The use of cloud computing services is growing at an unprecedented rate, and brings with it concerns over the security of personal data stored on cloud servers. A recent study by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”) argues that the main issue arising from the growing use of cloud computing is the loss of control over the security of individuals’ personal data. This is because control over personal data security is exercised solely by the cloud storage provider, with individual web users often having no knowledge or understanding of the security measures in place.
The study’s authors emphasise that cloud computing contributes to the growth of cross-border data transfers and poses major challenges to EU policy makers regarding combatting cybercrime and protecting citizens’ privacy. Alarmingly for EU citizens, the study warns that “mass surveillance” of non-U.S. citizens’ data stored in the cloud, including through services such as Apple iCloud and Google Drive, is permitted through the controversial Foreign Intelligence Surveillance Act Amendment Act (“FISAAA”), which became law in early January 2013. Any data relating to U.S. foreign policy, stored on popular U.S.-based cloud servers, can be appropriated by U.S. authorities without prior consent, warning or indeed a warrant, as FISAAA “expressly permits purely political surveillance”.
Although U.S. authorities will likely only target organisations engaging in activities that are unlawful or potentially against U.S. interests, such as those associated with activists, protestors or political groups, the law represents a significant risk to EU privacy as it still permits U.S. law enforcement agencies power to access any EU data based on U.S. cloud servers. It is vital for EU consumers to consider carefully in which jurisdiction to store their data so as to ensure the greatest level of protection.
The Committee suggests introducing a legal definition of cybercrime and clarifying the legal concepts of “jurisdiction”, “data processor” and “data controller” in relation to cloud computing within the EU. This is to allow for better understanding of its scope and permit easier measurement of the costs associated with cyber incidents. The study recommends that all EU citizens be made aware of any exposure of their sensitive data to third-country surveillance. This is because uninformed exposure could have a fundamental impact on individuals’ rights to respect for private and family life, enshrined in the European Charter for Fundamental Rights.