How are European governments reacting and what might that mean for cloud customers in that region?
Lakatos: European governments are strongly objecting to the NSA's activities. The European Parliament is considering revisions to its data privacy laws to include a provision — previously considered and rejected — that would put many cloud service providers between a rock and a hard place, not just U.S.-based cloud service providers, but also EU cloud service providers that have offices in the United States.
The provision, if enacted, would impose a Hobson's choice on such providers: Either violate U.S. law compelling production of data to the NSA or violate the EU law prohibiting such transfers. Either violate a U.S. gag order or violate the EU requirement to inform the data subject when its data is shared with the U.S. government. All of this is unfair to the business caught in the middle. It's like denying your waiter a tip to send a message to the kitchen about the food.
Given the U.S. Congressional hearings to date on the NSA programs, what legislative action, if any, is likely to be taken?
Lakatos: We do not expect Congressional action in the near term because of the lack of cooperation between the parties.
Rep. Justin Amash (R-Mich.) proposed legislation that would have defunded the NSA's phone records program. In other words, had the bill been enacted, the NSA would not have been permitted to use government funds to conduct its phone records program, which would have sounded the program's death knell.
But the Amash bill would not have affected Section 215 of the Patriot Act, the underlying law authorizing the phone records program, itself. Thus, even if the bill were enacted, the NSA would still have been able to use Section 215 for other types of investigations. In any event, the Amash bill was not long ago defeated in the House by a narrow 205-217 majority. In the past, similar bills have been defeated by a much wider margin. This shows some momentum for reform, but also how difficult it is to get even modest reforms enacted.
How will U.S. cloud providers deal with these issues?
Lakatos: Some U.S. companies may respond to consumer concerns by opening EU subsidiaries and data centers. To the extent that those same resources might better be spent on innovations that would benefit consumers, that would be a shame. Providers should also expect to see more questions from their customers, and greater demands for contractual and other assurances about the safekeeping and confidentiality of customer data.
What steps should cloud services customers take to protect themselves?
Lakatos: At the outset, customers looking to use cloud services should give careful thought to the question of what risks they are concerned with when it comes to putting their data on the cloud. For example, is the customer concerned that it will suffer business interruptions and loss of use of data? Or that its own reputation in the marketplace will suffer based on the cloud service provider's treatment of its data? Or that it may find itself in violation of EU or other data protection laws? There are myriad other possible concerns.