Should European businesses really fear the USA Patriot Act?
The US Patriot Act has struck fear into European users but don't forget that our authorities have powers too
The USA Patriot Act probably ranks alongside Sarbanes-Oxley in terms of recognition and fear of US legislation outside the US. It is widely known that this is the means by which FBI can get access to confidential data and the reason that some UK businesses may be holding back from cloud adoption, preferring an on-premise solution. But are they right to fear the Patriot Act?
The EU data protection regime prevents the transfer of data outside the European Economic Area to a country with inadequate data protection laws or unless the recipient will provide the adequate protection. The European Commission keeps a list of safe countries. Canada and Switzerland are on this list and so is the EU-US negotiated self-regulated Safe Harbor. Most of the large US cloud providers have signed up to the Safe Harbor principles which allow them to transfer data from the EU to the US. The EU Commission is proposing to extend data protection in its proposed new data protection regulation by stating that it applies to EU data held outside the EU.
The USA Patriot Act was passed shortly after the atrocities of 11 September and served to revise and consolidate counter-terrorism laws. This includes sweeping surveillance and search powers without the need for court order. The American Civil Liberties Union has challenged the issue of “National Security Letters” which allows the FBI to collect information and to prevent anyone receiving a letter from publicising it. While they have had some success, the Act remains in force.
Impact outside the US
Keeping data in the EU is not enough. In June 2011, the managing director of Microsoft UK admitted that it would comply with the Patriot Act as its headquarters are based in the US. While it would try to inform its customers before this happens, it would not guarantee this. This means that if you do business with a UK subsidiary of a US-based cloud operator and you specify that English law applies and you choose a UK-based data centre operating under EU data protection laws, the FBI can still get access to your data. While this had already been suspected, this was the first clear affirmation and is true for any US-based cloud provider.