EU Justice Commissioner Viviane Reding said at the Dec. 6 European Data Protection and Privacy Conference in Brussels she's determined to "protect the rights of those whose personal data is transferred to third countries outside the European Union."
She made the statement as reports indicated European companies fear sensitive data transmitted through public data clouds with U.S.-made software could be seized under the U.S. Patriot Act surveillance law.
Reding said as the European Union and United States negotiate a data privacy agreement -- set to be signed next year -- she will be holding the privacy rights of Europeans near the top of her agenda.
"Clear rules are needed for the transfer of data outside the EU," she said. "This is why my proposals pay utmost attention to international transfers."
In her speech, Reding cited a media report, apparently from a Dec. 5 story by the IDG technology news service, detailing how two Swedish firms are offering European data cloud users a local alternative in order to avoid surveillance possible under U.S. anti-terrorism laws.
"I read about a Swedish company whose selling point is that they shelter users from the U.S. Patriot Act and other attempts by third countries to access personal data," she said.
"Well, I do encourage cloud computing centers in Europe, because we need more innovation, more research and more investment in the (information and communications technology) industry.
"But this cannot be the only solution. We need free flow of data between our continents. And it doesn't make much sense for us to retreat from each other."
The controversy gained traction in June when Gordon Frazer, managing director of Microsoft UK, admitted to reporters that users of the company's new online Office365 software aren't protected against the Patriot Act regardless of where they are in the world, ZDNet.com reported.
Asked if Microsoft could guarantee that EU-stored data, held in data centers in Europe, would not leave the European Economic Area under any circumstances, Frazer replied, "Microsoft cannot provide those guarantees. Neither can any other company."
Because it has headquarters in the United States, any data housed, stored or processed by Microsoft is subject to interception and inspection by U.S. authorities under the Patriot Act, ZDnet noted. Frazer said that if presented with a gag order, injunction or a U.S. National Security Letter, Microsoft couldn't inform the customer of the data interception.
The situation has prompted British defense contractor BAE Systems to ditch plans to adopt Office365 because Microsoft couldn't guarantee the company's data security, despite operating out of a data center in Dublin, ComputerWeekly reported.
"We were going to adopt Office365 and the lawyers said we could not do it," Charles Newhouse, BAE Systems' chief of strategy and design, told the Business Cloud Summit 2011 in London.
Analysts said a "safe harbor" agreement with Washington that allows U.S. organizations to self-certify their adherence to data privacy principles has failed because it can be overridden by the Patriot Act provisions.
"Safe harbor is a nice idea, but it didn't work," Dutch Member of European Parliament Sophie in't Veld told IDG. "We are increasingly aware of problem areas of jurisdiction between the EU and U.S. and a voluntary scheme like safe harbor is not a strong concept and will not solve these problems."