Google has admitted complying with requests from US intelligence agencies for data stored in its European data centers, most likely in violation of European Union data protection laws.
Gordon Frazer, Microsoft UK's managing director, made headlines some weeks ago when he admitted that Microsoft can be compelled to share data with the US government regardless of where in the world it is hosted.
At the center of this problem is the USA PATRIOT Act, which states that companies incorporated in the United States must hand over data administered by their foreign subsidiaries if requested.
Not only that, but they can be forced to keep quiet about it in order to avoid exposing active investigations and alerting those targeted by the probes.
This situation poses a serious problem for companies like Microsoft, Google or Amazon, which offer cloud services around the world, because their subsidiaries must also respect local laws.
For example, European Union legislation requires companies to protect the personal information of EU citizens and this is clearly not something that Microsoft, Google, Amazon, or any of their EU customers can do.
This is not only a theoretical problem. According to the German-language magazine WirtschaftsWoche, a Google spokesperson confirmed that the company has complied with requests from US intelligence agencies for data stored in its European data centers.
The situation is likely to spark an official inquiry from the European Commission, with some members of the European Parliament already reacting to the stories. It's hard to foresee what kind of solution can be found at this point, but one thing is clear: US-based cloud providers operating in the EU can be forced to break the law. European companies and government agencies that are using their services are also in a tough position.
Update August 13, 2011: We have been contacted by a Google spokesperson who wished to clarify that the company did not confirm receiving requests for European data from U.S. intelligence agencies. The original statement was apparently misunderstood by the German publication WirtschaftsWoche.
Of course, this does not mean that the company didn't actually receive or comply with such requests. It just doesn't confirm it. We have requested more clarifications and will post them here when and if we receive them.
Update August 16, 2011: Google has sent us a statement that reads: "As a law abiding company, we comply with valid legal process, and that - as for any US based company - means the data stored outside of the U.S. may be subject to lawful access by the U.S. government.
"That said, we are committed to protecting user privacy when faced with law enforcement requests. We have a long track record of advocating on behalf of user privacy in the face of such requests and we scrutinize requests carefully to ensure that they adhere to both the letter and the spirit of the law before complying."
"In terms of notification, whenever possible, we notify affected users about any requests for user data that may affect them," its spokesperson added.