Internet Governance

Separating Myth From Fact: Privacy in the Cloud at Home and Abroad

Who's putting cookies on your computer?


Since its passage in 2001, there has been a lot of media attention given to critics of the Patriot Act at home and abroad. Privacy and government accountability concerns have been raised over some of the provisions of the Act, and in recent years, these concerns have been co-opted by some European hosts who have twisted them into marketing propaganda. Basically, they claim that hosting in Europe is more “secure” than hosting in the US, which is complete and utter nonsense.

Part of the argument these groups make—captured succinctly here—is that not only do all customers of US hosts with data housed in US data centers fall under the Patriot Act, but those who house their data in foreign data centers operated by US companies fall under US law as well.

To be sure, some of this fear has come from statements made by American companies hosting data in Europe, including Microsoft, which — during its June 2011 launch of Office 365 in London — admitted that European data, stored or processed in Europe by Microsoft, would fall under the jurisdiction of the Patriot Act.

News of the reach of the Patriot Act has led many to believe that US companies — and their servers — are somehow inherently less secure than European hosts.

But those who cite this as a reason to host with European providers miss or ignore the facts of European law.

In spite of the rhetoric coming out of Europe and other corners, there is nothing inherently more private about hosting in-country. It’s a sales ploy dressed up as a privacy statement. No less an authority than the Irish Data Protection Commissioner, Billy Hawkes, stood up at the podium at SecureCloud Europe last month and, asked whether the Patriot Act should keep people from hosting in the US, said that “on the list of things you should worry about with Privacy, the Patriot Act should be at the bottom of your list.”

Law firm Hogan Lovells recently published the results of a study of government access to the cloud. In it, they compared data access laws in Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, the United Kingdom, and the United States.

The conclusions of the report are simple: claims that the US Patriot Act is any more onerous than regulations in any of the other countries are completely unfounded.

Here is a summary chart of the study results published in Hogan Lovells’ Chronicle of Data Protection.

| Country | May government require a Cloud provider to disclose customer data in the course of a government investigation? | May a Cloud provider voluntarily disclose customer data to the government in response to an informal request? | If a Cloud provider must disclose customer data to the government, must the customer be notified? | May government monitor electronic communications sent through the systems of a Cloud provider? | Are government orders to disclose customer data subject to review by a judge?* | If a Cloud provider stores data on servers in another country, can the government require the Cloud provider to access and disclose the data? |
| --- | --- | --- | --- | --- | --- | --- |
| Australia | Yes | Yes, except for personal data without a legal purpose | No | Yes | Yes | Yes |
| Canada | Yes | Yes, except for personal data without a legal purpose | No | Yes | Yes | Yes |
| Denmark | Yes | Yes, except for personal data without a legal purpose | No | Yes | Yes | Yes |
| France | Yes | Yes, except for personal data without a legal purpose, electronic communication | No | Yes | Yes | Yes |
| Germany | Yes | Yes, except for personal data without a legal purpose, electronic communication | Yes, except may delay until disclosure no longer would compromise the investigation | Yes | Yes | No, not without cooperation from the other country’s government, except for telco customer non-content data |
| Ireland | Yes | Yes, except for personal data without a legal purpose | No | Yes | Yes | Yes |
| Japan | Yes | No — must request data through legal process | No | Yes | Yes | No, not without cooperation from the other country’s government |
| Spain | Yes | Yes, except for personal data without a legal purpose | No | Yes | Yes | Yes |
| United Kingdom | Yes | Yes, except for personal data without a legal purpose | No | Yes | Yes | Yes |
| United States | Yes | No — must request data through legal process | Yes, for content data, except when the government obtains a search warrant or unless disclosure would compromise the investigation | Yes | Yes | Yes |

According to the Hogan Lovells study — and contrary to popular belief — the Patriot Act requires legal process for all requests for information. While there are some circumstances where that process is expedited, the requests must each be made under the law, and expedited requests may only relate to certain categories of information.

In many cases, U.S. warrant requirements are actually more extensive than those in Europe. While the Patriot Act has become a rallying point internationally for those who are concerned about law enforcement overreach, it should be considered alongside other, similar statutes like the UK’s RIP Act of 2000. Part III of RIPA — among other things — allows the British government to force entities to turn over encryption keys upon receipt of a “Section 49” request from any number of different authorities, including law enforcement, military and customs.

In the end, no European or North American country’s laws are more far-reaching than another’s. Security threats in today’s world affect the laws across all jurisdictions. Whether you’re a privacy hawk or just a concerned business owner, know that if you have concerns with the data collection laws in one country, chances are you will have equally important concerns with the laws in another.

Photo by Surian Soosay