However, if U.S. federal authorities requested foreign citizen data, those citizens would not receive protection under the Fourth Amendment, nor would they receive any protection from the ECPA or the SCA. "The position remains that if a person whose records have been requested is not a U.S. person and is not located in the United States, he cannot invoke the protection of the Fourth Amendment," the research states.
The academics warn that, while in some cases contracts can be offered to cloud customers, these do not override judicial requests by third countries. "The possibility that foreign governments request information is a risk that cannot be eliminated by contractual guarantees."
Did EU laws ever protect against third country snooping?
The EU's Data Protection Directive of 1995 states that EU personal data may be transferred outside the 27 member state bloc only if the transferring country provides guarantees that the data will be given an adequate level of protection.
Data stored in the European Union freely flows to the U.S. so long as the company or government department receiving the data adheres to the EU's Safe Harbor Principles, which were set up between the U.S. government and the European Union after the EU data and privacy laws were first ratified in 1995. The Safe Harbor Principles help U.S. recipients of EU data observe basic EU data protection rules in order to prevent data loss or accidental data disclosure by U.S. companies receiving such data.
The Patriot Act, signed into law in 2001, granted some new powers to U.S. authorities, but it was mainly a "framework law" that amended and strengthened a variety of older laws, such as FISA and ECPA. The 2001 act has since been amended numerous times to extend its powers. FISA, which enables authorities to acquire cloud-stored data in foreign countries and jurisdictions, was first signed into law in 1978, and has also been amended numerous times to keep up to date with current technological trends.
While suggesting that the Patriot Act has bypassed the protection of European data by the EU Data Protection Directive, allowing data to be potentially transferred outside the EU via a U.S.-based company, one former U.S. government lawyer noted that the Patriot Act did not substantially change how the U.S. government acquires data for intelligence purposes.
ZDNet's report suggests that the Patriot Act has "negated" the protection of European data by the EU Data Protection Directive, allowing data to be potentially transferred outside the EU via a U.S.-based company. Politicians in the European Union raised questions over laws that may affect their own nation's legal system.
Cunningham told CBS News that with appropriate judicial or other government procedures, "U.S. law enforcement and security authorities remain, as they were before the Patriot Act, able to lawfully collect both the substance of electronic communications and telephone toll, e-mail, and other business records, both of U.S. persons and those of other countries, without resort to mutual legal assistance or other international agreements and procedures."
"This is particularly true when such data is held by companies physically located in, or with substantial business connections to, the United States," he continues.
U.K., Netherlands raise concerns over cloud legal issues
The issues related to FISA and the Patriot Act notwithstanding, there are already existing agreements and data-sharing arrangements between EU member states and nonmember states such as the U.S. Without them, most Europeans would not be allowed to even step on an airplane bound for the U.S.
Mutual legal assistance (MLA) agreements that conform to EU data protection and privacy laws exist between various nations, in order to assist countries both within and outside the 27 member state bloc with criminal investigations. For instance, the U.S., Australia, or any other country with an MLA agreement with the Netherlands can request data on a Dutch citizen, just as the Netherlands can in return request data on that country's citizens.
"If U.S. government agencies have no jurisdiction over an entity operating in the Netherlands, they may submit a request for mutual assistance under such agreements," the researchers state.
But in the borderless cloud, in which activities are in the U.S., there is "no clear obligation under U.S. law for the U.S. government to rely on such agreements when seeking access to data on non-U.S. persons."
Also, passenger name record (PNR) data-sharing agreements between the EU and Australia, Canada, and the U.S. not only allow citizens to travel between those countries but also help those authorities fight transnational crime.
PNR data includes personal and sensitive citizen data, such as name, gender, date of birth, and nationality. It can also include "racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or [information] concerning the health or sex life" of the person in question, according to the European Commission, but the report notes that PNR data "rarely contain sensitive data of this kind."
When the EU-U.S. PNR agreement came up for renewal, in 't Veld was appointed the "rapporteur," or the person chosen by the European Parliament to investigate the agreement. After many months of negotiations, with the previously debated EU-Australia PNR agreement set as, in her words, an "acceptable" agreement, in 't Veld ultimately recommended that the European Parliament reject the EU-U.S. PNR deal, citing privacy fears relating to the disclosure of EU citizen data to U.S. authorities.
"The U.S. may also use the data for other, less-explicitly defined purposes such as immigration and border controls," in 't Veld warned in her findings.