3.1 Introduction

Over the past decade, the right to privacy and the protection of personal data have been increasingly recognised as fundamental values at global level (Greenleaf 2019; Bygrave 2014; Solove 2008). Yet, their understanding still varies significantly among jurisdictions. One apparent example is offered by the different approach to data privacy in the European Union (EU) and the United States (US). In Europe, data protection is a constitutionalised fundamental right, and a comprehensive set of legislation has been put in place to make the regulation of personal data processing uniform across member states. Conversely, in the US, data privacy is not explicitly enshrined in the federal constitution, and is regulated only in selected pieces of legislation targeting specific sectors considered worthy of intervention.

Divergence in legal frameworks of data protection is certainly not a novelty of the last decade. However, the recent development of borderless digital technologies, such as cloud computing, amplifies the risk of tensions between different regulatory models. When data are stored in the cloud, it becomes more difficult to identify the applicable law easily. In response to this phenomenon, data localisation initiatives requiring data to be physically stored in servers located within national boundaries have recently emerged as a regulatory trend to avoid conflicts of law, enhance the level of data privacy protection, limit the risk of access from foreign intelligence agencies, and facilitate domestic law enforcement.

This chapter investigates this twofold dynamic by focusing on the current friction between the EU data protection approach and the US data privacy model in the context of cloud computing. The chapter is structured as follows. In Sect. 4.2, we discuss the main areas of divergence between the EU and US approaches to data privacy. Then, in Sect. 4.3, we explain how these differences create a series of regulatory challenges in the context of cloud computing. Section 4.4 analyses how recent legal and policy developments on both sides of the Atlantic are addressing these issues, with a particular focus on data localisation initiatives and strategies to preserve digital sovereignty. The chapter concludes with the proposition that data localisation does not represent a panacea for resolving tensions between competing jurisdictions in the field of cloud computing, and that transnational cooperation and effective international agreements are needed now, more than ever.

3.2 Data Privacy Across the Atlantic

In Europe and the US, data privacy law emerged almost simultaneously in the 1970s (Jones 2017). Both legal systems recognise the importance of protecting personal data and the potential risks deriving from a misuse of such data. Yet, on the two sides of the Atlantic, two different regulatory models have emerged in the field of data privacy (Schwartz and Solove 2014; Tourkochoriti 2014).

In Europe, respect for privacy and the protection of personal data are recognised as fundamental rights. In 1950, as a reaction to intrusive surveillance practices of totalitarian regimes that afflicted Europe in the first half of the twentieth century, the European Convention on Human Rights enshrined the individual right of respect for private and family life, home and correspondence (Article 8). In its case law, the European Court of Human Rights, which is the competent jurisdiction for the interpretation of the Convention, has affirmed that the concept of private life must be construed broadly in order to protect all aspects of human personality, including individual personal data (Council of Europe 2019; Fabbrini 2015). In 2000, the EU Charter of Fundamental Rights explicitly enshrined the right to privacy and data protection in two distinct provisions, Articles 7 and 8, respectively. Although it originally lacked binding legal value, with the transposition of the Lisbon Treaty in 2009 the Charter was recognised as having a primary legal status in the hierarchy of EU legal sources, at the same level as the EU founding treaties (Fabbrini 2015).

The US is often referred to as the cradle of the right to privacy. Back in 1890, Samuel Warren and Louis Brandeis authored a seminal article published in the Harvard Law Review in which they advocated for the recognition of a broad conceptualisation of the right to privacy and the protection of the individual against external intrusions (Warren and Brandeis 1890). However, in contrast to the EU, in the US, at least at federal level, there is no explicit constitutional provision protecting the right to privacy or data protection. Indeed, the US Constitution dates to 1787 and its Bill of Rights was added only three years later, so well before privacy became an issue. The case law of the US Supreme Court progressively recognised different aspects of privacy, regarded both as a negative right against State intrusion and as a positive right to self-determination in a variety of contexts, including the choice of using contraceptives or terminating pregnancy (Flaherty 1991). Lacking an explicit reference, the US Supreme Court had to find constitutional support for the right to privacy in the “emanations” and “penumbras” of the Bill of Rights (Griswold v. Connecticut, 381 U.S. 484). In particular, the Court examined the Fourth Amendment, protecting citizens against unreasonable searches and seizures (Solove 2001), and the Fourteenth Amendment, subjecting any deprivation of life, liberty and property to due process rules (Cate and Cate 2012).

