Post by Dave Michels

Many Europeans are having second thoughts about the use of US cloud providers. However, they often focus on the US CLOUD Act, while overlooking the risks under FISA Section 702. In this blogpost, I explain the importance of distinguishing between US government access for law enforcement purposes and for foreign intelligence purposes. I argue that the latter poses a higher risk, as the likelihood is more uncertain and the potential impact on European interests is greater – both for individuals and for European Member States. Unfortunately, the fear of law enforcement access under the US CLOUD Act can lead Europeans to overlook US intelligence agency powers under FISA. This applies even to otherwise excellent analyses, such as the Dutch Algemene Rekenkamer’s report on the “Dutch central government in the cloud”. This surprised me, since public sector use of US clouds is such a hot topic in the Netherlands – and there are so many good local experts who can advise in this area, including Bert Hubert, Arnold Roosendaal of Privacy Company, Joris van Hoboken, Douwe Korff, Paul Timmers, and Gavin Robinson. I hope my blogpost can help draw attention to this issue – let me know what you think!