Can EU Startups Use US-based Cloud Platforms?

Cloud storage providers are becoming increasingly in demand, with companies like Dropbox growing at a fast pace. There are providers available around the world, with some in more reputable countries than others.

The EU, however, has some relatively strict rules around what countries data is able to be stored in and those countries must have data protection laws in place that are similar to what the EU has.

US-based cloud storage platforms generally don't meet these requirements, but there are safe harbor laws that currently make allowances for inadequate protections. However, EU law is in the process of being amended, and these safe harbor laws may not be around for much longer.

Let's take a look at what the laws are in the EU and in the US, and what changes may be coming in the near future.

Data protection law in the EU

The law in the EU is currently the Data Protection Directive 1995. The Data Protection Directive (the Directive) set out a number of data protection principles that are required to be followed by EU countries.

These data collection principles are:

• Customers must be notified when you are collecting their data;
• Personal data should only be collected for specific (and lawful) purposes;
• The data collected should be adequate and relevant for the purpose;
• Personal data should be accurate and kept up to date;
• Personal data should not be kept for longer than necessary;
• Appropriate security measures should be put in place;
• Personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory also ensures an adequate level of protection for that data.

The EU countries implement the Directive by putting in place local laws.

For example, in the UK this is covered by the Data Protection Act 1998, and in France this is covered by Act No. 78-17 of 6 January 1978 Concerning Information Technology, Files and Civil Liberties.

Let's take a look at Article 25 of the Directive.

This is the section that sets out that Member States (i.e. EU countries) shall only transfer the personal data of EU citizens to another country if that country ensures an "adequate level of protection" for the data, "assessed in the light of all the circumstances".

One of the factors is the rules of law in force in that country.

However, new EU new law is coming into place, the EU Data Protection Regulation (the Regulation).

This Regulation is intended to cover the whole EU region, rather than a patchwork of rules in each individual country. This is intended to make easier for SMBs to operate within the region without having to understand and comply with numerous different sets of rules.

The Regulation will bring in large changes, such as requiring businesses to have a Data Protection Officer (to ensure that the business complies with the Regulation); applying to all companies and organizations that deal with the data of EU citizens (which means that the Regulation will apply to a much broader area than just the EU); and increasing fines and sanctions for those in breach of the Regulation.

Here's an excerpt from a Privacy Policy from Timberland UK:

Let's take a look at the US in comparison.

Data protection law in the US

The first major difference between the US and the EU is that the US currently has no overarching law on data protection or online privacy at all.

The US has three main pieces of legislation that cover data protection: HIPAA, COPPA, and CalOPPA.

• HIPAA is the Health Insurance Portability and Accountability Act.
• COPPA is the Children's Online Privacy Protection Act.
• And CalOPPA is the California Online Privacy Protection Act.

This means that effectively if you're not dealing with a user's health information, they're not a child, and they're not in California, they have no legislative protection for their data privacy online whatsoever. While this makes things easier for many US businesses, with the EU Regulation's broader reach it may mean that these businesses are now captured and need to comply with more laws than they are used to.

CalOPPA is the most useful privacy protection law for users online in the US, as even if a business is not in California, they need to comply if they have Californian users.

For websites and e-commerce stores, many of their customers will be US-wide or even international, which means the owners of these websites need to comply.

CalOPPA requires the operator of a website (such as a cloud storage SaaS platform site) to post a distinctive and easily found link to its Privacy Policy. This Privacy Policy agreement must outline:

• The kinds of information gathered by the website;
• How the information may be disclosed to other parties;
• The process the user can use to review and make changes to their stored information; and
• The effective date of the policy and any changes since then.

This is what an CalOPPA-compliant Privacy Policy looks like, from Disney:

As you can see, the US privacy protections in place are piecemeal at best and are extremely light when compared to the protections currently available in the EU.

This causes some issues for EU businesses wanting to use US-based cloud storage, particularly given that the EU requires that personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory also ensures an adequate level of protection for that data.

Based on the comparison between EU and US law, it's clear that the US does not meet this standard. So are there any solutions?

The main solution in place currently is called the Safe Harbor. Let's take a look.

Safe Harbor

The US-EU Safe Harbor Program is important for bridging the gap between EU and US data protection standards. Participation in the program in the US is limited to businesses and organizations that fall under Federal Trade Commission (FTC) jurisdiction.

The Safe Harbor means that those organizations and businesses who are members are all deemed to provide adequate privacy protection to meet both US and EU standards, even if they don't actually meet those standards.

It also means that all claims brought by EU citizens against US organizations or businesses will be heard in the US. This makes things easier for US businesses, but harder for EU citizens.

In 2013, in preparation for the new EU data protection Regulation, EU parliamentarian Jan-Phillip Albrecht (who is in charge of steering the reforms) recommended that the Safe Harbor framework be discontinued.

There is also growing discontent with the Safe Harbor among EU countries, such as Germany.

The German data protection commissioner blogged in 2013 that the United States data protection framework is lacking and that Safe Harbor "cannot compensate for these deficits," and amidst NSA spying concerns many cloud storage companies are being set up outside the USA.

Basically, the overall picture is that US data protection law is not up to scratch, but the current safe harbor law allows this to be overlooked.

This means that currently EU startups can use US-based cloud storage platforms, but they may not be able to do so for long.

With the new EU law coming into force, there's potential that the safe harbor provisions will be removed, and EU startups may no longer be able to store their data with US-based cloud storage companies unless there are major new US privacy laws brought into force.

At the moment, we'll just need to wait and see what changes the new regulation brings and whether the Safe Harbor setup is maintained.

Title image is: "If you have a brain, you are a startup" by Campus Party Europe