While most American firms relocating data to European servers are doing it to comply with the new requirements of stronger EU privacy rules, some are looking at European cloud services and providers of secure encryption products to keep their data safe -- and out of reach of US intelligence services.
For these companies, keeping their most confidential data on the cloud in the US is not an option as they can be forced via a National Security Letter or subpoena to relinquish a copy of the data to the relevant authority. Then, as recently happened in the San Bernardino iPhone case, government agencies could try to break the encryption on that data by themselves or enlist external help.
European cloud security
The largest American Internet companies, such as Amazon, Apple, Facebook, Google, IBM, and Microsoft, have been rushing to build large data centers in the EU for several years. All of them already offer local cloud services to corporate customers who want to keep their data in the continent, both for security and legal requirements.
But now, sensitive American data moving to Europe is landing mostly in places such as Switzerland, Iceland and Norway, where new cloud providers offer security, anonymity, and zero-knowledge encryption.
These companies allow customers to store encrypted data on their servers without disclosing their true identity, and shield their data traffic through complicated VPNs and proxy services. Swiss company Tresorit recently invited hackers and researchers from around the world to hack it for a $50,000 prize. After trying for 500 days, no one succeeded.
Tresorit told me that about 20% of its customers come from the US and Canada. “Because of our zero-knowledge encryption technology, it is technically impossible for any government (or anyone else) to access the files stored in Tresorit," a company spokesperson told me in an email. "Even we at Tresorit only have metadata about our users (i.e. their email, their subscription status), which we handle under Swiss law."
ProtonMail, a zero-knowledge email provider in Switzerland, is winning a significant amount of customers from abroad, ProtonMail CEO Andy Yen told me in an email. “Because of our domicile in Switzerland, which is historically neutral, we can be a trusted partner for a very wide range of businesses. It positions us uniquely to do business with both American and Russian companies at the same time. Due to the private nature of our work, we cannot specifically name any of the companies whose data we protect, but we have received inquiries from around the world, and around 50% come from outside of Western Europe," he said.
He added, “From a technological perspective, being based in Europe doesn't really matter, but the benefit of Europe is that when it comes to privacy, European companies are more trusted because most of our US-based competitors such as Google have already tarnished their reputations through past collaboration with the NSA.”
“The risk that alternative mechanisms may not be valid either is leading companies to explore data localization in Europe,” Christian Borggreen, international policy director for the Computer & Communications Industry Association, which represents companies including Amazon, Facebook, and Alphabet’s Google, told the Wall Street Journal.
While it is not common for American companies to move their internal data overseas, some firms, especially ones with sensitive industrial secrets, or law firms with confidential customer data, or others involved in big data analytics, are already using foreign data services, and many more are considering it.
Encryption itself is not enough
American companies are looking overseas for data protection as the FBI and other law enforcement agencies continue to call for legislation that weakens encryption. Recently, FBI Director James Comey reportedly said, "There is a collision going on between values of all shades between privacy and security."
One of the lessons from the recent FBI vs. Apple encryption battle over iPhone security is that encryption is not enough. While encrypted files with strong AES-256 algorithms are considered safe, the fact is that many organizations can be forced to relinquish the encryption keys, or some disgruntled employee could provide it to people outside the organization.
Why Europe is safer?
The privacy protection Europeans enjoy is much better than what people have in the United States, which is something even Americans concede. Some people argue that Europe is obsessed with privacy and that it is hurting business, but many organizations such as the Electronic Frontier Foundation and the American Civil Liberties Union have expressed envy over the EU’s privacy laws.
What’s more, those laws not only apply to individuals but also to corporations. Even though companies operating in the European Union have more restrictions on handling data from customers and other businesses, they also enjoy the same protections they are required to give others.
Some countries, such as Switzerland, which are part of the European Economic Area but not part of the EU, have even more restrictive privacy and secrecy laws, allowing businesses to offer services such as zero-knowledge encryption and anonymous communication services. Last year, the European Parliament in Strasbourg approved the newly revised EU Privacy Directive, which incorporates many provisions related to cloud computing and the ways data can be shared. The regulatory framework is moving to a single regulation for the EU and trying to keep up with a shift in which more data is kept in the cloud and therefore managed by a third party other than the original business that collected it, usually known as the data controller.
Also last year, the European Court of Justice struck down Safe Harbor, the data transfer agreement between the United States and Europe, which had been in effect since 1990 and regulated the transfer of data to the US. After the court decision, the European Commission and the US government on Jan. 31 signed a new agreement, called Privacy Shield. The agreement incorporates most of the requirements the European regulators had asked for.
However, the Article 29 Working Party, the umbrella group of EU national data protection authorities, along with privacy organizations, recently denounced Privacy Shield as not providing the same protection that European citizens enjoy within the EU.