Protecting Their Own: Fundamental Rights Implications for EU Data Sovereignty in the Cloud

31 Pages Posted: 22 Jun 2013 Last revised: 4 Jul 2013

See all articles by Judith Rauhofer

Judith Rauhofer

University of Edinburgh - School of Law

Caspar Bowden


Date Written: June 21, 2013


The recent PRISM scandal has illustrated the privacy risks that EU citizens take when their personal information is stored or processed in the cloud. Although EU data protection laws are designed to restrict the private actors handling that data from processing it in a way and for purposes that are unlawful, those laws have no effect on public bodies, including law enforcement and security agencies in third countries whose access to that data may be authorized by the laws of their own countries. This is the case even if such access would violate the individual’s fundamental human rights had it occurred within the EU. This article examines the means by which the existing EU data protection framework restricts the transfer of personal data from the EU to third countries particularly in a cloud context. It analyses whether the European Commission’s proposal for a new Data Protection Regulation in its current form is likely to increase or reduce the protection provided to EU citizens in this regard, and it looks at the potential threat that the laws of third countries may pose to EU citizens’ right to privacy with respect to data uploaded to the cloud. The article assesses, in particular, the laws authorising the US government’s access to personal data held or processed by US cloud providers, focusing specifically on the US Foreign Intelligence Surveillance Act of 1978 (FISA) . It also highlights the lack of equivalent protections currently granted to EU citizens by the US constitution. The article argues that in the light of the clear and present danger that provisions like §1881a of FISA represent to EU citizens’ right to privacy, the EU institutions - as part of their own obligation under the Charter of Fundamental Rights and, in the future, the European Convention on Human Rights must take the appropriate steps to protect their citizens from this kind of interference.

Keywords: PRISM, surveillance, data protection, cloud computing, privacy, ECHR, Fourth Amendment, FISA

Suggested Citation

Rauhofer, Judith and Bowden, Caspar, Protecting Their Own: Fundamental Rights Implications for EU Data Sovereignty in the Cloud (June 21, 2013). Edinburgh School of Law Research Paper No. 2013/28, Available at SSRN: or

Judith Rauhofer (Contact Author)

University of Edinburgh - School of Law ( email )

Old College
South Bridge
Edinburgh, EH8 9YL
United Kingdom

Caspar Bowden

Independent ( email )

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics