the whole of
jurisdictions of the Member States of the European Union.
37
consequence of sovereign equality of states and peaceful coexistence’ as stated by Sachdeva.156
Reasons of political practicality and the idea of absolute boundaries and sovereign power within
them, were accordingly at the roots of jurisdictional principles. 157
It is therefore not surprising that professor Kooijmans starts its description of the concept of
jurisdiction with an explanation of territorial jurisdiction: the exclusive power of a state to govern
its territory by setting, implementing and enforcing rules, which has to be understood as a
component of the sovereignty of state. Although there are some limitations158 in regard to the
scope of this exclusive jurisdiction, each state has the right to rule its territory and all people who
reside within regardless their nationality conform its own discretion.
159
Kuner also starts his essay about the issue of (international) jurisdiction in data protection law
with territoriality as a jurisdictional base. He points out that jurisdiction under this principle is
based on acts that have been committed within the territoriality of the state in question, but also
remarks that acts which are initiated abroad but completed within the territory of the state, or if a
constitutive element of the conduct occurred within the territory, can give a sufficient base to
claim jurisdiction.160 Although the Internet complicates the application of the territoriality principle
(since it is a truly borderless world which refuses to accord to the (traditional) geopolitical
boundaries 161 and therefore makes it hardly possible to determine the exact location where an
online action has occurred), it (still) plays a major role in data protection law according to Kuner.
He finds his belief amplified by article 4 under 1c of the DPD, which should be seen as an
expression of the objective territoriality principle since it declares the European rules of data
protection applicable on the basis of a performance of an act (the use of equipment) occurring
within the EU.
Territoriality however, although it might be the most common jurisdictional base, is not the only
possible foundation of jurisdiction. But before looking into the other bases on which jurisdiction
can be claimed, we will first shortly discuss the term jurisdiction.
156
A.M. Sachdeva, ‘International Jurisdiction In Cyberspace: A Comparative Perspective’, C.T.L.R., 2007, p.
246.
157
Ibid.
158
For example: the resolution of the General Assembly of the United Nations 2625 (XXV) of October 24th
1970, concerning the prohibition of a state to use its territory to organize activities which aim to disturb the
order or bring down the government of another state; or: the exclusion of jurisdiction over representatives of
another state; or: the transfer of certain parts of jurisdiction to a higher unity, like the transfer of legislative
powers to the European Union by its member states.
159
P.H. Kooijmans, Internationaal publiekrecht in vogelvlucht, Kluwer: Deventer 2002, p. 40.
160
See note 58, p. 188.
161
See note 156, p. 245.
38
At the top of the previous page I gave a short description about (territorial) jurisdiction as given by
professor Kooijmans. He describes jurisdiction as the right of a state to prescribe, give effect to,
and adjudicate upon violations of, normative standards for regulation of human conduct. It
simultaneously defines the legitimate scope of governmental powers.
162
From this definition, one can derive that the term jurisdiction is threefold. Although there is some
overlap between the three elements, (international) jurisdiction is often divided into legislative,
adjudicative and enforcement jurisdiction.
Legislative jurisdiction covers the right of a state to make legislation and to declare those laws
applicable to certain cases. These cases can even involve a foreign element. Therefore Kuner, in
my opinion correctly, remarks that legislative jurisdiction is rather concurrent instead of
exclusive. 163 Sachdeva points out that the legislative jurisdiction of a state is however not
unlimited, for no legislature may be deemed to have intended to prescribe a conduct for the
enforcement of which it has no means or basis and whose recognition beyond its own (political)
boundaries is itself doubtful. 164 On the other hand, one could say that the appliance of legislation,
although enforcement beyond the borders is not possible, can have symbolic value. 165
In addition to legislative jurisdiction, there is the so called adjudicative jurisdiction, concerning the
power of a sovereign, acting through its judicial organ, to hear disputes and to render judgments
binding upon the parties thereto. 166 In other words: adjudicative jurisdiction determines whether a
court of a state has competence to take notice of a dispute or prosecution. In case of data
protection this could be a European DPA deciding a complaint brought by an individual located in
the EU concerning the unlawful processing of its personal data by an entity located within or even
outside the EU. 167
Last but not least, there is enforcement jurisdiction. This category ‘concerns not the law
prescribed by a state to regulate acts (even outside its own territory), but the lawfulness of the
162
See note 156, p. 246-247.
163
See note 58, p. 184.
164
See note 156, p. 247.
165
In this regard I point out that in cases concerning non-EU nationals residing outside the territory of the
EU Member States, article 4 under 1c DPD offers a more symbolic protection, as enforcement jurisdiction is
not at hand.
166
See note 156, p. 247.
167
The example is drawn from Kuner (see note 58, p. 184).
39
state’s own act to give effect to such regulation’. 168 In other words: enforcement jurisdiction
embodies the power to give action to the regulation prescribed. Enforcement jurisdiction is in
regard to the subject of this thesis and the question stated at the beginning of this chapter, the
most important of the three forms, as the United States claims jurisdiction to enforce its laws (i.e.
demand disclosure of data). Therefore, one should bear in mind that when speaking in the
following of jurisdiction, at least enforcement jurisdiction is meant.
It seems obvious that a state has complete jurisdiction (meaning all three forms of jurisdiction)
within its own territory. However, when a state claims jurisdiction outside its territory on another
base, ‘complete jurisdiction’ is not a given, for specifically enforcement jurisdiction outside the
territory (especially in case the territory of another state is involved) is rare and at least ‘tricky’, as
it directly interferes with the sovereignty of and thus the respect for another state.
The famous Yahoo!-case illustrates this issue of the tension between extraterritorial jurisdiction
and (un)enforceability very clearly. 169 In this case the French supreme court ordered Yahoo!, a
US Internet portal, to take such measures that French users could no longer buy Nazi
memorabilia via online auctions on the company’s US-website as the visualization in France of
the objects in question is forbidden under French law. This court order, was however declared
unenforceable by the US District Court of California because (to put it short and simple) the
French court could according to the US court not regulate the activities of a US corporation within
the US on the basis that such activities can be accessed by Internet users in France. Therefore
Maier rightfully remarks that the Yahoo-case is ‘a good example of the legal intricacies involved in
a state in determining its jurisdiction over an act originating in another state.’ 170
Then back to the foundations of jurisdiction. What other bases than territoriality can be used to
claim (a form of) jurisdiction?
A second principle (as the territoriality principle is the first) under which jurisdiction can be
claimed is personality (or nationality). It comes in two different forms: the active personality
principle and the passive personality principle. The former means that jurisdiction is asserted by
the state of nationality of the perpetrator, the latter of the victim. Hence, the personality principle
(no matter which form) takes citizenship as a starting point to attribute jurisdiction.
168
See note 156, p. 247.
169
UEJF et LICRA v. Yahoo! Inc. et Yahoo France, Tribunal de Grande Instance de Paris, NO RG:
00/05308, November 20, 2000. This case is reviewed by Bernhard Maier in its article ‘How Has the Law
Attempted to Tackle the Borderless Nature of the Internet?’, International Journal of Law and Information
Technology vol. 18, no. 2, Oxford: Oxford University Press 2010, p. 145.
170
Idem, p. 146.
40
It is mainly used in criminal law, and mostly only in regard to the most violent of crimes, but can
be of relevance in other legal areas as well like taxation, voting entitlements and diplomatic
protection 171 (of course the terms ‘perpetrator’ and ‘victim’ then ask for a different interpretation).
In the Netherlands for example, the active personality principle is valid in regard to some crimes
which concern the security of the state and the royal dignity. Moreover, the Dutch criminal courts
have competence to rule about crimes (not offences) which are committed outside the state
boundaries if those acts are also punishable according to the laws of the state in which the crimes
are committed. Hence, when a crime is committed outside the Dutch territory by a Dutch citizen,
there will nearly always be concurrent jurisdiction. However, the state of nationality can only
effectuate its jurisdiction when the citizen returns to its ‘home country’. 172
The passive personality principle is on the other hand not undisputed, even rather controversial.
Many states deny this basis for asserting jurisdiction, and the Dutch legislator for instance has
shown much abstention in regard to the applicability of this principle.173 In general it can be
concluded that the application of the passive personality principle as such is still internationally
disputed, but it has been accepted in case of prosecution of crimes which are recognized as such
by international law.
174
Kuner gives an example of the personality principle in data protection law: the Greek legislator
extended the jurisdiction of the Greek DPA over data controllers outside of Greece who
processed data on Greek residents, by requiring them to appoint a representative in Greece who
would be legally liable for such data processing. However, this Greek provision was changed in
2006 after objections made by the European Commission. 175
Furthermore, Kuner points at the Asia Pacific Economic Cooperation Privacy Framework 176 which
protects personal data transferred outside the APEC Member State where they were collected by
using the principle of ‘accountability’, meaning that the original collector of the personal data
remains accountable for compliance with the original privacy framework that applied when and
171
See note 58, p. 188
172
See note 159, p. 58-59.
173
A form of application can be found in for example article 4 and 10 under O of the Dutch Criminal Code
and article 3 under 2 and 4 of the Act on War Crimes.
174
See note 159, p. 59-60.
175
See note 58, p. 188-189.
176
See for more information about the APEC Privacy Framework: http://www.apec.org/About-Us/AboutAPEC/Fact-Sheets/APEC-Privacy-Framework.aspx. (Last checked: June 2012). Full text of the framework
can be found on: http://www.apec.org/About-Us/About-APEC/Fact-Sheets/APEC-Privacy-Framework.aspx.
(Last checked: June 2012).
41
where the data was collected, regardless of the other organizations or countries to which the
personal data is transferred subsequently. That way, the applicable data protection provisions at
the moment and place of collection, are ‘attached’ to the collected data and continue to be
applicable as the data are transferred abroad. In other words: the nationality of the person of
which personal data is collected or at least the nationality of the personal data itself (being the
nationality of the state in which the data are collected), I note that these two will not necessarily
be the same (but most of time they will be), will determine the applicable law.
177
Even more controversial than the passive personality principle is the effects doctrine, under which
jurisdiction is based on the fact that conduct outside a state has effects within the state. Kuner
describes the basic problem of this doctrine by quoting Michaels: ‘in a globalized economy,
everything has an effect on everything’. 178
179
Kuner continues by stating that although article 4 under 1c of the DPD seems to apply the
objective territoriality principle, it focuses not on the use of equipment per se, but on preventing
data controllers from evading EU rules by relocating outside the EU. He concludes that, as article
4 under 1c also has a focus on the effect produced in the EU by data processing outside the EU,
and the protection of EU citizens, this provision can also be viewed as an application of the
effects doctrine. 180
In my opinion however, article 4 under 1c has to be understood as an attempt to achieve a similar
effect as the principle of accountability as put down in the APEC Privacy Framework (as
mentioned before) including a way to determine the location of collection of the personal data
when occurring via the Internet by bringing in the ‘use of equipment’ phrase. To me, article 4
under 1c should therefore be seen, besides the application of the objective territoriality principle,
as the application of the (passive) personality principle instead. Due to the ‘use of equipment’
condition, data of (European) citizens that are gathered within the European Union (with the help
of equipment on EU soil, for example a computer physically located in Italy with Internet
connection making use of cookies) are automatically marked as EU data and consequently
subject to EU legislation (the Data Protection Directive). So the origin of the data, being the place
where they were collected (in this case the European Union), defines what laws do apply. In
addition I remark once more that the application of article 4 under 1c DPD on non-EU nationals
has a more symbolic function, as enforcement will be challenging.
177
See note 58, p. 189.
178
R. Michaels, ‘Territorial jurisdiction after territoriality’, in: P. Slot and M. Bulterman (eds.), Globalisation
and Jurisdiction, Kluwer Law International 2004.
179
See note 58, p. 190.
180
Idem.
42
The last relevant base of jurisdiction is found in the protective principle. This is again a
jurisdictional base which is mainly used in criminal law and in case of real endangerment of the
security of the state. The Dutch Criminal Code for example, has a provision which allows the
Dutch court to take notice of committed crimes by foreigners (others than Dutch citizens) outside
Dutch territory which endanger the security of the state or in case of the use of counterfeit Dutch
money. 181
182
Kuner adds that such jurisdiction would normally not include data protection violations. In addition
he states that under the protective principle the focus is on protection of the state instead of the
protection of the individuals. Data protection laws are meant to offer protection to the latter.
However, EU member states seem to interpret the protective principle extensively, so that it does
resemble an application of the objective territoriality or the effects doctrine. The Article 29 WP has
even explicitly indicated that the protection of individuals inside the EU is one of the core
purposes of article 4 under 1c. 183 It seems thus justified to conclude that the function of this
provision is largely to protect individuals in the EU, even if that does not fulfill the traditional
criteria of protective jurisdiction.184
3.1.2. The American view on jurisdiction and its bases
The above shows that states can claim jurisdiction over certain acts, objects or persons on
different bases which are not all undisputed. When speaking of the applicability of the USA
PATRIOT Act, these rules of jurisdiction determine if and in what way the American government
is to give effect to the provisions laid down in this piece of legislation.
In regard to the problematic relation between the European legislation concerning privacy and
data protection and the aforementioned USA PATRIOT Act, as described in the previous chapter,
the question arises whether it is possible to create a cloud service which is only subject to the
‘European jurisdiction’, meaning the explicit exclusion of the American jurisdiction and so the
applicability of the USA PATRIOT Act.
The answer to this question should be (in proper American): ‘yes we can’. As we have seen,
jurisdiction can effectively be claimed on several bases. When limiting the possibilities of other
181
Article 4 Dutch Criminal Code.
182
See note 159, p. 60.
183
Article 29 Working Party, ‘Working document on determining the international application of EU data
protection law to personal data processing on the Internet by non-EU based websites’(WP 56, 30 May
2002).
184
See note 57, p. 191.
43
sovereign states (non EU Member States) to successfully put a jurisdictional claim on any
subject (in the light of this thesis a cloud computing service including the data stored in the cloud),
these jurisdictional bases need to be absent.
In the concrete this means that a ‘European cloud’ 185, which leaves no room for other states (non
EU Member States) to claim jurisdiction, should be constructed. This European cloud should
meet certain conditions to guarantee the exclusion of other jurisdictions than the European
jurisdiction. These conditions can be derived from the jurisdictional bases described earlier in this
chapter in combination with the perception of these bases in foreign countries. As this thesis
focuses on excluding the US from having jurisdiction over a cloud service, I will only deal with the
way the US sees its jurisdictional reach.
3.1.2.1. Territoriality
A first necessity strikes as rather evident: the cloud computer service should be entirely located
within the European Union, so on the territory of its Member States. The territoriality principle is a
strong and probably the most obvious ground to base jurisdiction on. Therefore, when the cloud
service with all its components, is exclusively located within the European Union, the territoriality
principle cannot form a basis on which non EU Member States, like the US, may rely.
The location of the cloud service does not only mean the location of the office of the service
provider. The stored content could not leave the territory of the EU member states at all. So the
used servers on which the information is stored (the actual ‘cloud’) should be located within the
territory of the European Union too.
3.1.2.2. Personality
Next, this cloud service should be provided by purely European cloud service providers which
only collaborate with purely European subcontractors. ‘Purely European’ means that a company
(in this case a cloud service provider) has no (in)direct legal ties with foreign (non-EU)
companies. Let me make this clear with an example.
Google Inc. is an originally American company and main corporation of the Google entity with its
headquarters (so called Googleplex) in Mountain View, California in the United States of America.
Beside the headquarters, Google has over 70 offices in 40 different countries. In each country
where Google has an office, it has its own Google business company. So in the Netherlands
185
The term ‘European cloud’ is used to refer to a cloud service which is only subject to the ‘European
jurisdiction’.
44
there is Google Nederland B.V. and in the UK there is Google UK Ltd. All these Google
corporations in different countries do however not stand alone, but are legally ‘tied’ to the main
corporation Google Inc. In fact, Google Inc. is the owner of all ‘subsidiary’ Google companies. 186
Although Google Nederland B.V. is a Dutch company, founded according to Dutch law and
located in Amsterdam, it is not ‘purely’ European as it is an incorporation of Google Inc. It is
rather just a part of a bigger entity which is undoubtedly a US company. Even if Google Inc.
would originally be a European company, which now has its headquarters or even just a
subsidiary or office in the US, Google cannot be seen as purely European. For that matter, it is
necessary that the company is founded and located within the European Union alone.
Why is it that important that the cloud service providers and all its subcontractors are purely
European? This has everything to do with the American conception of the personality principle as
a jurisdictional basis, which I will now explain.
According to American law personal (adjudicatory) jurisdiction can be based on citizenship
(active/passive personality principle as explained under 3.1.1.), consent or waiver. In case of a
non-resident, citizenship will not apply. The non-resident can however consent to the authority’s
jurisdiction (which is often the case in business contracts, when parties agree on the jurisdiction
of a certain court). Furthermore, when a non-resident does not (actively) object to the
jurisdictional claim (of a court), it is assumed to waive that right, as a result of which jurisdiction
over him or her is inevitable. Jurisdiction based on consent and waiver however, is mostly limited
to cases concerning adjudicatory jurisdiction, so the jurisdiction of a court to hear and rule a
case.187 In case of enforcement jurisdiction it is my view (although already unlikely that a nonresident would consent or not object) that consent and waiver seem to provide an insufficient
base for a jurisdictional claim.
With citizenship as the first base of jurisdiction, it is obvious that US nationals (including business
companies) are subject to US jurisdiction. Even this rather clear criterion however, can cause
problematic situations. Maxwell and Wolf point out in their White Paper that significant discussion
is going on today about the power of a government to demand a party in its jurisdiction to disclose
information or data stored in a cloud, which is physically located in another jurisdiction. In
addition they remark that, like many other countries, the US has taken the position that it can
base a request for disclosure of data from any cloud server located anywhere in the world on its
186
This information can be derived from the Google web site:
http://www.google.com/about/company/facts/locations/. Last checked: August 2012.