Besides the different constitutional frameworks, the EU and the US also developed alternative regulatory models in the field of data privacy. Over the past few decades, the EU has introduced a fully comprehensive set of legislation governing the processing of personal data, both in the private and in the public sector (Fabbrini 2015). In 2016, the EU replaced the 1995 Data Protection Directive, which represented the core piece of legislation adopted to harmonise national statutes in the field, with a General Data Protection Regulation (GDPR), whose provisions are directly binding in all member states (Albrecht 2016). Conversely, the US has rejected a similar all-encompassing approach, in favour of exclusively regulating specific sectors which were felt to be more in need of intervention (Schwartz and Solove 2014). Although a pioneer in the data privacy field, having adopted the Privacy Act 1974, which regulates data processing by federal agencies, the US never introduced a unitary and comprehensive piece of legislation in the field of data privacy, and only a few US states have. At the federal level, US data privacy law is a mosaic of normative instruments covering a variety of issues, spanning from children’s privacy to the use of data in financial services (Schwartz and Solove 2014).

In Europe, the basic presumption is that processing personal data represents an interference with the right to data privacy that can be tolerated only if it satisfies certain legal conditions. In the US, instead, data processing is considered fully legitimate in so far as it is not prohibited by law, and a strong emphasis is placed on the role of individual consent as a basis to process personal data (Tourkochoriti 2014). European data protection law, in order to reduce the risk of circumvention and ensure an even level of protection across member states, has introduced provisions extending its application to data controllers that are not established in the EU, but nevertheless process data related to EU residents (Article 3 GDPR; Christopher Kuner 2015; Svantesson 2015; de Hert and Czerniawski 2016). In the US, data privacy statutes do not have a similar extraterritorial effect.

Lastly, in contrast to US legislation, EU data protection law also regulates international data transfers. Article 44 GDPR establishes that personal data can freely circulate among member states, but cannot be transferred to third countries unless they provide an adequate level of protection. Article 48 of the GDPR even explicitly prohibits any data disclosure requested by a foreign authority, unless based on an international treaty. The European Commission can adopt a decision certifying the adequacy of the level of data protection of a third country (Article 45 GDPR). Countries like Israel, Argentina, Uruguay, and recently Japan, have been certified as providing an adequate level of protection (European Commission 2019). Conversely, the Commission has only issued a partial adequacy decision in relation to the United States.

In 2000, the European Commission adopted Decision 2000/520/EC (so called “Safe Harbor”) which established the adequacy of US data protection rules: in particular, US corporations that are subject to the supervision of the Federal Trade Commission could self-certify their respect of the Safe Harbor Principles (Greer 2011). However, in the aftermath of the Snowden revelations about the existence of US mass surveillance programmes, this decision was invalidated by the European Court of Justice (ECJ). In the Schrems case (C-362/14), decided in 2015, the ECJ held that the Commission, by certifying the adequacy of the Safe Harbor scheme, failed to take into account the power of US law enforcement authorities to access on a generalised basis EU data transferred under the Safe Harbor scheme (Cole and Fabbrini 2016; Padova 2016). According to the ECJ, such a model of bulk surveillance cannot be tolerated as it compromises the essence of the right to privacy protected by the EU Charter of Fundamental Rights (para 94 of the judgment; see Ojanen 2017).

The Safe Harbor scheme was promptly replaced by the so-called “Privacy Shield”, which was negotiated between the European Commission and the US authorities in 2016 and entered into force with Decision 2016/1250. The new system is very similar to the Safe Harbor in terms of functioning, but has been accompanied by a series of further guarantees, especially in relation to the individual right of redress (Tracol 2016; cf. Bender 2016). Moreover, after the Snowden revelations, the US started a progressive revision of its law enforcement legislation (Cole and Fabbrini 2016). Nevertheless, a new legal challenge was recently brought against the EU-US Privacy Shield, and in July 2020 the ECJ declared this instrument invalid as well, for breach of EU data privacy law (Case C-311/18, Data Protection Commissioner v Facebook Ireland Limited, Maximilian Schrems). In its ruling, the ECJ emphasized the same problem as in Schrems I: the level of protection of EU data in the US is still contested.

