Online data storage is on a roll. The market leaders are, of course, American. With providers such as Google Drive, iCloud and Dropbox, companies from across the Atlantic are leading the way.
However, although their services are of the highest quality, it’s not certain that their nationality is the only reason why. Storing your company’s data online with American service providers could be a serious mistake.
The United States is the world’s leading power, whether in military, economic or industrial terms. In so doing, its government arrogates to itself prerogatives that it has every power to impose on the entire international community.
In this case, American laws such as the Patriot Act and the Cloud Act are the armed wing of a governance policy applied to non-American citizens. In other words, depending on your choices, the American administration and judiciary have authority over you and your data.
You might think that the United States of America, as the world’s leading democracy, has the best political system, particularly in its theory and constitutional practice of checks and balances. In other words, the most accomplished separation of powers, so cherished by state theorists such as Montesquieu.
The reality is not quite that. The mass surveillance laws implemented by the United States since the second half of the 20th century, culminating in the Cloud Act of 2018, seem not only contrary to their constitution, but also to the classic vision of the rule of law. In other words, any other state implementing such legislation would probably immediately be branded a police state.
For, in addition to the Patriot Act and the Cloud Act, the United States’ legal arsenal is still based on a law and a presidential decree: the Foreign Intelligence Surveillance Act and the Executive Order. In the light of these legal texts, we’re going to explain why storing your data in a Cloud managed by an American company is a risky choice. To do this, we’ll look at the legislation that will apply to you once you’ve decided to take the plunge.
What is the Patriot Act and how does its extraterritoriality work?
The Patriot Act is an American homeland security law, passed just 45 days after the September 11, 2001 attacks. In other words, it was passed in great haste by a Congress still traumatized by the events in New York.
The result is a blank check given to police authorities to carry out investigations. Why should this be? Because, although a judge’s warrant is required, he or she can no longer object on the grounds of lack of “probable cause”.
As a result, all your data can be seized without you even knowing about it, or a U.S. judge being able to object. Don’t think the U.S. Constitution is much help, because according to the U.S. Department of Justice, the Patriot Act merely codifies jurisprudential practices already recognized by the Supreme Court.
In 1979, for example, it ruled that the argument that secret searches were unconstitutional was “frivolous”. Twelve years earlier, it had already ruled that police officers were not obliged to inform the respondent of the reason(s) for a search.
Nevertheless, what is new about the Patriot Act, for a French or European company, is its extraterritorial application. In other words, from the moment your business is suspected of having links with a terrorist individual or group threatening American territory or its interests, the whole administrative arsenal can be set in motion against you.
Don’t think you can get away with it, even if you have no intention of forming links with terrorist groups, or with a client whose radical ideas you may have missed. As we shall see, the practical application of the Patriot Act is far less clear-cut than it seems. Before that, let’s take a look at another security counterpart: the Cloud Act.
What is the Cloud Act?
The Cloud Act was passed in 2018, in order to strengthen the free access of US authorities to the data of users of online data storage solutions.
Officially, it is presented by the Department of Justice as allowing the authorities of third-party states to request any American company hosting data, with the aim of taking cognizance of it as part of criminal proceedings.
In more detail, it enables any US administration to obtain data on any user, as long as it is :
– stored in the United States,
– or stored by an American company in any country in the world,
– all without anyone knowing about it, apart from the requested company and the relevant government department.
This latest piece of U.S. legislation is not the only tool at the service of the U.S. government.
What is the Foreign Intelligence Surveillance Act (FISA)?
The FISA was passed in 1978 by a Congress wishing to regulate the surveillance practices of federal authorities. Like the Patriot Act, it was intended to codify existing practices.
Section 702, added in 2008, obliges US companies to facilitate the targeted surveillance of a person outside US territory.
In particular, this law targets non-American citizens suspected of possessing, receiving or communicating information of interest to counter-espionage. Like the Patriot Act, it is officially aimed at combating international terrorism.
Executive Order 12333
Executive Order 12333, signed by Ronald Reagan in 1981, is, as the Washington Post points out, a document offering even greater possibilities than those of the Patriot Act in section 215.
This time, however, Executive Order 12333 applies only to US citizens living abroad. This means that American intelligence agencies will still be able to dip into your data if they are interested in one of your American customers.
Under this decree, all data seized by American intelligence agencies is done so without any warrant, and therefore without any control by a judge, or even Congress.
As you can see, the law is not always the guarantee of the weakest against the power of the strongest. It is far from always protecting individual freedoms or, more broadly, public liberties as a whole. Especially when we come to consider its application, and therefore its interpretation.
The law only exists through its interpretation
Understanding the law can never be achieved by simply reading a law. Why not? Because literal application is always impossible. In other words, to understand the scope of a legal text, you need to understand its application. This is the problem posed by the American Patriot Act and Cloud Act.
When the Patriot Act refers to “suspicious activity”, how is such activity defined? What does this concept cover? It’s a matter of interpretation whether a particular activity qualifies as suspicious. The problem is that each administration interprets the law in its own way, and in total secrecy.
This means that once your data has been stored by an American company, all your data is accessible at the discretion of administrations such as the CIA, the NSA and the Treasury, to name but a few. Boring, isn’t it? And don’t think you’re immune from investigation just because you’re not a criminal or a terrorist.
The main purpose of this legal arsenal is not to hunt down terrorists, but to distort free competition. You thought the United States was the paragon of free trade? You were wrong.
Besides, data collection isn’t just about customer data. It’s not for nothing that the U.S. Treasury is also interested in data capture. The FCPA will show you that storing your digital data can definitely cost you.
