You won’t be surprised to learn that US law allows the US government access to business records for intelligence investigations. But did you know that the confidential data of non-US organisations is potentially open to disclosure to the US authorities via any US-based service provider (or non-US-based affiliate) handling that data?
Under Section 215 of the US Patriot Act, if an FBI application for disclosure of information meets the relevant requirements, a US judge must enter an ex parte order approving the release of items sought.
Many European firms are concerned that the law is a back-door route for disclosure of customer data to the US authorities.
Take the case of a European bank that wishes to outsource services which involve access to its European customers’ data. The bank chooses a highly reputable global but US-headquartered services provider. The bank will no doubt include in its contract robust data security arrangements, including provisions that comply with EU laws which prohibit transfers of data outside the European Economic Area. The bank may think that there is no chance of its data being disclosed to the US government (or anyone else) without its consent. It would be wrong.
If the bank is contracted directly with a US-based company, the services provider is subject to the jurisdiction of the US authorities. When faced with the combined might of the FBI and the US government, there must be a possibility that the services provider would disclose any information demanded by the authorities.
Anti-tipping-off provisions in the Act also prevent the services provider from informing its customer of the order for disclosure. The contract may require the services provider to resist or challenge any subpoena, but how far must it go to comply with such provisions?
Even if the bank ensures that the services provider doesn’t use any US-based resources to undertake services under the contract, it is not necessarily safe: the FBI and Department of Justice can seek enforcement against non-US subsidiaries of US corporations.
There are limits to the authorities’ rights, and routes to object to disclosure. But some European firms are thinking carefully about how to structure their arrangements with US service providers, and non-US-based outsourcing customers should take steps to minimise the likelihood of their data being subject to orders for production under the Act.
About the author
Alistair Maughan is a partner at Morrison & Foerster, an international law firm