187
Http://www.lexisnexis.com/lawschool/study/outlines/html/civpro/civpro02.htm. Last checked: November
2012.
45
own legislation, as long as the cloud service provider is subject to US jurisdiction. 188 This is an
application of the (active) personality principle, as a cloud service provider is subject to US
jurisdiction when the entity is based (and/or founded according to US law) in the US (as it is then
a US company) or has a subsidiary or office in the US. The US Supreme Court made already
clear in Pennoyer v. Neff 189 that an out-of-state-resident could be brought under a state’s
jurisdiction when it can be found and served within that state. 190 Furthermore in United States v.
Bank of Nova Scotia, the court decided against the Bank of Nova Scotia, who refused to respond
to a request from the US authorities for banking information because the information was kept in
the Bahamas or Cayman Islands and granting access to this information would break Bahamian
or Cayman banking secrecy laws. The court held that ‘the foreign origin of the subpoenaed
documents should not be a decisive factor. The nationality of the Bank is Canadian, but its
presence is pervasive in the United States 191 (…) It cannot expect to avail itself of the benefits of
doing business here without accepting the concomitant obligations.’
192
Sachdeva discusses the ‘active personality principle’ as a US base of jurisdiction too. She
remarks that the law of personal jurisdiction has followed the changes of a more global and
mobile society, relying on a sufficient nexus between the res (the legal subject, for example the
cloud service provider) and the forum (the court representing the law). This led to an approach
which constitutes jurisdiction based on the ‘minimum contacts’ of the out-of-state party. This rule
of ‘minimum contact’ was first introduced by the US Supreme Court in International Shoe v.
Washington 193 . The criterion determines that to subject a party to personal jurisdiction ‘if he be
not present within the territory of the forum, he have certain minimum contacts with it such that
the maintenance of the suit does not offend traditional notions of fair play and substantial justice.’
So when determining whether personal jurisdiction can be exercised over a party, both the
amount and nature of the party’s contacts with the state should be considered. 194
Besides, the legal subjects making use of the cloud services (so not the providers but the
customers, whether these are natural persons, business companies or (semi)governments)
cannot be of any other nationality than one of the nationalities of the Member States of the EU.
188
W. Maxwell and C. Wolf, A Hogan Lovells White Paper; A Global Reality: Governmental Access to Data
in the Cloud, published 23 May 2012.
189
Pennoyer v. Neff, 95 U.S. 714 (1877).
190
See note 178.
191
The Bank of Nova Scotia had a US branch with numerous offices throughout the entire country.
192
United States v. Bank of Nova Scotia, 740 F.2d 817 (11th Cir. 1984).
193
International Shoe v. Washington, 326 U.S. 310 (1945).
194
See note 156, p. 248-249.
46
Otherwise, according to the (passive) personality principle, although internationally very
controversial, the US could still claim jurisdiction over data stored in a cloud regarding the
processing of data of American subjects. 195 Furthermore, the fact that American citizens would
make use of the cloud computing services, directly affects the (active) personality principle, more
specific the minimum contact doctrine.
3.1.2.3. Other bases
Finally, the effects doctrine and the protective principle as bases for jurisdiction can hardly be
excluded just by designing a European cloud, nor could any other typical cloud service or any
offline storage system. Besides, both are rather controversial and not really suitable in cases of
data protection, so that a government planning to give effect to its powers based on for example
the effects doctrine, will first have to build a very strong case (of evidence) to defend its motives
and actions. But if suspicions are raised and on the base of known evidence it is likely that, for
example, a terrorist action is planned of which essential information is stored in a European
cloud, the US government could gather this information via other ways which are far less
controversial.
3.1.2.4. Excluding the US
So in the end, based on aforementioned, the following criteria should be met to successfully
exclude a US jurisdictional claim:
-
the cloud computing service is physically entirely located within the territory of the EU
Member States
-
the cloud service provider solely has the nationality of one of the Member States of the
EU
-
the cloud service provider contracts only with subcontractors who solely have the
nationality of one of the Member States of the EU and who only and exclusively operate
within the territory of the Member States of the EU
-
the cloud service provider operates only and exclusively within the territory of the Member
States of the EU
-
the cloud service provider only processes data of legal persons who solely have the
nationality of one of the Member States of the EU
195
I remark that this situation shows some similarities with the former Greek provision brought forward by
Kuner, which I discussed earlier.
47
3.2.Mutual legal assistance treaties
Even if just European Union member states can successfully claim jurisdiction, in other words all
jurisdictional bases for non-EU member states are absent and thus the American government
cannot successfully demand disclosure of data stored in a European cloud on the basis of its own
legislation like the USA PATRIOT Act, there still is a (legal) possibility for the United States’
government (as well as for other countries) to get disclosure of certain data when necessary (i.e.
in case of criminal matters).
In combating crime states are more often confronted with the need for help of other states as new
technologies make cross border or transnational crimes flourish. Bilateral agreements between
countries make it possible to request this help and to form a weapon against criminals. These
agreements are called Mutual Legal Assistance Treaties, in short MLATs. The Senate Executive
Report 110-13 which accompanies several bilateral treaties between the USA and the Member
States of the EU (among which also the Netherlands 196) and the mutual legal assistance treaty
between the USA and the EU (as a whole) 197 gives an excellent definition:
‘MLATs are international agreements that establish a formal, streamlined process by which States may
gather information and evidence in other countries for use in criminal investigations and prosecutions. While
the specific provisions of MLATs vary, they generally obligate treaty partners to take steps on behalf of a
requesting treaty partner when certain conditions are met. MLATs typically contain provisions concerning
the sharing of collected information between parties, locating and identifying persons and potential
witnesses within the parties' territories, the taking of depositions and witness testimony, and the serving of
subpoenas duces tecum on behalf of a requesting treaty party.’ 198
This definition makes the purpose of MLATs very clear: making collaboration between states in
regard to their (common) fight against crime easier. It means that states who enter into such an
agreement, are mutually obliged to take efforts and disclose information (what kind of efforts
should be taken and / or what kind of information should be shared is subject to the exact
provisions in the MLAT) at request of one of these states.
196
Treaty between the Kingdom of the Netherlands and the United States of America concerning the mutual
legal assistance in criminal matters (Verdrag tussen het Koninkrijk der Nederlanden en de Verenigde Staten
van Amerika aangaande wederzijdse rechtshulp in strafzaken), the Hague , June 12 1981, to be found on:
http://wetten.overheid.nl/BWBV0001033/geldigheidsdatum_03-09-2012 (in Dutch). Last checked: July 2012.
197
Agreement on mutual legal assistance between the European Union and the United States of America,
to be found on: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:181:0034:0042:EN:PDF.
Last checked July 2012.
198
Senate Executive Report 110-13, which can be found on: http://www.gpo.gov/fdsys/pkg/CRPT110erpt13/html/CRPT-110erpt13.htm. Last checked: August 2012.
48
Maxwell and Wolf use the existence of MLATs as an argument that subscribes their view,
namely that it does not matter in which jurisdiction data (which is stored in a cloud) is located.
They conclude that, due to MLATs, foreign governments (and not only the United States of
America) can get the information located in another state anyway.
Although it is true that MLATs offer the opportunity to request the sharing of data located in
another state (that is even their sole purpose) and the grounds on which such a request can be
refused are very limited, they do provide a higher level of protection against unlawful or unjustified
disclosure of information, and even more relevant they create more transparency and openness. I
will now explain what I mean by this.
The big difference between a request for information based on a MLAT and an action based on a
jurisdictional claim is that in the first case the requesting state will have to provide the requested
state with rather specific information about the nature of the procedure for which the information
is needed, the reasons why the information is needed and what kind of information it is looking
for. These are formal standards which have to be met for the request being granted. 199 That way,
the requested state gets to know exactly what information need to be shared and also gets to
know the purpose of the information sharing.
Besides, it is the requested state (not the requesting state) that demands disclosure of the
information from for example the cloud service provider, which then passes on the selected
information to the requesting state. So, a request for information does not at all mean that the
requesting state can just ‘look around’ by itself. It will have to specify the information needed to
receive just that information from the authorities of the requested state. 200
Moreover, a request based on a MLAT can be refused, although on very limited grounds. Article
10 of the MLAT between the Netherlands and the USA gives an enumeration of these limitations.
Two grounds for denial are relevant in the light of this thesis:
-
the execution of the request may lead to endangerment of the state security or other
genuine interests of the requested state
-
the request does not meet the formal standards put down in the treaty (art. 13)
So, states never have to grant requests which are unnecessary and too vague, and they do not
have to provide the other state with state secrets or documents which contain highly confident
information which could bring the state or its interests into danger. It is at least doubtful whether a
199
See for an example of such requirements art. 13 of the MLAT between the Netherlands and the USA (as
referred to in note 195).
200
The IndyMedia case however shows another practice as will be discussed later on.
49
state would take these interests of another state into account when acting itself on a jurisdictional
claim.
The famous ‘IndyMedia’ (IMC) case shows however that the use of MLATs is less sophisticated
than the provisions of the treaties suggest. On October 7, 2004 over 20 websites administered by
the Independent Media Center were taken off-line as a result of the seizing of two servers. Those
servers, physically located in London (UK), were hosted by Rackspace Managed Hosting, an
Internet hosting company based in San Antonio (USA). After receiving a subpoena from a
requesting US agency, Rackspace cooperated by acting in compliance with the court order. 201
Afterwards it became clear (via court proceedings of IMC) that Italy had requested the US
through a MLAT for assistance in obtaining records of log files in relation to the creation and
updating of the web spaces of specific URLs during the period in which a number of attacks on
European officials using explosives in delivery packages had occurred. The US officials did not
just seize the records requested, but the two complete servers with their content and provided
them to Italy. 202
Besides, this case makes (again) clear that at least the US does not use MLATs when it can act
upon its own (although controversial and internationally doubtful) jurisdictional claim. The US did
not request the United Kingdom via a MLAT to provide the information sought for (forwarding the
request of Italy), but seized the data itself on the basis of its jurisdiction (Rackspace Managed
Hosting was a US company with offices in the UK). 203
As sovereign states are free to determine the conditions of a MLAT between them, it is possible
that the scope of such an agreement (now or in the future) is broader and/or the provisions
stricter than the rather specific and relatively narrow MLATs between the USA and the
Netherlands or the USA and the European Union: covering more subjects or leaving less room to
the requested state to review the necessity and/or range of the request itself.204
201
G. Hosein, ‘International co-operation gone awry – what happened to Indymedia?’, published on:
https://www.privacyinternational.org/blog/international-co-operation-gone-awry-what-happened-toindymedia. Last checked: November 2012. This article is an excerpt from a chapter of the book:
Cybrercrime and jurisdiction: a global survey, edited by B. Koops and S. Brenner, published in 2006 by
T.M.C. Asser Press.
202
Ibid.
203
Ibid.
204
Beside possible bilateral agreements which cover more/other subjects than the treaties referred to,
several multilateral treaties exist which provide for some kind of mutual judicial aid different from the
assistance provided for in the mentioned treaties. To name just a few (without going into detail): the Vienna
Convention on Consular Relations; the Hague Convention on the Service Abroad of Judicial and ExtraJudicial Documents in Civil and Commercial Matters; the Hague Convention on the Taking of Evidence
Abroad in Civil and Commercial Matters; the Hague Convention Abolishing the Requirement for
Legalization of Foreign Public Documents. These treaties are however of less significance regarding the
topic of this thesis than treaties concerning legal assistance in criminal matters.
50
It seems obvious that such differences in what is provided for in MLATs, directly affect the extent
of the discretion left to the requested state to review the request and to decide whether not to
cooperate. I could for example imagine that countries who have to rely on each other very often
(for instance because they are neighbors), both can profit from closer cooperation which might be
established by enlarging the scope of the MLAT, reducing the formalities and/or limiting the
grounds of refusal. 205
In regard to the question stated at the beginning of this chapter, this means that the level of
cooperation between countries based on a MLAT (which is affected by the scope of the
agreement, the required formalities and the grounds of refusal) determines the degree of
accessibility of the data stored in a cloud by third countries. This level may vary per treaty and per
country.
This variation in the scope of MLATs, is of special interest in case of cloud computing because of
the fact that data in a cloud can be stored on servers throughout the entire world, and in case of a
European cloud throughout the entire European Union. When making use of such a European
cloud, I could well be that data that belongs to a Dutch governmental institution, is in fact stored
on a server in Germany. What if US authorities address German authorities with the request to
disclose information which turns out to be confidential data of the Dutch government?
I could imagine that the German authorities treat such a request less prudent than the Dutch
authorities would have. Besides, the Dutch government is of course not involved in the drafting of
MLATs between Germany and any other state. Therefore it might be that the MLAT between
Germany and the US has a broader scope than the MLAT between the Netherlands and the US,
as a result of which the German authorities will grant the US access to the data. In both
scenario’s, the request will not even pass Dutch authorities. In other words: the Dutch authorities
would be completely sidelined and the MLAT between the Netherlands and the US easily
circumvented.
It is however questionable whether this theoretical fear, will translate into an actual threat. When
the US government would want to peek into data of the Dutch government which is stored in a
cloud, they would first have to find out on which server the data are stored. In cloud computing,
most of the times the controller nor the processor do know the exact location of the data, let alone
a third party like the US government. Besides, I think we may assume that (in contrast to the
suggestion of aforementioned example with Germany) no Member State of the European will
blindly and without objection disclose (confidential) information to US authorities.
205
The Benelux (Belgium, the Netherlands and Luxemburg) and the European Union itself can be seen as
examples of such cooperation.
51
Anyway, to completely eliminate the possibility of ‘MLAT-shopping’, as a result of which Member
States would (have to) disclose (confidential) governmental information (of other Member States)
to third country authorities, fully harmonizing the (provisions of) MLATs of the EU Member States
(or replacing all bilateral MLATs between Member States and third countries by MLATs to which
the European Union (representing all Member States) is party) would be a necessary step. 206
These new treaties should stress the need for mutual legal assistance by providing tools to
cooperate while at the same time ensuring a sufficient level of protection regarding the disclosure
of (confidential) personal and government data. Furthermore, in this scenario I deem necessary
that eventually an EU authority should play a central/supervisory role in the handling of all MLATrequests addressed to (one of) the Member States. This authority should audit the execution of
the requests to assure that the protection offered by the treaties is not just an empty formality. I
doubt whether the Member States are willing to go this far on short term.
In the end the conclusion may be drawn that MLATs indeed are an important constraint on the
possibility to create an exclusive ‘EU-jurisdiction’. However, they do not offer a license to freely
look into all kinds of information located in another jurisdiction, and therefore, by providing some
guarantees, make it possible to ensure a higher level of protection. On the other hand, the
Indymedia case shows that their practical use is less prudent than one may have believed. On
the other hand, when it is governmental information that is requested by another state, it may be
assumed that the requested state will be more mindful. 207
Finally, in regard to cloud computing in specific, an important notion should be made: MLATs do
not provide an easier way to get to data stored in a cloud than data stored differently (whether
online or offline). At this moment in time, requests based on MLATs already occur and these
requests for information (whether it is stored online or offline) need to be treated equally. The
actual physical location of the data can however (as mentioned above) lead to the situation that
requests are not addressed to the Member State that owns the data, but to the Member State that
just has jurisdiction over them.
3.3 Conclusion
To prevent foreign governments from making use of their own legislation to grant themselves
access to data certain governmental data stored in a cloud, it could be necessary to limit the
jurisdiction to which a cloud service is subject to a single legal regime. This chapter proves that it
is possible to limit that jurisdiction to the ‘European jurisdiction’, excluding all other jurisdictions
206
The earlier mentioned MLAT between the EU and the US is a beginning of such (minimum)
harmonization, as it provides for the application of certain rules in addition to the existing MLATs between
the individual Member States and the US.
207
But I once more notice that it is, within the concept of a European cloud, not always the case that the
requested state is also the ‘owner’ of the data sought for.
52
especially the jurisdiction of the United States of America. Such an exclusive jurisdiction can only
be realized when certain conditions are met: the absence of any base on which other countries
could claim to have jurisdiction over ‘the cloud’. Firstly, the cloud should be entirely located within
the territory of the European Union. Secondly, the cloud service providers should be purely
European. Finally, the users of the cloud service should be solely of the nationality of one of the
member states of the European Union as well. When these requirements are fulfilled, the US has
no (respected) legal ground to claim jurisdiction. Nevertheless, even without jurisdiction, states
can demand disclosure of information if needed in case of a criminal investigation. So called
MLATs prescribe when and what kind of information should be provided by the requested state.
However, although states do not always proceed accordingly, the procedures in case of a request
based on a MLAT provide enough safeguards against unnecessary and unlawful disclosure of
information. Besides, MLATs do not affect data stored in a cloud differently than data that is
stored otherwise.
53
4. The European Cloud and procurement issues
At the beginning of the previous chapter I asked the core question of this thesis. Subsequently I
answered the first part of this question by discussing the rules of international jurisdiction: is
possible to create a cloud computing service that excludes all but the European jurisdiction? Yes,
it is possible to design a cloud computing service which is subject to the ‘European jurisdiction’
only. To reach that goal certain conditions should be met, namely that the ‘cloud’ and thus the
data are at all times physically located on EU territory, the cloud service providers (and the
subcontractors) are originally and ‘purely’ European and the users of the cloud computing service
are ‘purely’ European too.
Hence, it is clear what kind of cloud services European governments could make use of. But is it
legally possible for governments to link such a set of conditions to their demand for cloud
computing services? In this chapter I will provide an answer to that question as I will discuss the
rules of public procurement to which governments are bound when entering into a contract with a
(cloud) service provider.
But before doing so, I like to address one more remark. As mentioned in the third paragraph of
the Introduction, this thesis aims at looking at the legal possibilities for governments to use a
cloud computing service within the existing IT-infrastructure. Therefore the idea of governments
setting up their own clouds (which results in the creation of a private cloud), although such a
cloud could ensure the protection sought for (without having as much trouble of putting all kinds
of requirements on cloud service providers), is excluded. For the aim of this thesis, a private
cloud would hamper the essentials of cloud computing in optima forma too much.
4.1. European public procurement rules
When a government wants to enter into a contract to purchase certain goods or services (like
buildings, computers, coffee, anything actually) it is bound by certain rules to prevent corruption
and unfair competition. Besides, these rules try to raise competition so that the public money is
spent well (best value for money) 208. To reach that goal, the rules prescribe how the purchasing
governmental body should find a contracting party. This process of finding a contracting party is
called (public) procurement.
208
See for example: ‘Public procurement: Commission calls on Slovakia to respect EU rules for electronic
toll collection contracts’, Press Releases, Brussels 30 September 2010, IP/10/1244. To be found on:
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/1244&format=HTML&aged=0&language=e
n&guiLanguage=en. Last checked September 2012.
54
4.1.1. Sources of European public procurement
In the European Union, the rules of public procurement are mainly laid down in the procurement
directives (and the national laws which are conversions thereof), but the provision of the EC
Treaty 209 (hereinafter: the Treaty) concerning the internal market (free movement of goods,
persons and services) are of relevance too. 210
Since march 2004, when the old procurement directives were thoroughly revised, there have
been two procurement directives: Directive 2004/17 211 that concerns the coordination of
procurement procedures of entities operating in the water, energy, transport and postal service
sectors (the so called ‘special sectors Directive), and the general Directive 2004/18 212 (hereafter:
General Directive or just Directive) concerning the coordination of procurement procedures for the
award of public works contracts, public supply contracts and public service contracts.
Peter Trepte remarks that the Directives do not seek to impose a new common regulatory regime
on the member states in the field of procurement. The Directives rather limit their scope to those
measures required for the coordination exercise and permit the member states to maintain or
adopt substantive and procedural rules to the extent that these are not in conflict with the
Directives of Treaty provisions.213
In the Netherlands, both Directives are implemented through two ‘general measures of
governance’ or decrees (in Dutch: ‘algemene maatregelen van bestuur’ or amvb’s) based on the
‘Dutch Framework Act EEC-provisions’ 214: the Decree public procurement rules 215 and the
209
The Treaty on establishing the European Community, known as the Treaty of Rome 1957, as amended
by the Single European Act 1986, the Treaty of Maastricht 1992, officially known as the Treaty on European
Union (TEU), the Treaty of Amsterdam 1997, the Treaty of Nice 2001 and the Treaty of Lisbon 2007.
210
E.H Pijnacker Hordijk e.a., Aanbestedingsrecht; Handboek van het Europese en het Nederlandse
Aanbestedingsrecht, Den Haag: Sdu Uitgevers bv 2004, p. 12.
211
Directive 2004/17/EC of the European Parliament and of the Council of 31 March 2004 on the
coordination of procedures of entities operating in the water, energy, transport and postal service sectors.
This Directive can be found on: http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2004L0017:20100101:EN:PDF.
212
Directive 2004/18/EC of the European Parliament and of the Council of 31 March 2004 on the
coordination of procedures for the award of public works contracts, public supply contracts and public
service contracts. This Directive can be found on: http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:134:0114:0240:EN:PDF.
213
P. Trepte, Public Procurement in the EU; a practioner’s guide, Oxford: Oxford University Press 2007, p.
2.
214
Dutch Act of 31 March 1993, Stb. 1992, 212, to execute the EEG-measures in regard to the public
procurement procedures for the award of public works contracts, public supply contracts and public service
contracts. (In Dutch: Wet van 31 maart 1993, Stb. 212, tot uitvoering van EEG-maatregelen inzake het
55
Decree procurement rules for special sectors 216. These decrees are practically direct
implementations of the Directive, and (therefore) momentarily subject to revision. 217 The old
‘Framework Act’ is also being revised. Recently the Dutch Parliament enacted the new
Procurement Act 2012, which will probably enter into force in (early) 2013. 218
Based on the mentioned Decrees, the government has developed certain policies219 and terms of
use 220 which are necessary in determining what and how procurement rules should be applied.
Besides the procurement rules based on the two mentioned Directives, there is Directive
2007/66 221 which sets forth the rules for review and enforcement of public procurement rules.
In regard to the subject of this thesis i.e. the possibility for European governments to use cloud
computing services, I will only focus on the rules of public procurement as laid down in the
general Directive 2004/18.
But first I will pay short attention to a few provisions of the EC Treaty which are applicable to
procurement. Although the Treaty does not contain any explicit provisions concerning public
procurement, it does provide rules which affect public procurement within the European Union.
Article 12 of the Treaty states that ‘any discrimination on grounds of nationality shall be
prohibited’. This non-discrimination provision embodies a standard of national treatment which
requires that regardless of their nationality, people, companies or governmental bodies should be
treated completely equal in a situation that is governed by Community law, according to the Court
of Justice.222 Non-Community nationals cannot rely on it, unless they are resident in any of the
member states, meaning that subsidiaries and branch offices of non-Community companies do
plaatsen van opdrachten voor de levering van producten, de uitvoering van werken en de verrichting van
diensten).
215
Stb. 2005, 408.
216
Stb. 2005, 409.
217
http://www.rijksoverheid.nl/onderwerpen/aanbesteden/regelgeving-aanbestedingen. Last checked:
September 2012.
218
A first attempt to realize a General Procurement Act failed in 2008. See for up to date information:
http://www.rijksoverheid.nl/onderwerpen/aanbesteden/nieuwe-aanbestedingsregels. Last checked:
December 2012.
219
For example: Beleidsregels aanbesteding van werken 2005, Stcrt. 2005, 207.
220
For example: Aanbestedingsreglement Werken 2012, which can be found on:
http://www.rijksoverheid.nl/documenten-en-publicaties/rapporten/2012/07/10/aanbestedingsreglementwerken-2012.html. Last checked September 2012.
221
Directive 2007/66/EC of the European Parliament and of the Council of 11 December 2007, amending
Council Directives 89/665/EEC and 92/13/EEC with regard to improving the effectiveness of review
procedures concerning the award of public contracts.
222
Case 186/87 Ian William Cowan v Trésor Public 1989 ECR 195 at 219.
56
profit the protection given by article 12.223 Besides, the role of article 12 (lex generalis) is limited,
because the more specific rules on public procurement (the Directives, i.e. legis specialis) already
cover this issue.
Furthermore the provisions concerning the free movement of goods (art. 28 and 29 EC-Treaty),
free movement of employees (art. 39 EC-Treaty), the freedom of establishment (art. 43 ECTreaty) and the freedom to provide services (art. 49 EC-treaty) have repeatedly been appealed to
in cases concerning public procurement. 224
4.1.2.The principles of European public procurement
As mentioned before, the government is in many ways a special contracting party. The interests
involved are in many cases of high value and need to be of constant quality. Besides, the
acquisition of certain works, supplies or services should occur objectively, preventing unjustified
state aid, corruption and unfair competition. The main principles of public procurement law have
to secure a fair acquisition by governments or public bodies.
Westerdijk 225 names four core principles of public procurement which are in his view of
‘paramount importance’, these are the principles of:
-
Equal competition
-
Transparency
-
Non-discrimination
-
Proportionality.
These basic principles firstly aim at creating a level playing field for suppliers to have a real
chance of entering into a contract with government bodies (equal competition). Furthermore the
principle of transparency determines that governments, when starting a procedure to get into a
contract, should make their requests for proposal public, and within the procedure, obliges the
contracting authorities to explicitly set forth which conditions they wish to apply during the
proceedings. Besides they are obliged to treat each tenderer in an equal manner (nondiscrimination), and the criteria used to determine the selection of the suppliers and the award of
223
See note 213, p. 6.
224
I refer to a good overview of procurement cases in which these provisions were infringed, given by
Pijnacker Hordijk and others. See note 210, p. 12.
225
R. Westerdijk, ‘Open Standards and open source software v. public procurement’, p. 10. This text is
attached to this thesis under Appendix II.
57
the contract should be proportionate to the scope and context of the contract at hand (principle of
proportionality). 226
Pijnacker Hordijk underlines that the Court of Justice of the EU (former Court of Justice of the EC)
considers the principle of equal treatment of tenderers to be the basic principle of public
procurement law, as follows from the decision in the case C-243/89 227. The Court of Justice then
declared that the principle of equal treatment, although not explicitly mentioned in the (former)
Directive, flows from the main goal of the Directive, namely to create fair competition in the field of
government acquisitions. In addition, the author refers to the case C-87/94 228 of the Court of
Justice as the introduction of the transparency principle.229 Both principles are incorporated in the
‘new’ (current) Directives.230
The principle of non-discrimination is also clearly seen in article 23 of the General Directive which
concerns the technical specifications. These specifications play an important role for the definition
of the scope of the public contract, as they set out and describe in an equal and open manner
which technical solution is sought. Article 23 provides that they shall be clearly documented and
must ‘afford equal access for tenderers and not have the effect of creating unjustified obstacles to
the opening up of public procurement to competition.’
4.1.3. The obligation to follow European public procurement rules
The General Directive (the Directive) itself contains provisions which determine the scope of its
rules. In this regard, article 1 is particularly of relevance as it provides several definitions of key
concepts of the Directive.
The entities identified by the Directive to follow its rules, are by article 1 sub 9 of the Directive
defined as ‘the State, regional or local authorities, bodies governed by public law, associations
formed by one or several of such authorities or one or several of such bodies governed by public
law.’ A ‘body governed by public law’ is further described as ‘any body (a) established for the
specific purpose of meeting needs in the general interest, not having an industrial or commercial
character; (b) having legal personality; and (c) financed, for the most part, by the State, regional
226
Ibid.
227
Case C-243/89 Commission v. Denmark (Storebaelt), Court of Justice of the EC, 22 June 1993.
228
Case C-87/94 Commission v. Belgium (Waalse bussen), Court of Justice of the EC, 25 April 1996.
229
See note 208, p. 30-31.
230
Art. 2 of the General Directive and art. 10 of the Special Sectors Directive.
58
or local authorities, or other bodies governed by public law, or subject to management
supervision by those bodies; or having an administrative, managerial or supervisory board, more
than half of whose members are appointed by the State, regional or local authorities, or by other
bodies governed by public law.’ 231
Moreover, public procurement rules are only to be followed for the award of public contracts.
Article 1 sub 2 under a of the Directive gives a definitions of such contracts, stating that ‘public
contracts are contracts for pecuniary interest concluded in writing between one or more economic
operators and one or more contracting authorities and having as their object the execution of
works, the supply of product or the provision of services within the meaning of this Directive.’ 232
Within the scope of this thesis, I will only deal with public service contracts, which are also
defined in article 1 sub 2 under d of the Directive as ‘public contracts other than public works or
supply contracts having as their object the provision of services referred to in Annex II.’ 233
Important in this regard is that article 20 of the Directive determines that the full set of public
procurement rules applies to the acquisition of services listed in Annex II A only. Computer and
related services are indeed listed in Annex II A, so that the procurement rules as laid down in the
Directive do fully apply. 234
When it is clear that a contracting authority which falls within the scope of the Directive and ditto
public contract235 are concerned, one should determine whether the estimated value (exclusive
of value added tax) equals or surpasses the threshold amount set out for the kind of contract. 236
These threshold amounts are set each two years in a Regulation of the European Commission.
Regulation 1251/2011 237 holds the thresholds for public contracts for the years 2012 and 2013:
-
EUR 130.000,- for central governments conform Annex IV (art. 7a of the Directive)
-
EUR 200.000,- for all other contracting authorities (art. 7b of the Directive).
231
Art. 1 sub 9 of the General Directive.
232
Art. 1 sub 2 under a of the General Directive.
233
Art. 1 sub 2 under d of the General Directive.
234
Art. 20 of the General Directive. Services which are not listed in Annex II A (but in Annex II B instead) are
subject to a less strict regime provided by the Directive ex art. 21 of the General Directive.
235
Certain types of contracts are explicitly excluded by the Directive, see art. 10 and art. 12-18 of the
General Directive.
236
Art. 7 of the General Directive.
237
Commission Regulation (EC) No 1251/2011 of 20 November 2011 amending Directives 2004/17/EC,
2004/18/EC and 2009/81/EC of the European Parliament and of the Council in respect of their application
thresholds for the procedures for the award of contracts, Official Journal L 319/43 of 2 December 2011.
59
Pijnacker Hordijk points out, however, that even though the Directive is not applicable (because
the value of the contract is below the threshold, the contracting authority does not qualify or the
public contract itself is outside the scope of the Directive) the Court of Justice of the EC has
declared that the contracting authority is ‘bound to comply with the fundamental rules of the
Treaty, in general, and the principle of non-discrimination on the ground of nationality, in
particular, that principle implying, in particular, an obligation of transparency in order to enable the
contracting authority to satisfy itself that the principle has been complied with. That obligation of
transparency which is imposed on the contracting authority consists in ensuring for the benefit of
any potential tenderer, a degree of advertising sufficient to enable the services market to be
opened up to competition and the impartiality of procurement procedures to be reviewed.’ 238
The Commission has further described this obligation in a Commission Interpretative
Communication of 2006 239, which sets out guidelines on how to apply these principles. The view
of the Commission is however not undisputed. Pijnacker Hordijk defends a strict(er) interpretation
of the obligation described by the Court of Justice. Unfortunately, it is beyond the scope of this
thesis to go deeper into this matter. 240
4.1.4. The procedures for selection
The award of a public contract which is subject to the rules laid down in the General Directive,
normally follows the ‘open’ or the ‘restricted’ procedure. It is up to the contracting authority to
choose one of these procedures.241
The open procedure comes down to the following. Upon publication of the prescribed notice,
suppliers send in one package providing information with respect to their own identity (which is
relevant for the selection) as well as their offer. 242
The restricted procedure differs from the open procedure in a way that suppliers, upon publication
of the prescribed notice, send in only information with respect to their identity. Subsequently, the
contracting authority makes a selection based on the information provided by the tenderers and
238
Case C-324/98 Telaustria, Court of Justice of the EC, 7 December 2000, paragraphs 60-63.
239
Commission Interpretative Communication on the Community law applicable to contract awards not or
not fully subject to the provisions of the Public Procurement Directives (2006/C 179/02), Official Journal C
179/2 of 1 August 2006.
240
See note 210, p. 34-35 and 99.
241
Art. 28 of the General Directive.
242
Art. 1 sub 11 under a of the General Directive.
60
invites at least five 243 suppliers to submit an offer. Only the invited suppliers may submit an
offer. 244
In very specific situations, which are restrictively prescribed in the Directive, other procedures can
be followed. These are the competitive dialogue (art. 29), the negotiated procedure with prior
publication of contract notice (art. 30), and the negotiated procedure without prior publication of
contract notice (art. 31).
In case of particularly complex contracts (i.e. contracts where the contracting authority is not
objectively able to define the technical means capable of satisfying its needs or objectives, and /
or is not objectively able to specify the legal and / or financial make-up of a project245) the
competitive dialogue can be used. This procedure is similar to the restricted procedure, but after
the selection of a minimum of three 246 candidates there is a dialogue phase prior to the
submission of the tenders.
If the negotiated procedure with or without the publication of contract notice is followed, the
contracting authority can get into negotiation with the tenderer(s) of its choice to determine the
specifications and terms of the contract. Under the General Directive, these procedures can
however only be used in very specific (and strict) situations given in the articles 30 and 31 of the
Directive.
Whatever procedure may be followed, the goal is the same: selection of a tender to award the
public contract to. The first selection to be made, is the determination of the contracting authority
whether a supplier is suitable to enter into a public contract. Therefore it is important that the
candidates supply sufficient information about their identity. With this information in mind, the
selection occurs based on the criteria for qualitative selection which are laid down in artt. 45-52 of
the General Directive. These concern the so called mandatory exclusion criteria (participation in a
criminal organization, corruption, fraud or money laundering)247, optional exclusion criteria (for
example bankruptcy) 248, and criteria establishing the suitability of the candidate or tenderer with
243
Art. 44 sub 3 of the General Directive.
244
Art. 1 sub 11 under b of the General Directive.
245
Art. 1 sub 11 under c of the General Directive.
246
Art. 44 sub 3 of the General Directive.
247
Art. 45 sub 1 of the General Directive.
248
Art. 45 sub 2 of the General Directive.
61
regard to its economic and financial standing 249 as well as its technical and / or professional
ability. 250251
After the qualitative selection, the contracting authority has to decide to which tenderer the
contract will be awarded. The contract award criteria are laid down in article 53 of the General
Directive, which leaves no room for any discussion: the contract is awarded to either
-
the most economically advantageous tender, or
-
the lowest price only.
The most economically advantageous tender must be determined form the view point of the
contracting authority making use of various criteria linked to the subject-matter of the contract,
like quality, price, technical merit, aesthetic and functional characteristics, environmental
characteristics, running costs, cost-effectiveness, after-sales service and technical assistance,
delivery date and delivery period or period of completion. 252
When the contract is awarded to the most economically advantageous tender, the contracting
authority has to specify in the contract notice or in the contract documents the relative weighting
which it gives to the criteria used (transparency). 253 That way, candidates or tenderers know the
relevant (or even decisive) factors in advance.