The FCPA act, or the new tax for non-American companies
The Foreign Corrupt Practice Act (FCPA), passed in 1977, enables the American justice system to order companies to pay considerable sums in penalties. In 2014, Alstom paid $772 million, Siemens $800 million in 2008, Daimler $185 million in 2010, and Alcatel-Lucent $137 million in 2010. These are just a few of the larger amounts.
How do you think evidence is gathered? By any means, including the data you have in your Cloud. If you think you’re safe because you don’t have subsidiaries or employees in the United States, you should know that the FCPA applies as soon as American interests are at stake. Here again, the notion of “US interests” is open to interpretation, and it’s not yours that matters.
In the light of all this information on American legislation, the option of a Cloud managed by a French or European company, on European territory, seems more than interesting. However, it remains necessary to take stock of the famous RGPD.
The RGPD, in the light of French and European law
The General Data Protection Regulation (RGPD), was adopted by the European Union to guarantee the security of data that users entrust on the Internet to companies operating on European soil.
It’s important to look at the obligations placed on the company responsible for processing its users’ data, as well as the related sanctions, before understanding its articulation in data transfer, particularly to the United States.
The obligations of the data controller
In particular, the RGPD ensures that children’s rights are upheld in the context of data collection. While the collection of data relating to a child under the age of 13 is still prohibited, it is only permitted, for children aged 13 to 16, with parental authorization, and if it concerns a service directly intended for children.
The RGPD also requires the data controller to collect only data that is strictly necessary for the purpose for which it was collected, and to ensure that it can erase data at the request of the data subject.
Compliance with all the obligations imposed by the RGPD may result in the award of a certificate by the supervisory authority. This certificate is valid for a renewable period of three years.
For more information on the details of the RGPD, the CNIL (commission nationale de l’informatique et des libertés) has posted a guide aimed at very small businesses (VSEs) and small and medium-sized enterprises (SMEs). This guide will teach you how to draw up a list of your files, sort your data and secure them.
In the event of failure to comply with the obligations laid down by the RGPD, the company at fault exposes itself to very heavy financial penalties.
Penalties applicable in the event of failure to comply
As far as France is concerned, the CNIL takes up a case in three ways:
– following a user complaint directly on the CNIL website,
– following an inspection of the website or company,
– following a data breach.
The CNIL then has a full range of sanctions at its disposal, from a public announcement on Légifrance and the CNIL website, to a financial penalty of up to 20,000,000 euros or 4% of worldwide sales for the previous financial year.
For example, the CNIL fined Google 150 million euros for its Cookies policy on Google and Youtube. The CNIL criticized the American company for not allowing users to refuse cookies with the same ease as accepting them.
On the same day, December 31, 2021, the CNIL also sanctioned Facebook to the tune of 60 million euros for reasons similar to those that led to Google’s sanction.
These heavy sanctions alone highlight the importance of the issue of data protection in Europe. However, in a globalized world where, particularly on the Internet, all networks penetrate each other, the sharing of data makes the articulation of data protection somewhat complex.
From Privacy Shield to Shrem II, the judge becomes the guardian of personal data
Data collected in Europe may be transferred to third countries. This is particularly the case between Europe and the United States, when a parent company transfers personal data to a subsidiary or to another server.
From 2016 to 2020, the regulations applicable to this transfer of data from the European Union to the United States were framed by the Privacy Shield. This was a bilateral treaty that offered guarantees to European users regarding the processing of their personal data in the United States.
However, this guarantee of data protection was not as effective on the American side as the treaty would have us believe. An Austrian lawyer by the name of Schrem took Facebook Ireland to court, arguing that his personal data, which was transferred in whole or in part to the USA, was not protected in the same way as that of all users of the social network.
The Court of Justice of the European Union, in a ruling known as Schrems II, found in favor of the plaintiff and thus put an end to the Privacy Shield. The ruling’s main arguments concern the ease of access to transferred personal data for the American public authorities and their intelligence services.
Within France itself, associations have risen up against the government’s data collection. For example, the Conseil d’Etat had to rule on the partnership between the French government and the Doctolib platform for vaccination appointments against Covid 19.
The Conseil d’Etat dismissed the associations’ claim, after verifying the quality of data security, on the grounds that no medical data was collected.
In a similar vein, associations such as La Quadrature du Net brought an action before the Conseil d’Etat against the decree of February 25, 2011, requiring ISPs to retain digital data.
The administrative judges rejected their arguments on grounds relating to national security, the defense of the nation’s fundamental interests, and the fight against crime.
However, it is not possible for European law enforcement agencies to requisition an ISP or a company without the prior authorization of a magistrate. It is the latter who assesses the usefulness of such a request in the context of the investigations on which the investigators report to him.
Conclusion
In conclusion, the situation in Europe with regard to data processing and access to such data by public authorities, whether under the jurisdiction of the Ministries of the Interior or Justice of the Member States of the European Union, is highly regulated. In Europe, there are no laws comparable to those in the USA.
Consequently, if a company wishes to store data online via Cloud solutions, it is important to select a European service provider storing its data on European soil.
In this case, it is also important to check that the company does not send the data to a subsidiary based in a country outside the European Union, especially the USA. In this way, it will be very difficult for US extraterritorial laws to apply to a company that has no links with this territory.
Storing data via American companies opens the door to industrial espionage and unfair competition practices of the highest order. As we’ve seen with Siemens, Alcatel-Lucent and Alstom, the US government, backed by the courts, will stop at nothing to weaken the competition these companies face.
So let’s not beat ourselves into the ground.
