Why Amazon's Investment in a European Sovereign Cloud is Still Not Enough
Amazon Web Services (AWS) recently announced plans to invest €7.8 billion in a European Sovereign Cloud, a move aimed at addressing data sovereignty concerns and complying with stringent EU data protection regulations. However, despite these efforts, fundamental issues remain unresolved. This post explores why this investment, while significant, does not fully address the underlying concerns about data sovereignty and security when American companies are involved.
The Impact of U.S. Legislation on Data Sovereignty
Several pieces of U.S. legislation give the American government broad powers to access data held by companies, regardless of where the data is physically stored. Understanding these laws is crucial to grasping the full scope of the issue.
PATRIOT Act
In the aftermath of the September 11, 2001 attacks, the U.S. Congress enacted the PATRIOT Act, which significantly expanded the government’s ability to collect data. Section 215 of the PATRIOT Act allows the government to access business records deemed relevant to terrorism investigations. This broad authority means that any data stored by an American company, including AWS, could potentially be accessed by the U.S. government.
National Security Letters (NSLs)
NSLs are administrative subpoenas issued by the FBI that do not require prior judicial approval. These subpoenas can compel companies to provide customer information, such as communication records and financial data. Moreover, NSLs often come with a gag order, preventing companies from disclosing that they have received such a request. This lack of transparency adds another layer of concern for data sovereignty.
Electronic Communications Privacy Act (ECPA) and Stored Communications Act (SCA)
The ECPA regulates government access to electronic communications. Under the ECPA, the government can access electronic communications stored by service providers with a court order. The SCA, a part of the ECPA, specifically allows for the collection of stored communications, such as emails and files, further broadening the government's reach into data stored by companies like AWS.
Executive Order 12333
This executive order grants intelligence agencies the authority to collect foreign intelligence, including communications data, even if it is stored outside the United States. While the order is primarily aimed at foreign intelligence gathering, its broad scope means that data belonging to non-U.S. citizens and stored by American companies could also be affected.
All Writs Act
The All Writs Act allows federal courts to issue orders necessary to support their jurisdiction. This can include compelling companies to provide technical assistance to law enforcement, potentially compromising the security and confidentiality of user data.
The CLOUD Act and Its Implications
The Clarifying Lawful Overseas Use of Data (CLOUD) Act further complicates the situation. This law enables U.S. law enforcement agencies to compel American companies to provide data stored on their servers, regardless of whether the data is stored domestically or internationally. This extraterritorial reach of U.S. law means that even if AWS hosts data in a European Sovereign Cloud, it could still be subject to U.S. government access requests.
AWS's European Sovereign Cloud: A Step in the Right Direction?
AWS’s commitment to a European Sovereign Cloud aims to address these concerns by ensuring that data remains within the EU and complies with EU regulations. While this is a positive step, the overarching issue remains: AWS is a U.S.-based company and is therefore subject to U.S. laws.
Despite promises to adhere to EU rules, the potential for U.S. government intervention cannot be entirely eliminated. The mere possibility that AWS could be compelled to hand over data due to U.S. legislation creates a level of uncertainty and mistrust that cannot be easily dismissed.
The Only True Solution
The only definitive solution to this problem would be a change in U.S. law, specifically to the statutes that allow for such broad data collection powers. Without legislative changes, the sovereignty and security of data stored by American companies, even within Europe, cannot be guaranteed.
Conclusion
While the AWS European Sovereign Cloud represents a commendable effort to align with EU data protection standards, the fundamental issues arising from U.S. legislation remain unresolved. Until the U.S. government reforms its data access laws, European data stored with American companies will never be entirely secure. This reality underscores the importance of advocating for stronger data protection laws globally and exploring alternative cloud service providers that are not subject to U.S. jurisdiction.