Westerdijk points out that for ICT related public service contracts (like an arrangement for cloud
computing services) the criterion of the most economically advantageous award is commonly
used. The contracting party thus has some freedom to establish the criteria of its choosing as
long as these are relevant and proportionate to the subject matter. He furthermore remarks that
courts will only marginally test such choice. 254
4.2. European procurement rules and the European cloud
Now that we have seen (in a nut shell) how public procurement works, it is time to concentrate on
the main question of this chapter. Bearing in mind the European procurement rules, is it possible
249
Art. 47 of the General Directive.
250
Art. 48 of the General Directive.
251
See note 225, p. 13.
252
Art. 53 sub 1 under a of the General Directive.
253
Art. 53 sub 2 of the General Directive.
254
See note 225, p. 14.
62
for European governments to seek for a cloud computing service which meets the requirements
as set in the previous chapter, namely that of the European cloud.
The most important requirement in this regard, is the need for the providers of the cloud
computing service, as well as the (sub)contractors which play a key part in making the cloud
service possible, to be ‘originally and purely European’.
This comes down to the exclusion of all providers which are (also) (in)directly subject to another
jurisdiction than just that of the member states of the European Union. The American jurisdiction
in particular. It seems obvious that such a criterion is at odds with the principle of nondiscrimination which is, as we have seen, a key element of public procurement law.
Before considering the (tense) relationship between the criterion of being ‘purely European’ and
the principles found in the procurement Directives, the question must be answered how this
condition should be qualified. It is most likely to describe it as one of the technical specifications
of the requested service, namely that the offered cloud computing service needs to secure that
the data stored are solely subject to the jurisdiction of the European Union (its member states), so
to prevent the possibility of foreign (non-EU) countries, especially the USA, to demand disclosure
of the data on the basis of their own legislation. I remark that of course all kind of other (technical)
specifications about the exact design of the (cloud computing) service need to be added.
When formulated like above in the contract notice, the condition of exclusive jurisdiction seems
transparent to me. It gives a clear and open view on the requirements of the service demanded
by the contracting authority, which are known by all candidates.
It is however at least doubtful whether the mentioned criterion is non-discriminatory and
proportionate (and thus in line with the legislation of the European Community in general and the
General Directive in specific). Article 23 of the General Directive states that a technical
specification may not create ‘unjustified obstacles in the opening up of public procurement to
competition’ and therefore must afford equal access for all tenderers. 255 Furthermore the General
Directive prohibits an unequal treatment and discriminatory approach of candidates in article 2,
which is supported by the general non-discrimination clause of article 12 of the Treaty which
provides the equal treatment of people (including businesses) regardless of their nationality.
The specialty (and at the same time the difficulty) of the mentioned condition is that it does not
initiate direct discrimination on the ground of nationality, but indirectly. Although the requirement
that the exclusion of all but the ‘European jurisdiction’ is guaranteed is in itself non255
Art. 23 sub 2 of the General Directive.
63
discriminatory), it does imply for instance, as set out in the previous chapter, the necessity of a
purely European provider.
Hence some candidates drop out or have actually never (had) a real chance due to reasons
connected to their nationality or working area. That seems however not always problematic, as
Community law does not primarily 256 aim for protecting non-Community members (third country
nationals). 257 Subsidiaries from companies with a non-EU nationality or EU-based companies
with subsidiaries in non-EU countries on the other hand, certainly do fall within the protecting
scope of Community law and thus may rely on EU legislation.
Still I strongly doubt whether such companies, which cannot fulfill the obligation to exclude foreign
(American) jurisdiction in regard to the offered cloud computing service, can successfully appeal
to the non-discrimination clauses of European legislation, in regard to procurement law especially
art. 2 and art. 23 of the General Directive .
First of all, these provisions must be interpreted in the light of Community law as a whole and in
connection with article 12 of the Treaty in particular. Then one has to acknowledge that the aim of
the non-discrimination principle within EU-law is, has been and will be to prevent the creation of
unjustified obstacles which hamper the accomplishment of the common internal market. 258 Hublet
remarks that the principle that is in the first place a condition sine qua non for the creation of the
this market and that holds that neither the nationality of individuals nor the origin of goods,
services or capital should be relevant criteria for its development, should be considered a
keystone of the system of European integration. 259
With this idea behind the non-discrimination principle in mind, it is not astonishing that both in
doctrine 260 and in case law of the Court of Justice of the European Union 261, regardless of the
256
The view that so called third country nationals do not fall within the protecting scope of the nondiscrimination principle (concerning grounds of nationality) of EU law (art. 12 of the Treaty) is under
discussion. For example in the article ‘The scope of Article 12 of the Treaty of the European Communities
vis-à-vis Third Country Nationals: Evolution at Last?’ (see note 52), the author challenges the ‘classical
interpretation’ of the scope of application of article 12 of the Treaty. It is however beyond the scope of this
thesis to have an in-depth analysis on this subject.
257
See note 222.
258
In this regard it is meaningful that the prohibition to discriminate on grounds of nationality was already
present in the text of the Treaty of Rome of 1957 (formerly article 4) in the exact same wording as
nowadays (article 12).
259
C. Hublet, ‘The Scope of Article 12 of the Treaty of the European Communities vis-à-vis Third-Country
Nationals: Evolution at Last?’, European Law Journal vol. 15, no. 6, November 2009 (Blackwell Publishing
2009), p. 758.
64
unconditional text in article 12 of the Treaty, the possibility of justification of direct or indirect
discrimination on the ground of nationality, is confirmed.
When specifically looking at public procurement law (as a subject of Community law) and its
specific goals (i.e. to forestall corruption and fraud and at the same time raising competition to get
best value for money), the same can be concluded. In cases concerning (discriminating) technical
specifications article 23 of the General Directive explicitly states that no such specification will be
required, that the equal access of tenderers is constrained or unjustified obstacles to the opening
up of public procurement to competition are created.
So, the distinction that is indirectly made on the basis of nationality, namely the condition that the
tenderer can guarantee that all but the European jurisdiction are excluded (hence the exclusion of
non-purely European tenderers), would thus not be discriminatory, other than when it cannot be
objectively and reasonably justified. Question is whether or not the specification in casu is
objectively and reasonably justified.
Answering that question, the Court of Justice of the EU always begins with considering that it is
settled case law that comparable situations should not be treated unequally and that different
situations should not be treated equally. It then adds that such treatment may however be
justified only if it is based on objective considerations independent from the nationality of the
persons concerned and is proportionate to the objective being legitimately pursued.262
Aforementioned is the objective justification test. It has two key elements: is there a legitimate aim
to discriminate, in other words ‘a good reason why to discriminate’, and furthermore are the
means chosen proportionate?
Proportionality is defined by the Court of Justice of the EU in various cases (not necessarily
concerning discrimination on the basis of nationality and/or public procurement). 263 It constitutes
two criteria: firstly do the means chosen successfully achieve the aim of the discrimination, and
260
See for example J. Gerards, ‘Discrimination grounds’, in D Schiek, L. Waddington, M. Bell, Cases,
Materials and Text on National Supranational and International Non-Discrimination Law, Hart Publishing,
2007, p. 33 and 64.
261
See for instance: Case C-323/95 of the Court of Justice of the EC Hayes [1996] ECR I-4661; Case C85/96 of the Court of Justice of the EC Maria Martinez [1998] ECR I-2691; Case C-164/07 of the Court of
Justice of the EU Wood [2008] ECR I-4143.
262
See for example Case C-148/02 Garcia Avello [2003] ECR I-11613, paragraph 31.
263
For example: Case C-170/84 of the Court of Justice of the EC 13 May 1986, paragraph 37. Although
this case concerns discrimination on the ground of sex in employment, it provides the view of the court on
the objective justification test which is the same in all cases of discrimination.
65
secondly is the discriminating factor necessary and proportionate to reach the legitimate goal
which is pursued (no other, less radical possibility is at hand).
Applying all this to the procurement issue raised in this thesis, I come to the following conclusion.
The aim of the requirement or technical specification to guarantee the exclusion of all but the
European jurisdiction, is to (absolutely) secure the safety and confidentiality of the data which are
eventually processed by the cloud computing service and its provider (data stored in the cloud),
and in doing so fully complying with the European legislation which reflects the European view on
the need for privacy of individuals. In my view, that is an objective and legitimate purpose. It
answers to a real need of European governments, namely to benefit from the advantages offered
by cloud computing services in a truly safe manner. Besides, the means chosen (i.e. the
requirement to guarantee the exclusion of foreign jurisdiction and thus excluding non-purely
European providers) is suitable to achieve that aim and furthermore the only possible way to
go. 264
Article 23 of the General Directive states, as an equivalent of the proportionality test designed by
the Court of Justice of the EU, that technical specification which lead to difficulties because of
factors of nationality (for example when a Dutch standard is used, this might affect the
possibilities of foreign tenderers due to their ability to perform according to this specific standard)
need to be accompanied by the words ‘or equivalent’. One could therefore say that the
requirement to guarantee the exclusion of foreign jurisdictions does not necessarily have to
include the exclusion of foreign (American) or European tenderers who are themselves subject to
such a foreign jurisdiction. If these candidates can effectively guarantee that the cloud computing
service is provided in such a way that foreign governments cannot execute their jurisdiction, in
other words when the cloud is located entirely on European soil and that at all costs they will not
yield in case of a request concerning disclosure of processed data from foreign governments.
The problem however in my opinion, is that these providers cannot effectively guarantee such
exclusion of jurisdiction. Due to the fact that they are intensely connected to the American market
and thus obtain a position in which they are (economically) dependent on it, they lack the
possibility to ignore the American government at all costs and so form an easy target. Moreover,
even if the cloud service provider is persistent, the American government could on the ground of
their jurisdictional claim, collect the data itself (even without the permission of the service
provider).
Last but not least, the exclusion of certain providers based on their nationality, origin or global
working field, does not particularly infringe the primary goals and corresponding principles of
264
As is made clear in the previous chapter.
66
procurement law, like promoting competition and preventing corruption and fraud. The exclusion
leaves room for (purely) European providers within the boundaries of the request, to enter into
competition and thus for governments to get best value for money. And as long as the
requirements are made public openly and clearly in the contract notice, so that all possible
candidates know what is requested, there is no reason to believe that the principle of
transparency is constrained.
In case the Court of Justice of the European Union would take a different approach in the future,
ruling that exclusion of non-purely European cloud service providers is prohibited (a view point I
would certainly not subscribe), or in case there would be no cloud service provider who can meet
the specific requirements, governments setting up their own (private) clouds (with in-house
expertise) would be the only way to go. Although bound to public procurement rules when
purchasing the needed hard ware to do so, they will probably not be confronted with - and
restrained by - dubious (or debatable) grounds of discrimination.
4.3. WTO Government Procurement Agreement
For the sake of completeness, I have to mention that next to the European public procurement
rules as laid down in the General Directive and the Special Sectors Directive, European public
procurement is also governed by the WTO Government Procurement Agreement of 1994265
(hereinafter: GPA). Just like the European Directives, the GPA gives rules on how contracting
authorities (or ‘entities’ in the wording of the GPA) should purchase public works, public services
or public supplies.
On main lines the regulation in the GPA is similar to that of the EU Directives 266, which is a
necessity for the European Union being bound to it. For that reason, I will not discuss the GPA
extensively. But as the WTO and thus the GPA tries to stimulate international trade, it provides for
equal treatment of tenderers from all countries which are party to the agreement. That way the
GPA enlarges the scope of the European legislation to all countries (among which the member
states of the EU) party to the GPA. This means that the tenderers from the USA (which is party to
265
WTO Government Procurement Agreement of 1994 (Uruguay Round), PB 1994, L 336/273. The Council
of the European Union ratified the agreement, so that the entire European Union (inter alia the Netherlands)
is bound by its rules: Council Decision 94/800/EC of 22 December 1994 concerning the conclusion on
behalf of the European Community, as regards matters within its competence, of the agreements reached
in the Uruguay Round multilateral negotiations (1986-1994).
266
Pijnacker Hordijk remarks that there are several (minor) differences among which a few are doubtful.
See note 210, p. 10-11. I will not discuss these in the light of this thesis.
67
the GPA 267) must be treated in a non-discriminatory way, meaning that they must be treated
equally to European Union nationals. 268
There is however no reason to presume that the objective justification of the exclusion of certain
tenderers as described above, would not be sufficient under GPA law. So the conclusion can be
drawn that, even though US companies can engage in procurement procedures in the European
Union on the same terms as EU companies, the GPA does not prohibit indirect discrimination on
the ground of nationality as long as it is objectively justified. 269
4.3. Conclusion
This chapter aimed at getting a general insight in public procurement rules which govern
contracting authorities when purchasing public works, public supplies or public services. It
specifically tried to answer the question whether it is legally possible for European governments
to give effect to their wish to make use of cloud computing services in a truly safe manner within
the existing IT-infrastructure. Taking into account the reasons why the exclusion on the ground of
nationality or origin is made and the fact that it does not affect the primary goals of procurement
law like promoting competition and preventing corruption and fraud, it is my view that European
contracting authorities are free, when wishing to make use of cloud computing services, to require
that the provider can guarantee that the data stored in the cloud (and thus the cloud itself) are
subject to the ‘European jurisdiction’ only. It is my opinion that such a treatment endures the
‘objective justification test’ which is designed by the Court of Justice of the EU, at least when it is
made clear that otherwise (when the data is also subject to the jurisdiction of non-EU Member
States) the data is not offered the protection required according to European rules.
267
A list of countries which are party to the GPA can be found on:
http://www.wto.org/english/tratop_e/gproc_e/memobs_e.htm#parties. Last checked: September 2012.
268
Article III of the GPA.
269
Article VI of the GPA which contains a similar regulation concerning technical specifications as art. 23 of
the General Directive.
68
5. The European cloud: the solution?
At the end of this thesis, but before drawing the general conclusion answering the central
research question given in the Introduction, I would like to consider the motives for a European
cloud once more.
The NLnet foundation brought forward the question whether it would be possible to create a cloud
computing service which would ensure that the stored data would remain out of foreign
(American) hands under all conditions, so that EU governments could use cloud computing
services for the processing of their (highly confidential) data without fearing unauthorized
disclosure of these data to third parties (US government).
When confronted with such a problem, one can of course look at the existing legal framework and
try to find solutions within. That is what this study is about. It shows that an exclusive European
cloud service can be achieved, but it is one with all kind of (difficult) restrictions. One can
therefore raise questions whether this problem can be solved legally, when the cause of the
problem, (a feeling of) great mistrust, may be at a whole other level.
Although the European Commission recognizes both the high potential of the cloud and the risks
involved, it looks for a possibility to ‘ensure a high level of protection without falling into the trap
that would restrict users to only a European cloud.’ 270 According to the Commission, as well as
many authors, the free flow of data across continents is necessary to provide access to the best
cloud services regardless of geography. Besides, a ‘balkanized system’ of clouds around the
world constrains the essence of the success of the Internet (globalization) and would forestall
enjoying the full benefits of cloud computing.271 In fact, it is quite obvious that the idea of limited
cloud services is rather incompatible with the borderless nature of the Internet (which is a great
part of both successes).
The Vice-President of the European Commission responsible for the Digital Agenda for Europe,
the Dutch Neelie Kroes, therefore presented the so called ‘European Cloud Strategy’ late
September 2012. 272 In this document, the EU Commission sets out the high potential of using the
270
These are the words of vice-president of the EU commission, Justice commissioner Vivian, drawn from
her speech of 7 December 2011 ‘Privacy in the Cloud: Data Protection and Security in Cloud Computing’
(SPEECH/11/859) can be found on http://europa.eu/rapid/press-release_SPEECH-11-859_en.htm. Last
checked: November 2012.
271
C. Wolf and W. Maxwell ‘Dangerous assumptions about clouds’, CSO 31 July 2012, published online on:
http://www.csoonline.com/article/712565/dangerous-assumptions-about-clouds?page=1. Last checked:
November 2012.
272
Communication from the Commission to the European Parliament, the Council, the European Economic
and Social Committee and the Committee of the Regions, Unleashing the potential of cloud computing in
69
cloud 273, and subsequently provides the key areas where action is needed to be taken. In this
regard, the Commission pays special attention to the possibilities for cloud computing to lower
public costs, push the public benefits up by providing the opportunity to enjoy full electronic public
services instead of a paper bureaucracy. Thus giving a broader base for economic activity
involving the entire population. 274
The Commission reckons that creating trust in cloud solutions is of utmost importance to reach its
full potential. In this regard the report mentions three key actions:275
-
cutting through the jungle of standards;
-
safe and fair contract terms and conditions;
-
establishing a European Cloud Partnership to drive innovation and growth from the public
sector.
In addition to these actions concerning stimulation of the European single market, the report
mentions that, without barriers to stop cloud computing services at geographical borders, there is
a need to look beyond the EU at the wider international situation. The commission shows to be
aware of the need to reinforce international dialogue on safe and seamless cross-border use, and
specifically mentions data protection and the access to data by foreign law enforcement agencies
and the use of MLATs as a key theme to be dealt with. 276
So instead of raising a wall by putting restrictions to the key elements (use, location and provider)
of cloud computing services 277, barring it from living up to its full potential, building trust and using
diplomatic ways to ensure a sufficient level of data protection may be a more fruitful solution to
the problem.
In my view it might be the only possible solution. Both the US and the EU are among the leading
players on the world market. That way they are more or less convicted to each other, as the US
needs the EU and vice versa. To keep their economies up and running, trans-continental trade
and cooperation is crucial. In such a relationship, there is no place for mistrust. Therefore I think
Europe, Brussels, 27 September 2012, COM(2012), 529 final. To be found on:
http://ec.europa.eu/information_society/activities/cloudcomputing/docs/com/com_cloud.pdf. Last checked:
November 2012.
273
In the report, figures are mentioned of an estimated increase of GDP with € 250 billion in 2020,
translating into the creation of 2,5 million jobs (p.6).
274
See note 272, p. 5.
275
See note 272, p. 10.
276
See note 272, p. 16
277
Alike the European cloud which has been discussed in this thesis.
70
that keeping up the international dialogue between the EU and the US (and other countries as
well) for discussing matters like data protection and law enforcement, is of utmost importance.
Ultimately such dialogue could (or should) lead to a(n) (in)formal agreement on how to cope with
such issues.
Besides, the legal possibilities to keep the US government from access to data stored in a cloud,
could only prevent unauthorized disclosure of data to a certain level. Technical tools, like
encryption of data can (and should) also help to secure the confidentiality of the information
stored on line. However, complete foreclosure probably is an illusion. When the American
government really suspects important data to be stored in a European cloud, it will most likely find
a legal or illegal way to get possession over that information.
I am truly convinced that the EU and the US have enough confidence in, and mutual respect for
each other to make sure that European legal subjects can use cloud computing service without
the fear of unauthorized disclosure 278, while at the same time the US can remain in the position to
get access to data stored in a cloud when there is actual reason to. 279
It should not be up to these two major players alone The complete international community
should discuss the issue at stake: the possible conflicting interests of data protection and legal
enforcement. The United Nations could function as a platform to make such discussion possible.
Maybe the installment of an international (UN) agency that reviews law enforcement in the light of
data protection and vice versa (extorting accountability), can eventually bring this problem to rest.
278
In this regard I would like to point to the Consumer Data Privacy Bill of Rights which was presented by
President Obama on 23 February 2012, which shows that the US is aware of the importance of privacy
protection of consumers. See: http://www.whitehouse.gov/sites/default/files/privacy-final.pdf. Last checked:
November 2012.
279
In this regard, MLATs already fulfill this need. But one could imagine other measures.
71
6. Conclusion
In Europe, questions are raised about cloud computing in relation to data protection and access
to data by third parties. The Dutch NLnet foundation, also having concerns on this matter and the
USA PATRIOT Act in specific, requested a research into the legal feasibility of the use of a
European cloud by European (semi-)governments. Such a European cloud would be technically
possible and should keep the US government from having easy access to the data stored within
on the base of its own Patriot Act.
Based on the information given in the second chapter, the conclusion may be drawn that privacy
and data protection take a prominent place in the European Union. Privacy is regarded as a
fundamental right and the Data Protection Directive, which is proposed to be replaced soon by a
new Regulation, offers a high level of protection inter alia against disclosure of processed
personal data without the unambiguous consent of the data subject.
In the US on the other hand, privacy is seen as one interest among others. They have not chosen
for a federal approach of data protection on the base of a single piece of law comparable to the
EU Directive. It is however not just this lack of regulation that raises concerns.
The complex anti-terrorism laws introduced after the horrors of 9/11, which are symbolized by the
USA PATRIOT Act, have expanded investigative powers, lowering the standards for issuance of
an order and minimizing the judicial review, while at the same time enlarging the scope of
materials sought for. Based on these laws, it is assumed that the US has (too) easy access to
data stored in a cloud.
Although I did not find any direct clues pointing in the direction of abusive use of the powers laid
down therein by the US government, the US anti-terrorism legislation does seem to provide too
short a distance between the people and their privacy on the one hand, and the government and
its fight against crime and terrorism on the other. Further research would however be necessary
to give a more exact answer to the question whether or not the basic principles of the EU
legislation concerning privacy and data protection are infringed by the powers attributed to US
authorities through anti-terrorism legislation like the Patriot Act.
For now, I would conclude that the lack of transparency on US side on the use of the possibility to
request disclosure of certain data in a cloud, which is foremost caused by the requirement of
secrecy of disclosure combined with the minimal judicial oversight, makes it hardly possible to
determine whether or not the actual use of the powers provided by the USA PATRIOT Act are in
line with the EU perception of the need to protect individuals against privacy infringements. The
72
obligation for both private and public parties to account for privacy infringing acts is the key
elements of the European idea of privacy and data protection. As long as the US government is
not clear (transparent) about the exact use of the possibilities offered by their anti-terrorism
legislation, there is no way they can account for any of them, nor can they be held accountable.
Due to this lack of accountability the US government shows great disrespect for the valuable
interests of (its) citizens.
Therefore, in my opinion, it is justified to (at least) suppose that the Patriot Act offers the
possibility to access data which is not in conformity with EU morals and thus – although the EU
Directive provides that data may be disclosed without the unambiguous consent of the data
subject on the base of an obligation prescribed by law – conflicting with the EU Directive.
Against this back ground, the central research question of this thesis was raised by the Dutch
NLnet foundation:
Is it legally possible to provide a purely European cloud service, meaning that only European
authorities do have jurisdiction and solely European rules apply, and subsequently is it legally
permissible that European (semi-)governments will make use of merely this European cloud (so
beforehand excluding all other (Non-purely-European) cloud providers)?
The third chapter provides the answer to the first part of this question, namely whether it is legally
possible to exclude all but the European jurisdiction over a cloud service, as a result of which
foreign governments cannot grant themselves access to data stored in the cloud on the basis of
their own legislation.
It is possible create a cloud service which is only subject to the ‘European jurisdiction’, excluding
all other jurisdictions especially the jurisdiction of the United States of America. Such an exclusive
jurisdiction can however only be realized when certain conditions are met: the absence of any
base on which other countries could claim to have jurisdiction over ‘the cloud’. These
requirements are:
-
the cloud computing service is physically entirely located within the territory of the EU
Member States;
-
the cloud service provider solely has the nationality of one of the Member States of the
EU;
-
the cloud service provider contracts only with subcontractors who solely have the
nationality of one of the Member States of the EU and who only and exclusively operate
within the territory of the Member States of the EU;
73
-
the cloud service provider operates only and exclusively within the territory of the Member
States of the EU;
-
the cloud service provider only processes data of legal persons who solely have the
nationality of one of the Member States of the EU.
When these requirements are fulfilled (which will not at all be easy), the US has no (respected)
legal ground to claim jurisdiction. Nevertheless, even without jurisdiction, states can demand
disclosure of information if needed in case of a criminal investigation. So called MLATs prescribe
when and what kind of information should be provided by the requested state. However, although
states do not always proceed accordingly, which is perfectly shown by the IndyMedia case, the
procedures in case of a request based on a MLAT provide enough safeguards against
unnecessary and unlawful disclosure of information. Besides, MLATs do not affect data stored in
a cloud differently than data that is stored otherwise (offline).
The fourth chapter then aims at getting a general insight in public procurement rules which
govern contracting authorities when purchasing public works, public supplies or public services. It
specifically tried to answer the question whether it is legally possible for European governments
to give effect to their wish to make use of cloud computing services in a truly safe manner. Taking
into account the reasons why the exclusion on the ground of nationality or origin is made and the
fact that it does not affect the primary goals of procurement law like promoting competition and
preventing corruption and fraud, it is my view that European contracting authorities are free, when
wishing to make use of cloud computing services, to require that the provider can guarantee that
the data stored in the cloud (and thus the cloud itself) are subject to the ‘European jurisdiction’
only. It is my opinion that such a treatment should endure the ‘objective justification test’ which is
designed by the Court of Justice of the EU, at least when it is made clear that otherwise (when
the data is also subject to the jurisdiction of non-EU Member States) the data is not offered the
protection required according to European rules.
The central research question of this thesis can therefore be answered positively. It is possible to
create a European cloud and the international public procurement rules do allow the necessary
discrimination on the ground of nationality when it is objectively justified, which is in my view the
case.
It is however at least questionable whether this problem, which presumes a great feeling of
mistrust, can best be solved within the existing legal framework and at what cost. Instead of
closing the gates, I support the initiatives of the EU Commission: keeping the dialogue between
the EU and the US alive, discussing the matters of data protection and access to data by foreign
law enforcement agencies.
74
7. Bibliography
List of used literature
P. Bal, ‘De USA Patriot Act I en II; Ongekende uitbreiding van bevoegdheden in de strijd tegen
het terrorisme’, Strafblad, 2004.
P. Balboni, Data Protection and Data Security Issues Related to Cloud Computing in the EU,
Tilburg University Legal Studies Working Paper Series, no. 022/2010, August 2010.
C. Bennett, Regulating privacy; Data protection and public policy in Europe and the United
States, Cornell University Press 1992.
M. Birnhack, ‘The EU Data Protection Directive: an engine of a global regime’, Computer Law &
Security Report 24 (2008).
S. Bradshaw, C. Millard and I. Walden, ‘Contracts for Clouds: Comparison and Analysis of the
Terms and Conditions of Cloud Computing Services’, Queen Mary University of London, School
of Law, September 1st 2010
L. Bygrave, ‘European Data Portection - Determining Applicable Law Pursuant to European Data
Protection Legislation’, C.L.S.R no. 16, 2002.
P. Carroll, ‘Standards of Data Protection’, Computer Fraud & Security vol. 2012 issue 2, February
2012.
C. Cuijpers in ‘Toepasselijk privacyrecht in de wolk’, Computerrecht 2011/65.
V. Dinh, ‘USA Patriot Act’, German Law Journal vol. 5, no. 5 2004.
A.dEngelfried, ‘Waarom is de Patriot Act nou eigenlijk een problem voor cloudgebruikers?’,
published 17 October 2011 on http://www.hostingrecht.nl/telecommunicatie/waarom-is-de-patriotact-nou-eigenlijk-een-probleem-voor-cloudgebruikers/.
L. Ferreira Pires, ‘ Wat is Cloud computing?’, Computerrecht 2011/63.
J. Gerards, ‘Discrimination grounds’, in D Schiek, L. Waddington, M. Bell, Cases, Materials and
Text on National Supranational and International Non-Discrimination Law, Hart Publishing, 2007.
75
U. Gorham-Ocilowski and P. Jaeger, ‘National Security Letters, the USA PATRIOT Act, and the
Constitution: The tensions between national security and civil right’, Government Information
Quarterly vol 25, issue 4, October 2008.
A. de Haes, ‘Noorse privacywaakhond verbiedt Google Apps’, 26 januari 2012, published on:
webwereld.nl/nieuws/109323/noorse-privacywaakhond-verbiedt-google-apps.html.
S. Hinde, ‘Privacy Legislation: a comparison of the US and European approaches’, Computer &
Security vol. 22 issue 5, July 2003.
J. van Hoboken and others, ‘Cloud diensten in hoger onderwijs en onderzoek en de USA patriot
act’, a research report commissioned by IViR, University of Amsterdam, September 2012.
G. Hosein, ‘International co-operation gone awry – what happened to Indymedia?’, published on:
https://www.privacyinternational.org/blog/international-co-operation-gone-awry-what-happenedto-indymedia.
C. Hublet, ‘The Scope of Article 12 of the Treaty of the European Communities vis-à-vis ThirdCountry Nationals: Evolution at Last?’, European Law Journal vol. 15, no. 6, November 2009
(Blackwell Publishing 2009).
IBM Institue for Business Values, ‘ The power of cloud; Driving business model innovation’,
February 2012, published online on:
http://public.dhe.ibm.com/common/ssi/ecm/en/gbe03470usen/GBE03470USEN.PDF
N. Ismail, ‘Cursing the Cloud (or) Controlling the Cloud?’, Computer Law & Security Review 27/3,
June 2011.
R. Jones and D. Tahri, ‘An overview of EU data protection rules on use of data collected online’,
Computer Law & Security Review, 27 (2011).
J. Kollar, ‘USA PATRIOT Act, the Fourth Amendment, and Paranoia: Can They Read this While
I’m Typing?’, Journal of High Technology Law 67 (2004).
P.H. Kooijmans, Internationaal publiekrecht in vogelvlucht, Kluwer: Deventer 2002.
76
B. Koops and S. Brenner, Cybrercrime and jurisdiction: a global survey, T.M.C. Asser Press
2006.
C. Kuner, ‘Data Protection Law and International Jurisdiction on the Internet (Part 1)’,
International Journal of Law and Information Technology Vol. 18, No. 2 (Oxford University Press
2010), published 11 March 2010.
W. Maxwell and C. Wolf, A Hogan Lovells White Paper; A Global Reality: Governmental Access
to Data in the Cloud, published 23 May 2012.
R. Leenes, ‘Who Controls the Cloud?’, IDP. Revista de Internet, Derecho y Política no. 11
(2010).
National Institute of Standards and Technology, ‘The NIST Definition of Cloud Computing’,
September 2011, NIST SP 800-145.
B. Maier, ‘How Has the Law Attempted to Tackle the Borderless Nature of the Internet?’,
International Journal of Law and Information Technology, Vol. 18 no. 2, Oxford University Press
2010, published 15 March 2010.
R. Michaels, ‘Territorial jurisdiction after territoriality’, in: P. Slot and M. Bulterman (eds.),
Globalisation and Jurisdiction, Kluwer Law International 2004.
‘Patriot Act Extension Signed By Obama’, published 27 May 2011 on
http://www.huffingtonpost.com/2011/05/27/patriot-act-extension-signed-obamaautopen_n_867851.html.
E.H Pijnacker Hordijk e.a., Aanbestedingsrecht; Handboek van het Europese en het Nederlandse
Aanbestedingsrecht, Den Haag: Sdu Uitgevers bv 2004.
‘Public procurement: Commission calls on Slovakia to respect EU rules for electronic toll
collection contracts’, Press Releases, Brussels 30 September 2010, IP/10/1244.
A. Raul, E. McNIcholas and E. Jillson, ‘Reconciling European Data Privacy Concerns with US
Discovery Rules: Conflict and Comity’, G.C.L.R. issue 3 2009, p. 119-120.
77
V. Reding, ‘Privacy in the Cloud: Data Protection and Security in Cloud Computing’
(SPEECH/11/859) can be found on http://europa.eu/rapid/press-release_SPEECH-11859_en.htm..
N. Robbinson and others, ‘Review of the European Data Protection Directive’, Cambridge: RAND
2009. This research was sponsored by the Information Commissioner’s Office.
A.M. Sachdeva, ‘International Jurisdiction In Cyberspace: A Comparative Perspective’, C.T.L.R.,
2007, p. 246.
R. Schoenmaker, ‘Minister weet niet waar Nederlandse data blijft’, 10 september 2011, published
on: http://webwereld.nl/nieuws/107879/minister-weet-niet-waar-nederlandse-data-blijft.html.
R. Schoenmaker, ‘Uitsluiting Microsoft bij aanbesteding overheid’, 14 september 2011 published
on: http://webwereld.nl/nieuws/107924/uitsluiting-microsoft-bij-aanbestedingen-overheid.html.
R.Schoenmaker, ‘Geen extra eisen tegen amerikaans datagraaien’, 17 september 2011
published on: http://webwereld.nl/nieuws/107960/-geen-extra-eisen-tegen-amerikaansdatagraaien-.html.
R. Schoenmaker, ‘Kabinet moet einde maken aan datagraaien VS’, 2 februari 2012, published
on: webwereld.nl/nieuws/109390/-kabinet-moet-einde-maken-aan-datagraaien-vs-.html.
D. Solove, ‘ “I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy’, San Diego Law
Review vol. 44 2008.
J. Strauss, K.S. Rogerson, ‘Policies for online privacy in the United States and the European
Union’, Telematics and Informatics 19 (2002).
P. Swire, ‘The System of Foreign Intelligence Surveillance Law’, George Washington Law Review
vol. 72 (2004).
P. Trepte, Public Procurement in the EU; a practioner’s guide, Oxford: Oxford University Press
2007.
S. Warren and L. Brandeis, ‘The Right to Privacy’, Harvard Law Review, volume 4, December
15th 1890.
78
Whitepaper ‘De wolk in het onderwijs; privacy aspecten bij cloud computing services’, a research
conducted by TILT (Tilburg Institute for Law, Technology, and Society) commissioned by
SURFnet/Kennisnet.
R. Westerdijk, ‘Open Standards and open source software v. public procurement’.
Z. Whittaker, ‘Case study: How the USA PATRIOT Act can be used to access EU data’ published
26 April 2011 on http://www.zdnet.com/blog/igeneration/case-study-how-the-usa-patriot-act-canbe-used-to-access-eu-data/8805.
C. Wolf and W. Maxwell ‘Dangerous assumptions about clouds’, CSO 31 July 2012,
http://www.csoonline.com/article/712565/dangerous-assumptions-about-clouds?page=1. Last
checked: November 2012.
List of used web sites
http://www.apec.org/About-Us/About-APEC/Fact-Sheets/APEC-Privacy-Framework.aspx.
http://blogs.amd.com/work/2011/05/31/mind-the-gap-%E2%80%93-the-rise-of-cloud-computing/.
http://blogs.amd.com/work/amd-2011-global-cloud-computing-adoption-attitudes-andapproaches-study-infographics/.
http://caselaw.lp.findlaw.com/data/constitution/amendment04/.
http://www.denederlandsegrondwet.nl
http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm.
http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm.
http://europa.eu/legislation_summaries/information_society/data_protection/l14012_en.htm.
http://europa.eu/rapid/pressReleasesAction.do?reference=IP/10/1244&format=HTML&aged=0&la
nguage=en&guiLanguage=en.
http://finance.yahoo.com/news/10-huge-companies-facebook-now-210700763.
79
http://www.forbes.com/sites/kevinjackson/2011/04/19/cloud-to-command-90-of-microsofts-rdbudget/.
http://www.google.com/about/company/facts/locations/.
http://www.justice.gov/archive/ll/subs/u_myths.htm.
http://www.lexisnexis.com/lawschool/study/outlines/html/civpro/civpro02.htm.
http://www.nlnet.nl.
http://www.rijksoverheid.nl/documenten-enpublicaties/rapporten/2012/07/10/aanbestedingsreglement-werken-2012.html.
http://www.rijksoverheid.nl/onderwerpen/aanbesteden/nieuwe-aanbestedingsregels.
http://www.rijksoverheid.nl/onderwerpen/aanbesteden/regelgeving-aanbestedingen.
http://www.whitehouse.gov/sites/default/files/privacy-final.pdf.
http://www.wto.org/english/tratop_e/gproc_e/memobs_e.htm#parties.
