US government can access data with or without the Patriot Act says Microsoft associate general counsel
Microsoft’s Australasian legal chief says there is nothing to fear from the Patriot Act when considering a move to cloud-based services, because the U.S. government can access your data regardless.
The Patriot Act has been cited as a reason for caution when considering cloud computing using providers in the United States. Some fear that this law, passed in the wake of the September 11 2001 terrorist attacks, could permit U.S. government agencies to access their private data if it is stored at a data centre in the U.S.
Lawyer Jeff Bullwinkel — associate general counsel and director of legal and corporate affairs at Microsoft Australia and New Zealand — in a recent blog, says there is no reason to fear the Patriot Act specifically. However, his comments are scarcely a reassurance. The U.S. government can access your data with or without the Patriot Act, he says.
The Act merely gathers in one place a series of amendments to other legislation, Bulwinkel writes: “Therefore, to the extent the U.S. government can access data, it is generally not through the Patriot Act, but it may be through existing laws amended by the Patriot Act, as well as decades-old judicial decisions in the U.S. providing for extraterritorial subpoena power in limited circumstances.
“In fact,” he adds, “U.S. courts have long held that a company with a presence in the U.S. is obligated to respond to a valid demand by the U.S. government for information — regardless of the physical location of the information — so long as the company retains custody or control over the data.”
A key court decision in this area was taken as long ago as 1984 in the case of the United States v. Bank of Nova Scotia. The court required the U.S. branch of a Canadian bank to produce documents held in the Cayman Islands, for use in U.S. criminal proceedings.” Some will argue that this decision went too far, Bulwinkel acknowledges; “But what many overlook is that the legal principle on extraterritorial jurisdiction — requiring companies with contacts or presence within a territory to comply with lawful requests for information by the government in that territory — has long been followed in many other countries.”
An Australian Federal court decision in 1999, for example, required an Australian branch of a Maltese bank to produce documents held in Malta for use in Australian criminal proceedings.
The Patriot Act may make it “slightly easier” for the U.S. government to access data, he says, but it does not change any fundamental principle.
Nor are the provisions of U.S. legislation regarding access to data unique to data held by U.S. companies. “Like all U.S. laws, the Patriot Act and related laws apply equally to every company doing business in the U.S., whether or not the company is based in the U.S.”
Moreover, given that most countries cooperate closely in law enforcement matters, it is likely that even if none of the data is in the U.S., the U.S. government — or any other government in similar circumstances — could gain access to it by using bilateral mutual assistance treaties on law enforcement, he says.
New Zealand Computer Society CEO Paul Matthews, who is coordinating moves towards a cloud-computing code of practice in New Zealand, agrees with Bullwinkel’s analysis.
“The issue of data sovereignty and cross-border jurisdiction, which is really what we’re talking about here, is a very significant one and the clients that Mr Bullwinkel writes about are raising very valid concerns,” he says in an email to CDN sister publication Computerworld.
“Whether it’s the specific Patriot Act or other legislation that empowers (for example) the US Government to compel U.S. companies to hand over data is not relevant — what’s relevant is that they can and will.
“In many cases that simply doesn’t matter — most companies may well determine they have nothing of particular interest to the authorities in other jurisdictions that might have different privacy rules than our own, and that they’re happy with that situation. However the important thing is that that is a determination for the owner of the data to make, not for their vendor to assume on their behalf.
“In many respects this gets to the heart of one of the key components of the upcoming Cloud Code of Practice – disclosure.
“It’s fundamentally important that those utilizing cloud services are aware [firstly] of the risks that their data might face, such as the fact that if stored in a different jurisdiction then different rules might apply, and [secondly] what this actually means to them and their business,” he writes.