US authorities could use the renewed Foreign Intelligence and Surveillance Amendments Act (FISAA) to access data that European users have stored on US-based social media sites, an EU study cautions.
Internet users love their freedom, and being able to access data from anywhere is part of that. Cloud computing services have helped make this possible. Under some cloud computing systems, users are able to store and later access data on a hard drive in cyberspace. But most users don't know where the data is stored, and the country in which the server is located seems to matter even less to them. That could change.
A study commissioned by the Europan Union found that the data EU citizens have stored on US servers is not protected from access by a third party. US authorities are legally allowed to access the data, in the name of the Patriot Act, according to experts from the Center for the Study of Conflicts and the Center for European Policy Studies, who were commissioned to do the study.
"This study is absolutely not about generating panic," ensured the Green party Member of the European Parliament (MEP) Jan Philipp Albrecht, commenting on the report. "It's a simple fact that the US data protection law only applies to US citizens," he said.
But, there are special laws that target the surveillance of non-US citizens, he added. "This happens when sensitive data from big companies, like Microsoft, Amazon, Twitter and Facebook, are made available to US authorities for investigations," Albrecht explained.
In the name of the Patriot Act and FISAA
Part of the basis for the USA's extensive security laws is terrorism prevention. In the aftermath of the September 11 attacks, US lawmakers granted security authorities sweeping powers with the new Patriot Act and with a revision of the existing Foreign Intelligence Surveillance Amendment Act (FISAA). The EU-commissioned report, titled "Fighting cyber crime and protecting privacy in the cloud," suggests that FISAA could have troubling implications for international users' privacy.
"The long arm of US law stretches as far as Europe," said Thilo Weichert, data protection commissioner for the northern German state of Schleswig-Holstein.
He has been following the effects of this development closely for more than two years, while pushing Facebook to allow its users to remain anonymous.
Weichert believes US companies, like Microsoft, could be forced by their own security authorities to disclose data stored on servers in Europe. And this data could, for example, play a role in economic espionage.
But it's not just the secrets of large corporations that could be revealed. Individual users are also targeted by investigators, according to Weichert. "The data could play a role on the outcome of a visa application," he said.
Suspicious individuals could also be reported by US law enforcement to EU authorities. "You can't even begin to figure out what happens to this data," Weichert concluded.
Impact on data protection rules
The fears that Weichert brings up are taken very seriously in the European Parliament. MEPs are working on a revision of EU data protection regulations.
Green MEP Albrecht proposes that businesses only pass on the data of EU citizens when it is covered by a so-called mutual legal assistance agreement. But he is skeptical about the implementation because there are many in Europe who benefit from the surveillance activities of the US.
"European intelligence services and the police are of course happy to be provided data on European citizens by the US. They could not obtain this data under European law," he explained.
The adoption of the data protection act is planned for 2014, at the earliest. For now, Jan Philipp Albrecht advises users to store their data on Europe-based cloud computing services.