The Schrems I and Schrems II cases both represent examples of circumstances in which the EU and US data protection frameworks come into conflict. This situation arises when transnational processing of data is involved, and is highly problematic from both an EU and a US perspective. On the one hand, EU data protection law imposes limits on the free transfer of personal data to third countries that are not deemed to offer an adequate level of protection of personal data. On the other hand, US authorities are loath to bend their sovereign decisions to EU requests in the field of data privacy as a result of the so-called Brussels effect (Bradford 2012). As the next section will explain, cloud computing, by ordinarily involving transborder data processing, represents a particularly challenging area.

3.3 Regulating Borderless Cloud Computing

Cloud computing denotes “flexible, location-independent access to computing resources that are quickly and seamlessly allocated or released in response to demand” (Hon et al. 2011a, p. 6). This broad definition encompasses three models of cloud computing: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). These models, as is apparent from their denomination, differ on the basis of the service offered, spanning from the mere provision of infrastructure to the supply of software (Hon et al. 2011a). These paradigms, however, are not mutually exclusive. It is conversely possible that a cloud computing service is composed of infrastructure, platform or service layers at the same time (Hon et al. 2011a). Just to mention some familiar examples in the academic context, Dropbox, the Google apps and Microsoft 365 represent commonly used Software as a Service cloud computing services.

A further classification of cloud computing models takes into account their users: one can distinguish between public, private or hybrid cloud computing models (Esayas 2012; see also Varadi et al. 2012). In the first case, cloud computing services are available to the general public, an example being the social network Facebook; in the second case, their use is restricted to a limited number of users, such as in tailored cloud services for corporations or institutions; lastly, the third case represents an intermediary solution.

Using computing resources which are available in “the cloud” is advantageous for a series of reasons (Hon et al. 2011a; Esayas 2012). First of all, cloud computing can provide services which are tailored to the end user. Secondly, cloud computing can flexibly respond to changes in users’ demand. And lastly, but certainly not least, cloud computing is significantly cheaper than developing and maintaining individually owned infrastructure, platforms or software. Those resources are centralised, and thanks to their virtual character, they are shared according to the specific needs of potential users.

From a technical perspective, this is possible thanks to the so-called “sharding” (Hon et al. 2011a). Data are not concentrated in a single virtual cloud, but are fragmented into a series of “shards”, replicated, and stored in different locations. This procedure, which is entirely automated, allows the cloud computing service to maximise its performance. On the one hand, smaller pieces of information can be accessed more quickly. On the other hand, their replication enhances the security of the system by reducing the risks of node failures or data loss.

The technical architecture of cloud computing creates a series of challenges from a data protection perspective. First of all, cloud computing providers may be unaware of the fact that they are processing personal data. Hon et al. talk of the “cloud of unknowing” (2011a, p. 1). Secondly, the multi-layered structure of cloud computing services may create issues in relation to the correct identification of the data controller and processor, and the consequent allocation of responsibilities. For example, it has been contended that cloud service providers merely offering infrastructure as a service can hardly even be considered as data processors (Hon et al. 2011b). Thirdly, cloud computing models may involve a continuous transfer of data on a global scale, therefore potentially involving a multiplicity of states. The “sharding” procedure, on which cloud computing relies, partitions and transfers data automatically.

The introduction of the GDPR has removed a series of jurisdictional problems existing under the Data Protection Directive. The GDPR is immediately legally binding in all EU member states. As a consequence, at least if the transfer occurs within the EU, the data controller will have one single legislative reference point instead of multiple different domestic pieces of legislation. Moreover, the GDPR has eliminated the reference to the use of equipment situated in an EU member state as a criterion to define its scope of application. The idea of linking the applicability of EU data protection law to the physical use of equipment no longer corresponded to the technological reality (Hon et al. 2012; Esayas 2012; Christopher Kuner 2010). The GDPR now regulates data controllers who are not established in the EU, but offer goods or services in the EU or monitor the behaviour of European data subjects (Article 3 GDPR). However, the GDPR has not substantially modified the data transfer regime involving third countries. Therefore, data controllers should still ensure that, when using cloud computing services, European data are not transferred to third countries which do not guarantee an adequate level of protection, or without appropriate safeguards (Hon and Millard 2012).

The existence of these regulatory obstacles to the free flow of personal data from the EU to third countries has led cloud computing providers to offer services storing personal data on servers exclusively located in the EU (Hon and Millard 2012). EU data protection law has been one of the main drivers behind the creation of “regional” clouds besides cross-border ones (Svantesson and Clarke 2010). A tension therefore emerges between, on the one hand, the economic and technological dimensions that push towards the offer of cloud computing services on a global scale in order to maximise efficiency and minimise costs, and, on the other hand, regulatory and policy initiatives that conversely impose boundaries and de facto limit the free flow of data for privacy rights reasons. Since the main cloud computing providers are based in the US and, as pointed out above, the EU and US are adopting different approaches in relation to data privacy, this situation raises several challenges. The next section will examine a series of initiatives that are emerging on both sides of the Atlantic to address these problems.

3.4 Data Localisation and Digital Sovereignty

Over the past few years, data localisation—which is the requirement to store data in servers located within a given jurisdiction—has also emerged as a regulatory trend at global level (Mishra 2015; Selby 2017). To mention a successful example, in 2014 Russia introduced a statute requiring citizens’ personal data to be stored in the national territory (Hon et al. 2016; Selby 2017). The objectives of these kinds of legislation are disparate. Safeguarding data privacy and ensuring effective law enforcement at domestic level are the two most recurrent explicit justifications of these initiatives (Mishra 2015; Hon et al. 2016). The timing of this phenomenon, which has thrived after the Snowden revelations about the US mass surveillance programmes, also suggests that data localisation is emerging as a response to the risk of data access from foreign intelligence agencies (Hon et al. 2016).

In Europe too, a series of data localisation initiatives has recently emerged. Since 2011, ideas of a Europe-only cloud, if not even a “virtual Schengen area”, have been circulating (Kuner et al. 2015; Hon et al. 2016). In 2013, the German telecommunications operator Deutsche Telekom announced a plan to create a German “Internetz”, by ensuring that traffic data are only routed nationally (Hon et al. 2016). Similarly, after Russia’s annexation of Crimea in 2014, Estonia explored the possibility of creating a “data embassy” via a combination of a physical diplomatic seat in a friendly country to locate data centres, and a “virtual embassy” in a private cloud to store critical data (Millard 2015).

More recently, the European Commission has launched a European Cloud Initiative in the context of its Digital Single Market Strategy (European Commission 2016). This policy includes the creation of a European Open Science Cloud, which aims to offer European researchers a safe environment to store and share data, and a European Data Infrastructure, which would provide the necessary super-computing solutions. Moreover, in 2019, the German Ministry for Economic Affairs and Energy officially presented ‘Gaia-X’, the project for a European federated cloud-based data infrastructure (Federal Ministry for Economic Affairs and Energy (BMWi) 2019).

These initiatives show that the concept of “digital sovereignty” has recently emerged as a common thread in the European debate on data localisation. Originally, proposals such as the virtual Schengen area were politically justified by the need to ensure a sufficient level of security in the digital environment (Hon et al. 2016). The protection of human rights, and in particular the rights to privacy and data protection, has been the second main driver of discussions about data localisation in Europe. In the Digital Rights Ireland case, for example, the ECJ invalidated Directive 2006/24/EC, which compelled telecommunications operators to retain all users’ metadata for a fixed period of time, on the basis, inter alia, that it failed to require the storage of personal data in Europe (Digital Rights Ireland 2014, para. 68; Celeste 2019). According to the ECJ, the Data Retention Directive, by allowing telecommunications operators to store retained metadata outside Europe, undermined the power of member states’ national data protection authorities to control data processing, as expressly prescribed by Article 8(3) of the EU Charter of Fundamental Rights (Digital Rights Ireland 2014, para. 68; cf. Tele2 Sverige 2016, para. 122).

More recently, in the summer of 2019, the data protection authority of the German Land of Hessen temporarily ordered Hessian schools not to use Microsoft Office 365 (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit 2019a; cf. Walden 2011). The decision followed Microsoft’s announcement that the company would not ensure data storage on the German cloud only. The supervisory authority found that the risk of allowing US authorities to access European children’s data without appropriate guarantees made the use of Microsoft’s software unacceptable from a fundamental rights perspective (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit 2019a, para. 2). The Hessian ban, which was originally extended to Google and Apple cloud applications (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit 2019a, para. 5), was lifted a month later following an intense phase of dialogue with Microsoft. The supervisory authority, however, stated that the investigation would continue in light of several legal and technical issues still to be solved (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit 2019b).

