The Patriot Act and Your Data: Should You Ask Cloud Providers About Protection?

CIO — Worries have been steadily growing among European IT leaders that the USA Patriot Act would give the U.S. government unfettered access to their data if stored on the cloud servers of American providers—so much so that Obama administration officials this week held a press conference to quell international concern over the protection of data stored on U.S. soil.

Patriot Act Games

The unease over the reach of Patriot Act provision—which expands the discovery mechanisms law enforcement can use to access third-party data—has been amped up by the sales and marketing efforts of some European cloud providers, seeking to set apart their services as a way to keep corporate data out of the hands of the American government. The most blatant examples are two Swiss companies touting their cloud options as "a safe haven from the reaches of the U.S. Patriot Act," but it's become a popular topic at negotiating tables across the continent. "I don't see how you have a pitch meeting with one of these European cloud providers and not have subject of the Patriot Act concerns come up," says Alex Lakatos, a partner and cross-border litigation expert in the Washington, D.C. office of Mayer Brown.

Anxiety was heightened last year when a Microsoft UK managing director admitted that he could not guarantee that data stored on the company's servers, even those outside the U.S., would not be seized by the U.S. government.

"Some of it certainly is companies trying to take advantage of the Patriot Act to market against U.S. competitors," Lakatos says. "Some of it is just the general concern Europeans have about the Patriot Act." While the 9/11-inspired legislation has been misused in a variety of ways, says Lakatos, some of those perceptions don't necessarily mesh with reality.

Avoid the Patriot Act's Reach, It's Not Easy

Escaping the grasp of the Patriot Act, however, may be more difficult than the marketing suggests. "You have to fence yourself off and make sure that neither you or your cloud service provider has any operations in the United States," explains Lakatos, "otherwise you're vulnerable to U.S. jurisdiction." Few large IT customers or cloud providers fit that description in today's global business environment. And the cloud computing model is built on the argument data can and should reside anywhere around the world, freely passing between borders.

If a European company maintains an American presence, it's likely amenable to U. S. jurisdiction, says Lakatos; likewise, a European customer storing data on European cloud servers of a company with operations in the U.S. may also be subject to Patriot Act discovery tools. "If an E.U. company has no U.S. presence and neither does its E.U. cloud company—which may happen from time to time—its data may be beyond the direct reach of the Patriot Act," Lakatos says. "But even then, the same data may be accessible to the U.S. [government] via an MLAT [mutual legal assistance treaty] request." (MLATs enable gathering and sharing of data between countries for law enforcement purposes.)

Continue Reading