In July 2020, the Court of Justice of the European Union (CJEU) struck down the 2016 EU-U.S. Privacy Shield. The Privacy Shield was designed to protect European data transfers to the U.S. With this ruling, one thing becomes clear. The U.S. must respect the rights of foreign citizens to preserve and grow its leadership in the cloud sector. U.S. surveillance regulations like FISA 702 and the CLOUD Act undermine its own economic interests and breed mistrust between the U.S. and its allies. Leading U.S. cloud providers will lose ground because of these regulations. America needs to take a hard look at how it can maintain global trust in its cloud services.
Amazon Web Services, Google Cloud and Microsoft Azure, three leading U.S. cloud providers, all fall under the definition of ‘electronic communications service providers.’ This means that they must comply with the Foreign Intelligence Surveillance Act (FISA), enacted to regulate U.S. surveillance of communications for foreign surveillance purposes. Specifically, Section 702 of FISA authorizes the acquisition of foreign intelligence about non-U.S. persons located outside of the U.S. FISA 702 also has no territorial limitations, meaning servers operated by U.S. cloud providers in the EU fall under its purview. In other words, personal data of non-U.S. citizens may be subject to surveillance by U.S. intelligence agencies, understandably causing concern for EU regulators. In its ruling to shutter data transfers between EU entities and U.S. cloud providers, the CJEU declared that there is a clash between EU privacy law and U.S. surveillance law, citing FISA Section 702 as evidence. It mandated that EU entities using U.S. cloud services must switch “service providers” to those in the EU or in a country with “adequate protections.” This mandate effectively put an end to the transfer of EU data to U.S. cloud providers. Currently, the top 4 cloud providers in the EU are all American (AWS, Microsoft, Google, and IBM), and shuttering their services in the EU would be catastrophic for their business, especially considering their major infrastructure investments into the EU.
To remedy its privacy concerns, the EU has embarked on an ambitious cloud project called Gaia-X. The project is a collaboration between the European Commission, Germany, France, and various other organizations. While not designed as a direct competitor to U.S. clouds, Gaia-X hopes to create a unified ecosystem of cloud services protected by European data laws. This initiative is especially promising for EU homegrown cloud services and for companies wishing to lower their costs of complying with the GDPR and the CJEU ruling. Prior to the July ruling, Gaia-X was not considered a serious contender against well-established U.S. cloud providers. However, the recent mandate has given its development considerable momentum, showing just how noxious U.S. surveillance regulations are to U.S. interests.
In data privacy negotiations between the U.S. and the EU, debate over U.S. federal privacy laws and surveillance oversight has been a hot topic. Several op-eds have already commented on how the U.S. should respond to the CJEU’s ruling, with suggestions ranging from aggressive U.S. government pushback to “immediate negotiations on a successor agreement.” It is a delicate balance between allowing EU citizens to have redress against U.S. surveillance and tipping off terrorists. But whatever a future transatlantic agreement may hold, it must respect the rights of citizens of another sovereign nation, the absolute basis of cooperation and collaboration. National security concerns over intelligence collection may be paramount, but they are empty without trust between allied nations. Pragmatically, a future model where U.S. technological prowess in cloud computing is not lorded over the rights of foreign citizens may not only help U.S. cloud providers find better success in expansion, but also foster more bilateral cooperation in counterterrorism. It is the perfect opportunity for the U.S. to solidify its leadership in cloud, backed by the good faith necessary to handle personal data.
The economic benefits bestowed by leading the cloud revolution are vast, and its potential benefits to U.S. foreign policy are enormous as well. The July ruling to strike down the EU-U.S. Privacy Shield serves as a wake-up call to re-examine how the cloud fits into U.S. diplomatic designs and furthers important national missions like counterterrorism. The U.S. is well positioned to regain the trust lost after the Snowden revelations. It is also capable of doing much more.
Tianjiu Zuo is from Hong Kong and is studying Public Policy and Economics.