The first decision of the Hessian data protection authority justified the ban of Microsoft Office 365 by the need to preserve the state’s “digital sovereignty” (Der Hessische Beauftragte für Datenschutz und Informationsfreiheit 2019a, para. 2). Digital sovereignty is a concept that widely permeates the recent debate on data localisation in Europe, and particularly in Germany. For example, it is the primary goal of the Gaia-X Project launched in 2019 by the German Ministry for Economic Affairs and Energy (Federal Ministry for Economic Affairs and Energy (BMWi) 2019, p. 6). In the Ministry’s document, digital sovereignty is defined both as “independence” and as “self-determination” (Federal Ministry for Economic Affairs and Energy (BMWi) 2019, p. 7). Remarkably, this concept is not uniquely linked to the state dimension, encompassing also the power of companies to freely determine the use and structure of their digital systems, data and processes (Federal Ministry for Economic Affairs and Energy (BMWi) 2019, p. 7). In this way, digital sovereignty is presented as a solution to the European dependence on foreign companies and infrastructures, as well as an opportunity to abide by and affirm European values.

Yet, the project of achieving European digital sovereignty is not immune from the typical criticism characterising data localisation legislation (Mishra 2015). First, implementing a similar policy means increasing costs due to the relocation of data centres and services in Europe, and subverting global economic trends. Moreover, digital sovereignty may not be a panacea vis-à-vis the issue of security. As the Estonian project of creating a virtual data embassy shows, centralising data may enhance the level of vulnerability, while delocalisation, as the sharding procedure in the context of cloud computing services demonstrates, can actually strengthen system resilience. Lastly, initiatives aiming to preserve digital sovereignty are often criticised as ways to conceal a form of protectionism (Mishra 2015; Millard 2015; C. Kuner et al. 2015). Digital sovereignty would not merely lead to a balkanisation of the digital realm for the sake of preserving European fundamental rights, but would also allow European companies to fill the economic gap distancing them from American and Asian technology giants.

While Europe is seeking to strengthen its digital sovereignty, however, analogous trends are also emerging elsewhere. In 2018, for example, the US introduced the CLOUD Act, new legislation enabling US law enforcement authorities to require US corporations to disclose data, independently of their physical location (Abraha 2019). The statute was purposefully adopted as a response to a case in which Microsoft contested a search warrant aiming to gather data stored on its Irish servers (Svantesson and Gerry 2015). Microsoft argued that, under the Electronic Communications Privacy Act 1986, the US government was not explicitly authorised to serve extraterritorial warrants. The introduction of the CLOUD Act in 2018 mooted the dispute against Microsoft, which had meanwhile reached the US Supreme Court (Abraha 2019). The new statute empowers US law enforcement authorities to require data in the ‘possession, custody and control’ of a US corporation, even where such information is physically located outside the US (Abraha 2019).

Data localisation is not just a US and European phenomenon. In 2017, in the context of the increasing trade war with the US, China passed a new National Intelligence Law obliging companies to collaborate with Chinese intelligence agencies (Yang 2019). This legislation produced strong criticism in the US (Lian 2019; The White House 2019; cf. Doffman 2019). Yet it reveals a drift towards growing fragmentation of the digital space to impose national sovereignty, which raises significant challenges for cloud computing.

3.5 Conclusion

Borderless cloud computing technologies are exacerbating existing tensions between EU and US approaches to data privacy. On the one hand, a series of European initiatives are progressively exercising a centripetal force on data held by companies operating in the EU. Their main objective would be to preserve Europe’s digital sovereignty by guaranteeing the respect of European fundamental rights and preventing foreign law enforcement and intelligence agencies from accessing personal data of EU citizens and residents. On the other hand, foreign countries are unilaterally adopting legislation requiring national corporations to disclose data stored in Europe, in this way bypassing jurisdictional boundaries grounded in physical data location. The recently adopted US and Chinese statutes represent two paradigmatic examples of this trend, and clearly highlight how a conflict between European rules and foreign laws is emerging.

From a European standpoint, it is therefore evident that data localisation alone cannot represent the universal remedy for all the existing risks. In a globalised digital environment, even investigating a domestic crime is likely to entail accessing data held in different jurisdictions. Erecting permanent barriers to the free flow of data could eventually amount to a Sisyphean labour, difficult and ultimately futile. For this reason, enhancing cooperation and establishing more functional agreements with third states, making sure that the protection of digital rights becomes a shared concern transnationally and globally, still seems to be the best choice for the EU.