Since its passage in 2001, there has been a lot of media attention given to critics of the Patriot Act at home and abroad. Privacy and government accountability concerns have been raised over some of the provisions of the Act, and in recent years, these concerns have been co-opted by some European hosts who have twisted them into marketing propaganda. Basically, they claim that hosting in Europe is more “secure” than hosting in the US, which is complete and utter nonsense.
Part of the argument these groups make—captured succinctly here—is that not only do all customers of US hosts with data housed in US data centers fall under the Patriot Act, but those who house their data in foreign data centers operated by US companies fall under US law as well.
To be sure, some of this fear has come from statements made by American companies hosting data in Europe, including Microsoft, which — during its June 2011 launch of Office 365 in London — admitted that European data, stored or processed in Europe by Microsoft, would fall under the jurisdiction of the Patriot Act.
News of the reach of the Patriot Act has led many to believe that US companies — and their servers — are somehow inherently less secure than European hosts.
But those who cite this as a reason to host with European providers miss or ignore the facts of European law.
In spite of the rhetoric coming out of Europe and other corners, there is nothing inherently more private about hosting in-country. It's a sales ploy dressed up as a privacy statement. No less an authority than the Irish Data Protection Commissioner, Billy Hawkes, stood at the podium at SecureCloud Europe last month and, when asked whether the Patriot Act should keep people from hosting in the US, said that "on the list of things you should worry about with Privacy, the Patriot Act should be at the bottom of your list."
Law Firm Hogan Lovells recently published the results of a study of government access to the cloud. In it, they compared data access laws in Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, United Kingdom, and the United States.
The conclusions of the report are simple: claims that the US Patriot Act is any more onerous than regulations in any of the other countries are completely unfounded.
Here is a summary chart of the study results published in Hogan Lovells’ Chronicle of Data Protection.
| Country | May government require a Cloud provider to disclose customer data in the course of a government investigation? | May a Cloud provider voluntarily disclose customer data to the government in response to an informal request? | If a Cloud provider must disclose customer data to the government, must the customer be notified? | May government monitor electronic communications sent through the systems of a Cloud provider? | Are government orders to disclose customer data subject to review by a judge?* | If a Cloud provider stores data on servers in another country, can the government require the Cloud provider to access and disclose the data? |
|---|---|---|---|---|---|---|
| Australia | Yes | Yes, except for personal data without a legal purpose | No | Yes | Yes | Yes |
| Canada | Yes | Yes, except for personal data without a legal purpose | No | Yes | Yes | Yes |
| Denmark | Yes | Yes, except for personal data without a legal purpose | No | Yes | Yes | Yes |
| France | Yes | Yes, except for personal data without a legal purpose, electronic communication | No | Yes | Yes | Yes |
| Germany | Yes | Yes, except for personal data without a legal purpose, electronic communication | Yes, except may delay until disclosure no longer would compromise the investigation | Yes | Yes | No, not without cooperation from the other country's government, except for telco customer non-content data |
| Ireland | Yes | Yes, except for personal data without a legal purpose | No | Yes | Yes | Yes |
| Japan | Yes | No, must request data through legal process | No | Yes | Yes | No, not without cooperation from the other country's government |
| Spain | Yes | Yes, except for personal data without a legal purpose | No | Yes | Yes | Yes |
| United Kingdom | Yes | Yes, except for personal data without a legal purpose | No | Yes | Yes | Yes |
| United States | Yes | No, must request data through legal process | Yes, for content data, except when the government obtains a search warrant or unless disclosure would compromise the investigation | Yes | Yes | Yes |
According to the Hogan Lovells study, and contrary to popular belief, the Patriot Act requires legal process for all requests for information. While there are some circumstances where that process is expedited, each request must still be made under the law, and expedited requests may only relate to certain categories of information.
In many cases, U.S. warrant requirements are actually more extensive than those in Europe. While the Patriot Act has become a rallying point internationally for those who are concerned about law enforcement overreach, it should be considered alongside other, similar statutes like the UK's Regulation of Investigatory Powers Act 2000 (RIPA). Part III of RIPA, among other things, allows the British government to compel entities to hand over encryption keys, or the decrypted data itself, upon receipt of a "Section 49" notice, which can be issued by any of a number of different authorities including law enforcement, the military and customs. In other words, encrypting data before hosting it in the UK does not put it beyond the reach of a government demand there either.
In the end, no European or North American country's laws are more far-reaching than another's. Security threats in today's world shape the laws across all jurisdictions. Whether you're a privacy hawk or just a concerned business owner, know that if you have concerns with the data collection laws in one country, chances are you will have equally important concerns with the laws in another.

Photo by Surian Soosay