List of used case law
Court of Justice of the EU
Case C-170/84 of the Court of Justice of the EC 13 May 1986.
Case C-186/87 Ian William Cowan v Trésor Public, Court of Justice of the EC, 2 February 1989.
Case C-221/89 of the Court of Justice of the EC Factorame (1991) ECR 1-3905.
Case C-243/89 Commission v. Denmark (Storebaelt), Court of Justice of the EC, 22 June 1993.
Case C-323/95 of the Court of Justice of the EC Hayes [1996] ECR I-4661.
Case C-87/94 Commission v. Belgium (Waalse bussen), Court of Justice of the EC, 25 April
1996.
80
Case C-85/96 of the Court of Justice of the EC Maria Martinez [1998] ECR I-2691.
Case C-324/98 Telaustria, Court of Justice of the EC, 7 December 2000.
Case C-148/02 of the Court of Justice of the EU Garcia Avello [2003] ECR I-11613.
Case C-164/07 of the Court of Justice of the EU Wood [2008] ECR I-4143.
European Court of Human Rights
ECtHRM 26 April 1979 (Sunday Times v. UK).
ECtHRM 1 July 2008 (Liberty v. UK).
France
UEJF et LICRA v. Yahoo! Inc. et Yahoo France, Tribunal de Grande Instance de Paris, NO RG:
00/05308, November 20, 2000.
US
Pennoyer v. Neff, 95 U.S. 714 (1877).
International Shoe v. Washington, 326 U.S. 310 (1945).
Griswold v. Connecticut, 381 U.S. 479 (1965).
United States v. Bank of Nova Scotia, 740 F.2d 817 (11th Cir. 1984).
United States v. Verdugo-Urquidez, 494 U.S. 259, 265 (1990).
Doe v. Ashcroft, Southern District of New York, 29 September 2004, 04CV2614.
81
List of used legal and policy instruments
Netherlands
Dutch Act of 31 March 1993, Stb. 1992, 212, to execute the EEG-measures in regard to the
public procurement procedures for the award of public works contracts, public supply contracts
and public service contracts.
Dutch Act of 6 July 2000, Stb. 2000, 302, concerning rules with regard to the protection of
personal data (Wet Bescherming Persoonsgegevens).
Dutch Decree of 1 December 2005, Stb. 2005, 408, concerning the rules of general public
procurement (Boa).
Dutch Decree of 1 December 2005, Stb. 2005, 409, concerning the rules of public procurement
for the special sectors (Bass).
Policy rules concerning public procurement for the award of a pulbic works contracts of 2005,
Stcrt. 2005, 207.
Treaty between the Kingdom of the Netherlands and the United States of America concerning the
mutual legal assistance in criminal matters (Verdrag tussen het Koninkrijk der Nederlanden en de
Verenigde Staten van Amerika aangaande wederzijdse rechtshulp in strafzaken), the Hague ,
June 12 1981.
EU
Agreement on mutual legal assistance between the European Union and the United States of
America, to be found on: http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:181:0034:0042:EN:PDF.
Article 29 Working Party, ‘Working document on determining the international application of EU
data protection law to personal data processing on the Internet by non-EU based websites’(WP
56, 30 May 2002).
Article 29 Data Protection Working Party, ‘Opinion 4/2007 on the concept of personal data’.
01248/07/EN, WP 136.
82
Article 29 Data Protection Working Party, ‘Opinion 1/2008 on data protection issues related to
search engines’, WP 148, 00737/EN.
Article 29 Data Protection Working Party, ‘Opinion 1/2010 on the concepts of “controller” and
“processor”’ 00264/10/EN WP 169.
Article 29 Data Protection Working Party, ‘Opinion 8/2010 on applicable law’ 0836-02/10/EN WP
179.
Article 29 Data Protection Working Party, ‘Opinion 05/2012 on cloud computing’. 01037/12/EN,
WP 196.
Charter of fundamental rights of the European Union of 18 December 2000, 2000/C 364/01.
Commission Interpretative Communication on the Community law applicable to contract awards
not or not fully subject to the provisions of the Public Procurement Directives (2006/C 179/02),
Offical Journal C 179/2 of 1 August 2006.
Commission Regulation (EC) No 1251/2011 of 20 November 2011 amending Directives
2004/17/EC, 2004/18/EC and 2009/81/EC of the European Parliament and of the Council in
respect of their application thresholds for the procedures for the award of contracts, Official
Journal L 319/43 of 2 December 2011.
Communication from the Commission to the European Parliament, the Council, the European
Economic and Social Committee and the Committee of the Regions, Unleashing the potential of
cloud computing in Europe, Brussels, 27 September 2012, COM(2012), 529 final.
Council Decision 94/800/EC of 22 December 1994 concerning the conclusion on behalf of the
European Community, as regards matters within its competence, of the agreements reached in
the Uruguay Round multilateral negotiations (1986-1994).
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement
of such data.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning
the processing of personal data and the protection of privacy in the electronic communications
sector (Directive on privacy and electronic communications).
83
Directive 2004/17/EC of the European Parliament and of the Council of 31 March 2004 on the
coordination of procedures of entities operating in the water, energy, transport and postal service
sectors.
Directive 2004/18/EC of the European Parliament and of the Council of 31 March 2004 on
the coordination of procedures for the award of public works contracts, public supply contracts
and public service contracts.
Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the
retention of data generated or processed in connection with the provision of publicly available
electronic communications services or of public communications networks and amending
Directive 2002/58/EC.
Directive 2007/66/EC of the European Parliament and of the Council of 11 December 2007,
amending Council Directives 89/665/EEC and 92/13/EEC with regard to improving the
effectiveness of review procedures concerning the award of public contracts.
European Commission, Proposal for a Regulation of the European Parliament and of the Council
on the protection of individuals with regard to the processing of personal data and on the free
movement of such data (General Data Protection Regulation), version 56, 29 November 2011
(leaked draft).
European Commission, Proposal for a Regulation of the European Parliament and of the Council
on the protection of individuals with regard to the processing of personal data and on the free
movement of such data (General Data Protection Regulation), Brussels, 25 January 2012, COM
(2012) 11 final, 2012/0011 (COD).
Treaty on establishing the European Community, known as the Treaty of Rome 1957, as
amended by the Single European Act 1986, the Treaty of Maastricht 1992, officially known as the
Treaty on European Union (TEU), the Treaty of Amsterdam 1997, the Treaty of Nice 2001 and
the Treaty of Lisbon 2007.
Council of Europe
Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
of the Council of Europe of 28 January 1981.
84
European convention on human rights of the Council of Europe of 4 November 1950,
US
Foreign Intelligence Surveillance Act of 1978, Public Law 95-511 October 25, 1978, 92 Stat.
1783.
Foreign Intelligence Surveillance Act of 1978 Amendments Act of 2008 (H.R. 6304), Public Law
110-261 July 10 2008, 122 Stat. 2436.
FAA Reauthorization Act of 2012 (H.R. 5949), Public Law September 11 2012.
Senate Executive Report 110-13.
The PATRIOT Sunsets Extensions Act of 2011 (H.R. 514) Public Law. 112-14 (May 26th 2011).
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and
Obstruct Terrorism (USA PATRIOT ACT) Act of October 2001, Pub. L. No. 107-56, 115 Stat. 272.
USA PATRIOT Improvement and Reauthorization Act of 2005, Public Law No. 109-177, 120 Stat.
192.
Other international organizations
OECD Coucil, Guidelines on the Protection of Privacy and Trans-border flows of Personal Data,
23 September 1980.
Resolution of the General Assembly of the United Nations 2625 (XXV) of October 24th 1970,
concerning the prohibition of a state to use its territory to organize activities which aim to disturb
the order or bring down the government of another state.
UN General Assembly, Guidelines for the Regulation of Computerized Personal Data Files, 14
December 1990.
WTO Government Procurement Agreement of 1994 (Uruguay Round), PB 1994, L 336/273.
85
Appendix I: selection of relevant sections of the United States Code
18 USC § 2709 - Counterintelligence access to telephone toll and transactional records
(a) Duty to Provide.— A wire or electronic communication service provider shall comply with a
request for subscriber information and toll billing records information, or electronic communication
transactional records in its custody or possession made by the Director of the Federal Bureau of
Investigation under subsection (b) of this section.
(b) Required Certification.— The Director of the Federal Bureau of Investigation, or his designee
in a position not lower than Deputy Assistant Director at Bureau headquarters or a Special Agent
in Charge in a Bureau field office designated by the Director, may—
(1) request the name, address, length of service, and local and long distance toll billing records of
a person or entity if the Director (or his designee) certifies in writing to the wire or electronic
communication service provider to which the request is made that the name, address, length of
service, and toll billing records sought are relevant to an authorized investigation to protect
against international terrorism or clandestine intelligence activities, provided that such an
investigation of a United States person is not conducted solely on the basis of activities protected
by the first amendment to the Constitution of the United States; and
(2) request the name, address, and length of service of a person or entity if the Director (or his
designee) certifies in writing to the wire or electronic communication service provider to which the
request is made that the information sought is relevant to an authorized investigation to protect
against international terrorism or clandestine intelligence activities, provided that such an
investigation of a United States person is not conducted solely upon the basis of activities
protected by the first amendment to the Constitution of the United States.
(c) Prohibition of Certain Disclosure.—
(1) If the Director of the Federal Bureau of Investigation, or his designee in a position not lower
than Deputy Assistant Director at Bureau headquarters or a Special Agent in Charge in a Bureau
field office designated by the Director, certifies that otherwise there may result a danger to the
national security of the United States, interference with a criminal, counterterrorism, or
counterintelligence investigation, interference with diplomatic relations, or danger to the life or
physical safety of any person, no wire or electronic communications service provider, or officer,
employee, or agent thereof, shall disclose to any person (other than those to whom such
disclosure is necessary to comply with the request or an attorney to obtain legal advice or legal
assistance with respect to the request) that the Federal Bureau of Investigation has sought or
obtained access to information or records under this section.
(2) The request shall notify the person or entity to whom the request is directed of the
nondisclosure requirement under paragraph (1).
(3) Any recipient disclosing to those persons necessary to comply with the request or to an
attorney to obtain legal advice or legal assistance with respect to the request shall inform such
person of any applicable nondisclosure requirement. Any person who receives a disclosure under
this subsection shall be subject to the same prohibitions on disclosure under paragraph (1).
(4) At the request of the Director of the Federal Bureau of Investigation or the designee of the
Director, any person making or intending to make a disclosure under this section shall identify to
the Director or such designee the person to whom such disclosure will be made or to whom such
disclosure was made prior to the request, except that nothing in this section shall require a
person to inform the Director or such designee of the identity of an attorney to whom disclosure
was made or will be made to obtain legal advice or legal assistance with respect to the request
under subsection (a).
(d) Dissemination by Bureau.— The Federal Bureau of Investigation may disseminate information
and records obtained under this section only as provided in guidelines approved by the Attorney
General for foreign intelligence collection and foreign counterintelligence investigations conducted
by the Federal Bureau of Investigation, and, with respect to dissemination to an agency of the
United States, only if such information is clearly relevant to the authorized responsibilities of such
agency.
(e) Requirement That Certain Congressional Bodies Be Informed.— On a semiannual basis the
Director of the Federal Bureau of Investigation shall fully inform the Permanent Select Committee
on Intelligence of the House of Representatives and the Select Committee on Intelligence of the
86
Senate, and the Committee on the Judiciary of the House of Representatives and the Committee
on the Judiciary of the Senate, concerning all requests made under subsection (b) of this section.
(f) Libraries.— A library (as that term is defined in section 213(1) of the Library Services and
Technology Act (20 U.S.C. 9122 (1)), the services of which include access to the Internet, books,
journals, magazines, newspapers, or other similar forms of communication in print or digitally by
patrons for their use, review, examination, or circulation, is not a wire or electronic communication
service provider for purposes of this section, unless the library is providing the services defined in
section 2510 (15) (“electronic communication service”) of this title.
50 USC § 1801 – Definitions
As used in this subchapter:
(a) “Foreign power” means—
(1) a foreign government or any component thereof, whether or not recognized by the United
States;
(2) a faction of a foreign nation or nations, not substantially composed of United States persons;
(3) an entity that is openly acknowledged by a foreign government or governments to be directed
and controlled by such foreign government or governments;
(4) a group engaged in international terrorism or activities in preparation therefor;
(5) a foreign-based political organization, not substantially composed of United States persons;
(6) an entity that is directed and controlled by a foreign government or governments; or
(7) an entity not substantially composed of United States persons that is engaged in the
international proliferation of weapons of mass destruction.
(b) “Agent of a foreign power” means—
(1) any person other than a United States person, who—
(A) acts in the United States as an officer or employee of a foreign power, or as a member of a
foreign power as defined in subsection (a)(4) of this section;
(B) acts for or on behalf of a foreign power which engages in clandestine intelligence activities in
the United States contrary to the interests of the United States, when the circumstances of such
person’s presence in the United States indicate that such person may engage in such activities in
the United States, or when such person knowingly aids or abets any person in the conduct of
such activities or knowingly conspires with any person to engage in such activities;
(C) engages in international terrorism or activities in preparation therefore;
(D) engages in the international proliferation of weapons of mass destruction, or activities in
preparation therefor; or
(E) engages in the international proliferation of weapons of mass destruction, or activities in
preparation therefor for or on behalf of a foreign power; or
(2) any person who—
(A) knowingly engages in clandestine intelligence gathering activities for or on behalf of a foreign
power, which activities involve or may involve a violation of the criminal statutes of the United
States;
(B) pursuant to the direction of an intelligence service or network of a foreign power, knowingly
engages in any other clandestine intelligence activities for or on behalf of such foreign power,
which activities involve or are about to involve a violation of the criminal statutes of the United
States;
(C) knowingly engages in sabotage or international terrorism, or activities that are in preparation
therefor, for or on behalf of a foreign power;
(D) knowingly enters the United States under a false or fraudulent identity for or on behalf of a
foreign power or, while in the United States, knowingly assumes a false or fraudulent identity for
or on behalf of a foreign power; or
(E) knowingly aids or abets any person in the conduct of activities described in subparagraph (A),
(B), or (C) or knowingly conspires with any person to engage in activities described in
subparagraph (A), (B), or (C).
(c) “International terrorism” means activities that—
(1) involve violent acts or acts dangerous to human life that are a violation of the criminal laws of
the United States or of any State, or that would be a criminal violation if committed within the
jurisdiction of the United States or any State;
(2) appear to be intended—
87
(A) to intimidate or coerce a civilian population;
(B) to influence the policy of a government by intimidation or coercion; or
(C) to affect the conduct of a government by assassination or kidnapping; and
(3) occur totally outside the United States, or transcend national boundaries in terms of the
means by which they are accomplished, the persons they appear intended to coerce or
intimidate, or the locale in which their perpetrators operate or seek asylum.
(d) “Sabotage” means activities that involve a violation of chapter 105 of title 18, or that would
involve such a violation if committed against the United States.
(e) “Foreign intelligence information” means—
(1) information that relates to, and if concerning a United States person is necessary to, the ability
of the United States to protect against—
(A) actual or potential attack or other grave hostile acts of a foreign power or an agent of a foreign
power;
(B) sabotage, international terrorism, or the international proliferation of weapons of mass
destruction by a foreign power or an agent of a foreign power; or
(C) clandestine intelligence activities by an intelligence service or network of a foreign power or
by an agent of a foreign power; or
(2) information with respect to a foreign power or foreign territory that relates to, and if concerning
a United States person is necessary to—
(A) the national defense or the security of the United States; or
(B) the conduct of the foreign affairs of the United States.
(f) “Electronic surveillance” means—
(1) the acquisition by an electronic, mechanical, or other surveillance device of the contents of
any wire or radio communication sent by or intended to be received by a particular, known United
States person who is in the United States, if the contents are acquired by intentionally targeting
that United States person, under circumstances in which a person has a reasonable expectation
of privacy and a warrant would be required for law enforcement purposes;
(2) the acquisition by an electronic, mechanical, or other surveillance device of the contents of
any wire communication to or from a person in the United States, without the consent of any party
thereto, if such acquisition occurs in the United States, but does not include the acquisition of
those communications of computer trespassers that would be permissible under section 2511
(2)(i) of title 18;
(3) the intentional acquisition by an electronic, mechanical, or other surveillance device of the
contents of any radio communication, under circumstances in which a person has a reasonable
expectation of privacy and a warrant would be required for law enforcement purposes, and if both
the sender and all intended recipients are located within the United States; or
(4) the installation or use of an electronic, mechanical, or other surveillance device in the United
States for monitoring to acquire information, other than from a wire or radio communication, under
circumstances in which a person has a reasonable expectation of privacy and a warrant would be
required for law enforcement purposes.
(g) “Attorney General” means the Attorney General of the United States (or Acting Attorney
General), the Deputy Attorney General, or, upon the designation of the Attorney General, the
Assistant Attorney General designated as the Assistant Attorney General for National Security
under section 507A of title 28.
(h) “Minimization procedures”, with respect to electronic surveillance, means—
(1) specific procedures, which shall be adopted by the Attorney General, that are reasonably
designed in light of the purpose and technique of the particular surveillance, to minimize the
acquisition and retention, and prohibit the dissemination, of nonpublicly available information
concerning unconsenting United States persons consistent with the need of the United States to
obtain, produce, and disseminate foreign intelligence information;
(2) procedures that require that nonpublicly available information, which is not foreign intelligence
information, as defined in subsection (e)(1) of this section, shall not be disseminated in a manner
that identifies any United States person, without such person’s consent, unless such person’s
identity is necessary to understand foreign intelligence information or assess its importance;
(3) notwithstanding paragraphs (1) and (2), procedures that allow for the retention and
dissemination of information that is evidence of a crime which has been, is being, or is about to
be committed and that is to be retained or disseminated for law enforcement purposes; and
88
(4) notwithstanding paragraphs (1), (2), and (3), with respect to any electronic surveillance
approved pursuant to section 1802 (a) of this title, procedures that require that no contents of any
communication to which a United States person is a party shall be disclosed, disseminated, or
used for any purpose or retained for longer than 72 hours unless a court order under section
1805 of this title is obtained or unless the Attorney General determines that the information
indicates a threat of death or serious bodily harm to any person.
(i) “United States person” means a citizen of the United States, an alien lawfully admitted for
permanent residence (as defined in section 1101 (a)(20) of title 8), an unincorporated association
a substantial number of members of which are citizens of the United States or aliens lawfully
admitted for permanent residence, or a corporation which is incorporated in the United States, but
does not include a corporation or an association which is a foreign power, as defined in
subsection (a)(1), (2), or (3) of this section.
(j) “United States”, when used in a geographic sense, means all areas under the territorial
sovereignty of the United States and the Trust Territory of the Pacific Islands.
(k) “Aggrieved person” means a person who is the target of an electronic surveillance or any
other person whose communications or activities were subject to electronic surveillance.
(l) “Wire communication” means any communication while it is being carried by a wire, cable, or
other like connection furnished or operated by any person engaged as a common carrier in
providing or operating such facilities for the transmission of interstate or foreign communications.
(m) “Person” means any individual, including any officer or employee of the Federal Government,
or any group, entity, association, corporation, or foreign power.
(n) “Contents”, when used with respect to a communication, includes any information concerning
the identity of the parties to such communication or the existence, substance, purport, or meaning
of that communication.
(o) “State” means any State of the United States, the District of Columbia, the Commonwealth of
Puerto Rico, the Trust Territory of the Pacific Islands, and any territory or possession of the
United States.
(p) “Weapon of mass destruction” means—
(1) any explosive, incendiary, or poison gas device that is designed, intended, or has the
capability to cause a mass casualty incident;
(2) any weapon that is designed, intended, or has the capability to cause death or serious bodily
injury to a significant number of persons through the release, dissemination, or impact of toxic or
poisonous chemicals or their precursors;
(3) any weapon involving a biological agent, toxin, or vector (as such terms are defined in section
178 of title 18) that is designed, intended, or has the capability to cause death, illness, or serious
bodily injury to a significant number of persons; or
(4) any weapon that is designed, intended, or has the capability to release radiation or
radioactivity causing death, illness, or serious bodily injury to a significant number of persons.
50 USC § 1861 - Access to certain business records for foreign intelligence and
international terrorism investigations
(a) Application for order; conduct of investigation generally
(1) Subject to paragraph (3), the Director of the Federal Bureau of Investigation or a designee of
the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an
application for an order requiring the production of any tangible things (including books, records,
papers, documents, and other items) for an investigation to obtain foreign intelligence information
not concerning a United States person or to protect against international terrorism or clandestine
intelligence activities, provided that such investigation of a United States person is not conducted
solely upon the basis of activities protected by the first amendment to the Constitution.
(2) An investigation conducted under this section shall—
(A) be conducted under guidelines approved by the Attorney General under Executive Order
12333 (or a successor order); and
(B) not be conducted of a United States person solely upon the basis of activities protected by the
first amendment to the Constitution of the United States.
(3) In the case of an application for an order requiring the production of library circulation records,
library patron lists, book sales records, book customer lists, firearms sales records, tax return
records, educational records, or medical records containing information that would identify a
89
person, the Director of the Federal Bureau of Investigation may delegate the authority to make
such application to either the Deputy Director of the Federal Bureau of Investigation or the
Executive Assistant Director for National Security (or any successor position). The Deputy
Director or the Executive Assistant Director may not further delegate such authority.
(b) Recipient and contents of application
Each application under this section—
(1) shall be made to—
(A) a judge of the court established by section 1803 (a) of this title; or
(B) a United States Magistrate Judge under chapter 43 of title 28, who is publicly designated by
the Chief Justice of the United States to have the power to hear applications and grant orders for
the production of tangible things under this section on behalf of a judge of that court; and
(2) shall include—
(A) a statement of facts showing that there are reasonable grounds to believe that the tangible
things sought are relevant to an authorized investigation (other than a threat assessment)
conducted in accordance with subsection (a)(2) to obtain foreign intelligence information not
concerning a United States person or to protect against international terrorism or clandestine
intelligence activities, such things being presumptively relevant to an authorized investigation if
the applicant shows in the statement of the facts that they pertain to—
(i) a foreign power or an agent of a foreign power;
(ii) the activities of a suspected agent of a foreign power who is the subject of such authorized
investigation; or
(iii) an individual in contact with, or known to, a suspected agent of a foreign power who is the
subject of such authorized investigation; and
(B) an enumeration of the minimization procedures adopted by the Attorney General under
subsection (g) that are applicable to the retention and dissemination by the Federal Bureau of
Investigation of any tangible things to be made available to the Federal Bureau of Investigation
based on the order requested in such application.
(c) Ex parte judicial order of approval
(1) Upon an application made pursuant to this section, if the judge finds that the application meets
the requirements of subsections (a) and (b), the judge shall enter an ex parte order as requested,
or as modified, approving the release of tangible things. Such order shall direct that minimization
procedures adopted pursuant to subsection (g) be followed.
(2) An order under this subsection—
(A) shall describe the tangible things that are ordered to be produced with sufficient particularity
to permit them to be fairly identified;
(B) shall include the date on which the tangible things must be provided, which shall allow a
reasonable period of time within which the tangible things can be assembled and made available;
(C) shall provide clear and conspicuous notice of the principles and procedures described in
subsection (d);
(D) may only require the production of a tangible thing if such thing can be obtained with a
subpoena duces tecum issued by a court of the United States in aid of a grand jury investigation
or with any other order issued by a court of the United States directing the production of records
or tangible things; and
(E) shall not disclose that such order is issued for purposes of an investigation described in
subsection (a).
(d) Nondisclosure
(1) No person shall disclose to any other person that the Federal Bureau of Investigation has
sought or obtained tangible things pursuant to an order under this section, other than to—
(A) those persons to whom disclosure is necessary to comply with such order;
(B) an attorney to obtain legal advice or assistance with respect to the production of things in
response to the order; or
(C) other persons as permitted by the Director of the Federal Bureau of Investigation or the
designee of the Director.
(2)
(A) A person to whom disclosure is made pursuant to paragraph (1) shall be subject to the
nondisclosure requirements applicable to a person to whom an order is directed under this
section in the same manner as such person.
90
(B) Any person who discloses to a person described in subparagraph (A), (B), or (C) of paragraph
(1) that the Federal Bureau of Investigation has sought or obtained tangible things pursuant to an
order under this section shall notify such person of the nondisclosure requirements of this
subsection.
(C) At the request of the Director of the Federal Bureau of Investigation or the designee of the
Director, any person making or intending to make a disclosure under subparagraph (A) or (C) of
paragraph (1) shall identify to the Director or such designee the person to whom such disclosure
will be made or to whom such disclosure was made prior to the request.
(e) Liability for good faith disclosure; waiver
A person who, in good faith, produces tangible things under an order pursuant to this section
shall not be liable to any other person for such production. Such production shall not be deemed
to constitute a waiver of any privilege in any other proceeding or context.
(f) Judicial review of FISA orders
(1) In this subsection—
(A) the term “production order” means an order to produce any tangible thing under this section;
and
(B) the term “nondisclosure order” means an order imposed under subsection (d).
(2)
(A)
(i) A person receiving a production order may challenge the legality of that order by filing a
petition with the pool established by section 1803 (e)(1) of this title. Not less than 1 year after the
date of the issuance of the production order, the recipient of a production order may challenge the
nondisclosure order imposed in connection with such production order by filing a petition to
modify or set aside such nondisclosure order, consistent with the requirements of subparagraph
(C), with the pool established by section 1803 (e)(1) of this title.
(ii) The presiding judge shall immediately assign a petition under clause (i) to 1 of the judges
serving in the pool established by section 1803 (e)(1) of this title. Not later than 72 hours after the
assignment of such petition, the assigned judge shall conduct an initial review of the petition. If
the assigned judge determines that the petition is frivolous, the assigned judge shall immediately
deny the petition and affirm the production order or nondisclosure order. If the assigned judge
determines the petition is not frivolous, the assigned judge shall promptly consider the petition in
accordance with the procedures established under section 1803 (e)(2) of this title.
(iii) The assigned judge shall promptly provide a written statement for the record of the reasons
for any determination under this subsection. Upon the request of the Government, any order
setting aside a nondisclosure order shall be stayed pending review pursuant to paragraph (3).
(B) A judge considering a petition to modify or set aside a production order may grant such
petition only if the judge finds that such order does not meet the requirements of this section or is
otherwise unlawful. If the judge does not modify or set aside the production order, the judge shall
immediately affirm such order, and order the recipient to comply therewith.
(C)
(i) A judge considering a petition to modify or set aside a nondisclosure order may grant such
petition only if the judge finds that there is no reason to believe that disclosure may endanger the
national security of the United States, interfere with a criminal, counterterrorism, or
counterintelligence investigation, interfere with diplomatic relations, or endanger the life or
physical safety of any person.
(ii) If, upon filing of such a petition, the Attorney General, Deputy Attorney General, an Assistant
Attorney General, or the Director of the Federal Bureau of Investigation certifies that disclosure
may endanger the national security of the United States or interfere with diplomatic relations,
such certification shall be treated as conclusive, unless the judge finds that the certification was
made in bad faith.
(iii) If the judge denies a petition to modify or set aside a nondisclosure order, the recipient of
such order shall be precluded for a period of 1 year from filing another such petition with respect
to such nondisclosure order.
(D) Any production or nondisclosure order not explicitly modified or set aside consistent with this
subsection shall remain in full effect.
(3) A petition for review of a decision under paragraph (2) to affirm, modify, or set aside an order
by the Government or any person receiving such order shall be made to the court of review
91
established under section 1803 (b) of this title, which shall have jurisdiction to consider such
petitions. The court of review shall provide for the record a written statement of the reasons for its
decision and, on petition by the Government or any person receiving such order for writ of
certiorari, the record shall be transmitted under seal to the Supreme Court of the United States,
which shall have jurisdiction to review such decision.
(4) Judicial proceedings under this subsection shall be concluded as expeditiously as possible.
The record of proceedings, including petitions filed, orders granted, and statements of reasons for
decision, shall be maintained under security measures established by the Chief Justice of the
United States, in consultation with the Attorney General and the Director of National Intelligence.
(5) All petitions under this subsection shall be filed under seal. In any proceedings under this
subsection, the court shall, upon request of the Government, review ex parte and in camera any
Government submission, or portions thereof, which may include classified information.
(g) Minimization procedures
(1) In general
Not later than 180 days after March 9, 2006, the Attorney General shall adopt specific
minimization procedures governing the retention and dissemination by the Federal Bureau of
Investigation of any tangible things, or information therein, received by the Federal Bureau of
Investigation in response to an order under this subchapter.
(2) Defined
In this section, the term “minimization procedures” means—
(A) specific procedures that are reasonably designed in light of the purpose and technique of an
order for the production of tangible things, to minimize the retention, and prohibit the
dissemination, of nonpublicly available information concerning unconsenting United States
persons consistent with the need of the United States to obtain, produce, and disseminate foreign
intelligence information;
(B) procedures that require that nonpublicly available information, which is not foreign intelligence
information, as defined in section 1801 (e)(1) of this title, shall not be disseminated in a manner
that identifies any United States person, without such person’s consent, unless such person’s
identity is necessary to understand foreign intelligence information or assess its importance; and
(C) notwithstanding subparagraphs (A) and (B), procedures that allow for the retention and
dissemination of information that is evidence of a crime which has been, is being, or is about to
be committed and that is to be retained or disseminated for law enforcement purposes.
(h) Use of information
Information acquired from tangible things received by the Federal Bureau of Investigation in
response to an order under this subchapter concerning any United States person may be used
and disclosed by Federal officers and employees without the consent of the United States person
only in accordance with the minimization procedures adopted pursuant to subsection (g). No
otherwise privileged information acquired from tangible things received by the Federal Bureau of
Investigation in accordance with the provisions of this subchapter shall lose its privileged
character. No information acquired from tangible things received by the Federal Bureau of
Investigation in response to an order under this subchapter may be used or disclosed by Federal
officers or employees except for lawful purposes.
50 USC § 1881 - Definitions
(a) In general
The terms “agent of a foreign power”, “Attorney General”, “contents”, “electronic surveillance”,
“foreign intelligence information”, “foreign power”, “person”, “United States”, and “United States
person” have the meanings given such terms in section 1801 of this title, except as specifically
provided in this subchapter.
(b) Additional definitions
(1) Congressional intelligence committees
The term “congressional intelligence committees” means—
(A) the Select Committee on Intelligence of the Senate; and
(B) the Permanent Select Committee on Intelligence of the House of Representatives.
(2) Foreign Intelligence Surveillance Court; Court
The terms “Foreign Intelligence Surveillance Court” and “Court” mean the court established under
section 1803 (a) of this title.
92
(3) Foreign Intelligence Surveillance Court of Review; Court of Review
The terms “Foreign Intelligence Surveillance Court of Review” and “Court of Review” mean the
court established under section 1803 (b) of this title.
(4) Electronic communication service provider
The term “electronic communication service provider” means—
(A) a telecommunications carrier, as that term is defined in section 153 of title 47;
(B) a provider of electronic communication service, as that term is defined in section 2510 of title
18;
(C) a provider of a remote computing service, as that term is defined in section 2711 of title 18;
(D) any other communication service provider who has access to wire or electronic
communications either as such communications are transmitted or as such communications are
stored; or
(E) an officer, employee, or agent of an entity described in subparagraph (A), (B), (C), or (D).
(5) Intelligence community
The term “intelligence community” has the meaning given the term in section 401a (4) of this title.
50 USC § 1881a - Procedures for targeting certain persons outside the United States other
than United States persons
(a) Authorization
Notwithstanding any other provision of law, upon the issuance of an order in accordance with
subsection (i)(3) or a determination under subsection (c)(2), the Attorney General and the
Director of National Intelligence may authorize jointly, for a period of up to 1 year from the
effective date of the authorization, the targeting of persons reasonably believed to be located
outside the United States to acquire foreign intelligence information.
(b) Limitations
An acquisition authorized under subsection (a)—
(1) may not intentionally target any person known at the time of acquisition to be located in the
United States;
(2) may not intentionally target a person reasonably believed to be located outside the United
States if the purpose of such acquisition is to target a particular, known person reasonably
believed to be in the United States;
(3) may not intentionally target a United States person reasonably believed to be located outside
the United States;
(4) may not intentionally acquire any communication as to which the sender and all intended
recipients are known at the time of the acquisition to be located in the United States; and
(5) shall be conducted in a manner consistent with the fourth amendment to the Constitution of
the United States.
(c) Conduct of acquisition
(1) In general
An acquisition authorized under subsection (a) shall be conducted only in accordance with—
(A) the targeting and minimization procedures adopted in accordance with subsections (d) and
(e); and
(B) upon submission of a certification in accordance with subsection (g), such certification.
(2) Determination
A determination under this paragraph and for purposes of subsection (a) is a determination by the
Attorney General and the Director of National Intelligence that exigent circumstances exist
because, without immediate implementation of an authorization under subsection (a), intelligence
important to the national security of the United States may be lost or not timely acquired and time
does not permit the issuance of an order pursuant to subsection (i)(3) prior to the implementation
of such authorization.
(3) Timing of determination
The Attorney General and the Director of National Intelligence may make the determination under
paragraph (2)—
(A) before the submission of a certification in accordance with subsection (g); or
(B) by amending a certification pursuant to subsection (i)(1)(C) at any time during which judicial
review under subsection (i) of such certification is pending.
(4) Construction
93
Nothing in subchapter I shall be construed to require an application for a court order under such
subchapter for an acquisition that is targeted in accordance with this section at a person
reasonably believed to be located outside the United States.
(d) Targeting procedures
(1) Requirement to adopt
The Attorney General, in consultation with the Director of National Intelligence, shall adopt
targeting procedures that are reasonably designed to—
(A) ensure that any acquisition authorized under subsection (a) is limited to targeting persons
reasonably believed to be located outside the United States; and
(B) prevent the intentional acquisition of any communication as to which the sender and all
intended recipients are known at the time of the acquisition to be located in the United States.
(2) Judicial review
The procedures adopted in accordance with paragraph (1) shall be subject to judicial review
pursuant to subsection (i).
(e) Minimization procedures
(1) Requirement to adopt
The Attorney General, in consultation with the Director of National Intelligence, shall adopt
minimization procedures that meet the definition of minimization procedures under section 1801
(h) of this title or section 1821 (4) of this title, as appropriate, for acquisitions authorized under
subsection (a).
(2) Judicial review
The minimization procedures adopted in accordance with paragraph (1) shall be subject to
judicial review pursuant to subsection (i).
(f) Guidelines for compliance with limitations
(1) Requirement to adopt
The Attorney General, in consultation with the Director of National Intelligence, shall adopt
guidelines to ensure—
(A) compliance with the limitations in subsection (b); and
(B) that an application for a court order is filed as required by this chapter.
(2) Submission of guidelines
The Attorney General shall provide the guidelines adopted in accordance with paragraph (1) to—
(A) the congressional intelligence committees;
(B) the Committees on the Judiciary of the Senate and the House of Representatives; and
(C) the Foreign Intelligence Surveillance Court.
(g) Certification
(1) In general
(A) Requirement
Subject to subparagraph (B), prior to the implementation of an authorization under subsection (a),
the Attorney General and the Director of National Intelligence shall provide to the Foreign
Intelligence Surveillance Court a written certification and any supporting affidavit, under oath and
under seal, in accordance with this subsection.
(B) Exception
If the Attorney General and the Director of National Intelligence make a determination under
subsection (c)(2) and time does not permit the submission of a certification under this subsection
prior to the implementation of an authorization under subsection (a), the Attorney General and the
Director of National Intelligence shall submit to the Court a certification for such authorization as
soon as practicable but in no event later than 7 days after such determination is made.
(2) Requirements
A certification made under this subsection shall—
(A) attest that—
(i) there are procedures in place that have been approved, have been submitted for approval, or
will be submitted with the certification for approval by the Foreign Intelligence Surveillance Court
that are reasonably designed to—
(I) ensure that an acquisition authorized under subsection (a) is limited to targeting persons
reasonably believed to be located outside the United States; and
(II) prevent the intentional acquisition of any communication as to which the sender and all
intended recipients are known at the time of the acquisition to be located in the United States;
94
(ii) the minimization procedures to be used with respect to such acquisition—
(I) meet the definition of minimization procedures under section 1801 (h) or 1821 (4) of this title,
as appropriate; and
(II) have been approved, have been submitted for approval, or will be submitted with the
certification for approval by the Foreign Intelligence Surveillance Court;
(iii) guidelines have been adopted in accordance with subsection (f) to ensure compliance with
the limitations in subsection (b) and to ensure that an application for a court order is filed as
required by this chapter;
(iv) the procedures and guidelines referred to in clauses (i), (ii), and (iii) are consistent with the
requirements of the fourth amendment to the Constitution of the United States;
(v) a significant purpose of the acquisition is to obtain foreign intelligence information;
(vi) the acquisition involves obtaining foreign intelligence information from or with the assistance
of an electronic communication service provider; and
(vii) the acquisition complies with the limitations in subsection (b);
(B) include the procedures adopted in accordance with subsections (d) and (e);
(C) be supported, as appropriate, by the affidavit of any appropriate official in the area of national
security who is—
(i) appointed by the President, by and with the advice and consent of the Senate; or
(ii) the head of an element of the intelligence community;
(D) include—
(i) an effective date for the authorization that is at least 30 days after the submission of the written
certification to the court; or
(ii) if the acquisition has begun or the effective date is less than 30 days after the submission of
the written certification to the court, the date the acquisition began or the effective date for the
acquisition; and
(E) if the Attorney General and the Director of National Intelligence make a determination under
subsection (c)(2), include a statement that such determination has been made.
(3) Change in effective date
The Attorney General and the Director of National Intelligence may advance or delay the effective
date referred to in paragraph (2)(D) by submitting an amended certification in accordance with
subsection (i)(1)(C) to the Foreign Intelligence Surveillance Court for review pursuant to
subsection (i).
(4) Limitation
A certification made under this subsection is not required to identify the specific facilities, places,
premises, or property at which an acquisition authorized under subsection (a) will be directed or
conducted.
(5) Maintenance of certification
The Attorney General or a designee of the Attorney General shall maintain a copy of a
certification made under this subsection.
(6) Review
A certification submitted in accordance with this subsection shall be subject to judicial review
pursuant to subsection (i).
(h) Directives and judicial review of directives
(1) Authority
With respect to an acquisition authorized under subsection (a), the Attorney General and the
Director of National Intelligence may direct, in writing, an electronic communication service
provider to—
(A) immediately provide the Government with all information, facilities, or assistance necessary to
accomplish the acquisition in a manner that will protect the secrecy of the acquisition and produce
a minimum of interference with the services that such electronic communication service provider
is providing to the target of the acquisition; and
(B) maintain under security procedures approved by the Attorney General and the Director of
National Intelligence any records concerning the acquisition or the aid furnished that such
electronic communication service provider wishes to maintain.
(2) Compensation
95
The Government shall compensate, at the prevailing rate, an electronic communication service
provider for providing information, facilities, or assistance in accordance with a directive issued
pursuant to paragraph (1).
(3) Release from liability
No cause of action shall lie in any court against any electronic communication service provider for
providing any information, facilities, or assistance in accordance with a directive issued pursuant
to paragraph (1).
(4) Challenging of directives
(A) Authority to challenge
An electronic communication service provider receiving a directive issued pursuant to paragraph
(1) may file a petition to modify or set aside such directive with the Foreign Intelligence
Surveillance Court, which shall have jurisdiction to review such petition.
(B) Assignment
The presiding judge of the Court shall assign a petition filed under subparagraph (A) to 1 of the
judges serving in the pool established under section 1803 (e)(1) of this title not later than 24
hours after the filing of such petition.
(C) Standards for review
A judge considering a petition filed under subparagraph (A) may grant such petition only if the
judge finds that the directive does not meet the requirements of this section, or is otherwise
unlawful.
(D) Procedures for initial review
A judge shall conduct an initial review of a petition filed under subparagraph (A) not later than 5
days after being assigned such petition. If the judge determines that such petition does not
consist of claims, defenses, or other legal contentions that are warranted by existing law or by a
nonfrivolous argument for extending, modifying, or reversing existing law or for establishing new
law, the judge shall immediately deny such petition and affirm the directive or any part of the
directive that is the subject of such petition and order the recipient to comply with the directive or
any part of it. Upon making a determination under this subparagraph or promptly thereafter, the
judge shall provide a written statement for the record of the reasons for such determination.
(E) Procedures for plenary review
If a judge determines that a petition filed under subparagraph (A) requires plenary review, the
judge shall affirm, modify, or set aside the directive that is the subject of such petition not later
than 30 days after being assigned such petition. If the judge does not set aside the directive, the
judge shall immediately affirm or affirm with modifications the directive, and order the recipient to
comply with the directive in its entirety or as modified. The judge shall provide a written statement
for the record of the reasons for a determination under this subparagraph.
(F) Continued effect
Any directive not explicitly modified or set aside under this paragraph shall remain in full effect.
(G) Contempt of Court
Failure to obey an order issued under this paragraph may be punished by the Court as contempt
of court.
(5) Enforcement of directives
(A) Order to compel
If an electronic communication service provider fails to comply with a directive issued pursuant to
paragraph (1), the Attorney General may file a petition for an order to compel the electronic
communication service provider to comply with the directive with the Foreign Intelligence
Surveillance Court, which shall have jurisdiction to review such petition.
(B) Assignment
The presiding judge of the Court shall assign a petition filed under subparagraph (A) to 1 of the
judges serving in the pool established under section 1803 (e)(1) of this title not later than 24
hours after the filing of such petition.
(C) Procedures for review
A judge considering a petition filed under subparagraph (A) shall, not later than 30 days after
being assigned such petition, issue an order requiring the electronic communication service
provider to comply with the directive or any part of it, as issued or as modified, if the judge finds
that the directive meets the requirements of this section and is otherwise lawful. The judge shall
96
provide a written statement for the record of the reasons for a determination under this
paragraph.
(D) Contempt of Court
Failure to obey an order issued under this paragraph may be punished by the Court as contempt
of court.
(E) Process
Any process under this paragraph may be served in any judicial district in which the electronic
communication service provider may be found.
(6) Appeal
(A) Appeal to the Court of Review
The Government or an electronic communication service provider receiving a directive issued
pursuant to paragraph (1) may file a petition with the Foreign Intelligence Surveillance Court of
Review for review of a decision issued pursuant to paragraph (4) or (5). The Court of Review
shall have jurisdiction to consider such petition and shall provide a written statement for the
record of the reasons for a decision under this subparagraph.
(B) Certiorari to the Supreme Court
The Government or an electronic communication service provider receiving a directive issued
pursuant to paragraph (1) may file a petition for a writ of certiorari for review of a decision of the
Court of Review issued under subparagraph (A). The record for such review shall be transmitted
under seal to the Supreme Court of the United States, which shall have jurisdiction to review such
decision.
(i) Judicial review of certifications and procedures
(1) In general
(A) Review by the Foreign Intelligence Surveillance Court
The Foreign Intelligence Surveillance Court shall have jurisdiction to review a certification
submitted in accordance with subsection (g) and the targeting and minimization procedures
adopted in accordance with subsections (d) and (e), and amendments to such certification or
such procedures.
(B) Time period for review
The Court shall review a certification submitted in accordance with subsection (g) and the
targeting and minimization procedures adopted in accordance with subsections (d) and (e) and
shall complete such review and issue an order under paragraph (3) not later than 30 days after
the date on which such certification and such procedures are submitted.
(C) Amendments
The Attorney General and the Director of National Intelligence may amend a certification
submitted in accordance with subsection (g) or the targeting and minimization procedures
adopted in accordance with subsections (d) and (e) as necessary at any time, including if the
Court is conducting or has completed review of such certification or such procedures, and shall
submit the amended certification or amended procedures to the Court not later than 7 days after
amending such certification or such procedures. The Court shall review any amendment under
this subparagraph under the procedures set forth in this subsection. The Attorney General and
the Director of National Intelligence may authorize the use of an amended certification or
amended procedures pending the Court’s review of such amended certification or amended
procedures.
(2) Review
The Court shall review the following:
(A) Certification
A certification submitted in accordance with subsection (g) to determine whether the certification
contains all the required elements.
(B) Targeting procedures
The targeting procedures adopted in accordance with subsection (d) to assess whether the
procedures are reasonably designed to—
(i) ensure that an acquisition authorized under subsection (a) is limited to targeting persons
reasonably believed to be located outside the United States; and
(ii) prevent the intentional acquisition of any communication as to which the sender and all
intended recipients are known at the time of the acquisition to be located in the United States.
(C) Minimization procedures
97
The minimization procedures adopted in accordance with subsection (e) to assess whether such
procedures meet the definition of minimization procedures under section 1801 (h) of this title or
section 1821 (4) of this title, as appropriate.
(3) Orders
(A) Approval
If the Court finds that a certification submitted in accordance with subsection (g) contains all the
required elements and that the targeting and minimization procedures adopted in accordance
with subsections (d) and (e) are consistent with the requirements of those subsections and with
the fourth amendment to the Constitution of the United States, the Court shall enter an order
approving the certification and the use, or continued use in the case of an acquisition authorized
pursuant to a determination under subsection (c)(2), of the procedures for the acquisition.
(B) Correction of deficiencies
If the Court finds that a certification submitted in accordance with subsection (g) does not contain
all the required elements, or that the procedures adopted in accordance with subsections (d) and
(e) are not consistent with the requirements of those subsections or the fourth amendment to the
Constitution of the United States, the Court shall issue an order directing the Government to, at
the Government’s election and to the extent required by the Court’s order—
(i) correct any deficiency identified by the Court’s order not later than 30 days after the date on
which the Court issues the order; or
(ii) cease, or not begin, the implementation of the authorization for which such certification was
submitted.
(C) Requirement for written statement
In support of an order under this subsection, the Court shall provide, simultaneously with the
order, for the record a written statement of the reasons for the order.
(4) Appeal
(A) Appeal to the Court of Review
The Government may file a petition with the Foreign Intelligence Surveillance Court of Review for
review of an order under this subsection. The Court of Review shall have jurisdiction to consider
such petition. For any decision under this subparagraph affirming, reversing, or modifying an
order of the Foreign Intelligence Surveillance Court, the Court of Review shall provide for the
record a written statement of the reasons for the decision.
(B) Continuation of acquisition pending rehearing or appeal
Any acquisition affected by an order under paragraph (3)(B) may continue—
(i) during the pendency of any rehearing of the order by the Court en banc; and
(ii) if the Government files a petition for review of an order under this section, until the Court of
Review enters an order under subparagraph (C).
(C) Implementation pending appeal
Not later than 60 days after the filing of a petition for review of an order under paragraph (3)(B)
directing the correction of a deficiency, the Court of Review shall determine, and enter a
corresponding order regarding, whether all or any part of the correction order, as issued or
modified, shall be implemented during the pendency of the review.
(D) Certiorari to the Supreme Court
The Government may file a petition for a writ of certiorari for review of a decision of the Court of
Review issued under subparagraph (A). The record for such review shall be transmitted under
seal to the Supreme Court of the United States, which shall have jurisdiction to review such
decision.
(5) Schedule
(A) Reauthorization of authorizations in effect
If the Attorney General and the Director of National Intelligence seek to reauthorize or replace an
authorization issued under subsection (a), the Attorney General and the Director of National
Intelligence shall, to the extent practicable, submit to the Court the certification prepared in
accordance with subsection (g) and the procedures adopted in accordance with subsections (d)
and (e) at least 30 days prior to the expiration of such authorization.
(B) Reauthorization of orders, authorizations, and directives
If the Attorney General and the Director of National Intelligence seek to reauthorize or replace an
authorization issued under subsection (a) by filing a certification pursuant to subparagraph (A),
that authorization, and any directives issued thereunder and any order related thereto, shall
98
remain in effect, notwithstanding the expiration provided for in subsection (a), until the Court
issues an order with respect to such certification under paragraph (3) at which time the provisions
of that paragraph and paragraph (4) shall apply with respect to such certification.
(j) Judicial proceedings
(1) Expedited judicial proceedings
Judicial proceedings under this section shall be conducted as expeditiously as possible.
(2) Time limits
A time limit for a judicial decision in this section shall apply unless the Court, the Court of Review,
or any judge of either the Court or the Court of Review, by order for reasons stated, extends that
time as necessary for good cause in a manner consistent with national security.
(k) Maintenance and security of records and proceedings
(1) Standards
The Foreign Intelligence Surveillance Court shall maintain a record of a proceeding under this
section, including petitions, appeals, orders, and statements of reasons for a decision, under
security measures adopted by the Chief Justice of the United States, in consultation with the
Attorney General and the Director of National Intelligence.
(2) Filing and review
All petitions under this section shall be filed under seal. In any proceedings under this section, the
Court shall, upon request of the Government, review ex parte and in camera any Government
submission, or portions of a submission, which may include classified information.
(3) Retention of records
The Attorney General and the Director of National Intelligence shall retain a directive or an order
issued under this section for a period of not less than 10 years from the date on which such
directive or such order is issued.
(l) Assessments and reviews
(1) Semiannual assessment
Not less frequently than once every 6 months, the Attorney General and Director of National
Intelligence shall assess compliance with the targeting and minimization procedures adopted in
accordance with subsections (d) and (e) and the guidelines adopted in accordance with
subsection (f) and shall submit each assessment to—
(A) the Foreign Intelligence Surveillance Court; and
(B) consistent with the Rules of the House of Representatives, the Standing Rules of the Senate,
and Senate Resolution 400 of the 94th Congress or any successor Senate resolution—
(i) the congressional intelligence committees; and
(ii) the Committees on the Judiciary of the House of Representatives and the Senate.
(2) Agency assessment
The Inspector General of the Department of Justice and the Inspector General of each element of
the intelligence community authorized to acquire foreign intelligence information under subsection
(a), with respect to the department or element of such Inspector General—
(A) are authorized to review compliance with the targeting and minimization procedures adopted
in accordance with subsections (d) and (e) and the guidelines adopted in accordance with
subsection (f);
(B) with respect to acquisitions authorized under subsection (a), shall review the number of
disseminated intelligence reports containing a reference to a United States-person identity and
the number of United States-person identities subsequently disseminated by the element
concerned in response to requests for identities that were not referred to by name or title in the
original reporting;
(C) with respect to acquisitions authorized under subsection (a), shall review the number of
targets that were later determined to be located in the United States and, to the extent possible,
whether communications of such targets were reviewed; and
(D) shall provide each such review to—
(i) the Attorney General;
(ii) the Director of National Intelligence; and
(iii) consistent with the Rules of the House of Representatives, the Standing Rules of the Senate,
and Senate Resolution 400 of the 94th Congress or any successor Senate resolution—
(I) the congressional intelligence committees; and
(II) the Committees on the Judiciary of the House of Representatives and the Senate.
99
(3) Annual review
(A) Requirement to conduct
The head of each element of the intelligence community conducting an acquisition authorized
under subsection (a) shall conduct an annual review to determine whether there is reason to
believe that foreign intelligence information has been or will be obtained from the acquisition. The
annual review shall provide, with respect to acquisitions authorized under subsection (a)—
(i) an accounting of the number of disseminated intelligence reports containing a reference to a
United States-person identity;
(ii) an accounting of the number of United States-person identities subsequently disseminated by
that element in response to requests for identities that were not referred to by name or title in the
original reporting;
(iii) the number of targets that were later determined to be located in the United States and, to the
extent possible, whether communications of such targets were reviewed; and
(iv) a description of any procedures developed by the head of such element of the intelligence
community and approved by the Director of National Intelligence to assess, in a manner
consistent with national security, operational requirements and the privacy interests of United
States persons, the extent to which the acquisitions authorized under subsection (a) acquire the
communications of United States persons, and the results of any such assessment.
(B) Use of review
The head of each element of the intelligence community that conducts an annual review under
subparagraph (A) shall use each such review to evaluate the adequacy of the minimization
procedures utilized by such element and, as appropriate, the application of the minimization
procedures to a particular acquisition authorized under subsection (a).
(C) Provision of review
The head of each element of the intelligence community that conducts an annual review under
subparagraph (A) shall provide such review to—
(i) the Foreign Intelligence Surveillance Court;
(ii) the Attorney General;
(iii) the Director of National Intelligence; and
(iv) consistent with the Rules of the House of Representatives, the Standing Rules of the Senate,
and Senate Resolution 400 of the 94th Congress or any successor Senate resolution—
(I) the congressional intelligence committees; and
(II) the Committees on the Judiciary of the House of Representatives and the Senate.
100
Appendix II: text on procurement law by R. Westerdijk
101