Cloud computing in the context of the USA PATRIOT ACT
February 2012 – The rapid spread of cloud services is one of the most characteristic trends and a driving force in the IT market these days. However, data privacy concerns pose significant barriers to the acceptance of cloud services by several companies. Some of the most important privacy-related concerns arise in connection with cloud services offered by corporations that are based in the United States. These concerns stem from the general opinion in Europe that US government agencies could gain easy access to customer data stored “in the cloud” under the terms of the USA PATRIOT Act (an acronym for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001”).
However, contrary to common belief, the USA PATRIOT Act is not in itself a vehicle used by the US government to access customer data. Rather, it is intended to unify in a single piece of legislation the various pre-existing (and, it has to be said, rather patchy) federal statutes authorising the US government to monitor electronic communications and to access electronic data for investigative purposes.
The USA PATRIOT Act allows the US security services general access to various records and registers and types of electronic communications., and permits them to seize electronic data. These powers relate not only to data stored in the US – the US security agencies can also demand that companies operating in the US provide access to data that is stored by them anywhere else in the world.
Even so, the powers granted to the government by the USA PATRIOT Act are limited to national security purposes (i.e. to tackle terrorism and the financing of terrorism). Moreover, there is nothing new when it comes to the territorial reach of the USA PATRIOT Act. Long before it was enacted, companies with a corporate presence in the US were obliged to disclose information upon a valid demand made by the US authorities regardless of the actual location of the data recording such information.
In point of fact, the national security or criminal procedure acts of several European countries provide their own respective national authorities with the same investigative tools as those included in the USA PATRIOT Act. And actually, quite a few examples of surveillance procedures under Hungarian law are similar to those set out in the USA PATRIOT Act (such as those included in Act CXXV of 1995 on National Security Services, or Act XIX of 1998 on Criminal Procedure – these laws also provide for covert means of surveillance).
Where justified, any communications data may be accessed by government authorities, whether in the US or in an EU Member State. Nevertheless, EU-based companies may still be reluctant to use cloud service providers that have a presence in the US simply because access to their customers’ data falls within the jurisdictional reach of the US authorities – notwithstanding the fact that the terms and conditions regulating such access are substantially similar to those of the country in which they actually operate.
For more information please contact Ákos Nagy, Counsel, at .