Blog Post

UpCloud reckons Finnish privacy laws can protect data hosted in US

Post-Snowden, European cloud providers find themselves with a couple strong selling points: they host in Europe, so U.S. authorities can’t simply walk in and demand customer data, and they’re not headquartered in the U.S., so they don’t have to hand over data under the Patriot Act.

But what about those that want to expand to the U.S.? Finland’s UpCloud is in precisely that position, planning as it is to open a U.S. data center, probably in Chicago. And while it’s not the first European cloud outfit to head west, this infrastructure-as-a-service (IaaS) provider reckons it’s come up with a model that can protect even customers using that facility under Finnish and European data protection laws.

Part of this involves carefully-constructed contracts, and part involves keeping all customers’ personal information in Finland – in other words, the authorities in the U.S. won’t have what they need to match any seized data to its owner.

As UpCloud general manager Antti Vilpponen explained it to me via email:

“Currently the situation with U.S. IaaS providers is that local law enforcement agencies have access to customers’ data (and personal information for that matter) globally as the companies are registered in the U.S.

“Some of our European competitors have solved the situation by building separate services into each data centre. This basically protects customers from cross-border inquiries, but the customer experience in using these services is poor. They have different accounts to different data centres without the possibility to migrate servers easily. With UpCloud, you are able to manage all your servers with a single account — improving usability (in addition to the privacy of your personal data) immensely.”

Vilpponen was loath to go into any detail regarding the mechanism UpCloud is using here, to ensure everything runs smoothly while personal data is kept out of U.S. servers, other than to say the firm’s non-European operations (it’s planning a similar move into Asia) are run by fully-owned subsidiaries.

“We’re looking to build a model whereby we give our customers the best possible privacy protection possible in a global setting… while also handing down some of the responsibility to the customers themselves; they are aware and take the risk that the local law enforcement officials might require us to hand over the data stored on servers in that country, but only in that country,” he said.

Without those missing details about contractual and technical mechanisms, it’s hard to judge precisely how effective UpCloud’s model is. That said, if it works as promised and if UpCloud is proficient at locking down the personal data it stores in Finland – one must bear in mind that U.S. intelligence laws give less protection to data stored outside the U.S. — it could be a smart way for a European provider to make inroads into the lucrative homeland of the NSA.

Here’s a video from last year’s Structure:Europe, where I interviewed Vilpponen and other European cloud upstarts about taking on Amazon(s amzn):
[protected-iframe id=”1bbe1fd1c4da4bca77e8f0ab2940a6d2-14960843-25766478″ info=”″ width=”640″ height=”360″ frameborder=”0″ scrolling=”no”]

2 Responses to “UpCloud reckons Finnish privacy laws can protect data hosted in US”

  1. Robert Jenkins

    @David This is a very interesting article and good luck to Upcloud in their work around this as they are a great cloud operator.

    Ourselves we’d see the following issues around this kind of approach:
    1. There are very well established legal precedents for using foreign legal systems to request information out of those jurisdictions if it has been proven that the infrastructure being operated in the foreign country (being the US in this case) is connected to an operation in said country or ownership/control is being proxied via that jurisdiction. We don’t have to look at the hosting industry for such precedents, you have everything from gambling to illegal content hosting.

    2. Even if you could successfully prevent disclosure of the client personal data to US authorities, the authorities themselves would shut down the US operational company if they felt it wasn’t complying with US law. So it’s a one-off win for one customer at the expense of all others and with no future solution beyond that.

    3. If you hedged this and said we will protect client anonymity but only if they don’t do anything illegal then how do you judge that? Which laws do you consider valid or not?

    From my own personal perspective and that of CloudSigma we take the attitude that if we are operating in someone’s country, we should respect their laws. The people of each country have the right to self determination and it is therefore up to them to set the laws that govern them and it is up to us to follow them based on the principle that our customers are innocent until proven guilty. Likewise that means that we don’t enforce other people’s laws in other countries. Turning it on it’s head, we wouldn’t impose Swiss law on our US cloud or US law on our Swiss cloud. Customers can choose transparently what jurisdictions they want to operate in and our job is to make sure we provide clear legal distinctions so they are able to manage that appropriately.

    A blog post by me on customer privacy: