Security Experts:

Patriot Act and Cloud Privacy: Notes from Europe

I love how Europeans pronounce my name. Gant sounds like Gawnt and rhymes with jaunt. In America, people say Gant, like Ant. Not so dashing.

So speaking at the European Association of Corporate Counsel conference in Barcelona last month where attorneys from major European corporations pronounced Gant the European way was quite the treat. What was not music to my ears was concern I heard from European counsel over US companies that host information in the US. These folks often cited the USA Patriot Act of 2001 as the boogieman that would leave their information free for plunder by the dark and clandestine US Government. But are their concerns well founded?

A great place to start is with the Patriot Act itself. We all have a sense of what it is: something that lets the US Government take the gloves off when it comes to terrorism. That’s a good start, but there are 132 pages to the monster and it covers a lot of territory. It begins by condemning discrimination against Arab and Muslim Americans. Then it amends a lot of other laws so that more modern forms of electronic communication are available for law enforcement to tap. A huge part of the Act is focused on international money laundering and terrorist financing. There are provisions to harden US borders and to provide assistance to the families and victims of terrorism. Criminal laws against terrorism are stiffened and sharing of intelligence within the government is called for. And a lot of money is allocated to make it all happen.

So what’s the part that gets non-US folks in a twist? That would be Section 215, which amends the Foreign Intelligence Surveillance Act of 1978. It says the Director of the FBI can ask a special court for an order to see records to protect against terrorists and spies, provided First Amendment rights aren’t violated. Next comes the part I think my European colleagues are most concerned about: pursuant to that court order, the recipient can’t tell the owner of the info about the disclosure, and it offers immunity for those who do the disclosing.

Fair enough. Sounds like if someone really senior at the FBI needs to go to court for an order, they can present that order to a company, and the company can’t tell the data owner about it. Lack of notice is a bit troubling on its face, but let’s compare this process to how governmental searches happen in other countries.

The truth is that, generally, authorities in all countries may require a data host to disclose customer data in the course of a governmental investigation without notice to the data owner. Investigation without notice to the subject is neither novel nor unique to the Patriot Act. What is unique to the Patriot Act compared to most other countries is the need for a court order. Most other countries allow their government authorities to go directly to the data host with administrative orders to produce data. That’s a lower bar to disclosure.

European marketers have made Europeans fearful of putting their data in the US. But do you really think the physical location of data matters? The US and other countries have two primary ways to get at data not stored in their country. The first is simple jurisdiction based on a legal presence. Most authorities will claim jurisdiction over data outside of the country as long as the company has an office in that country. So you can be a UK company with a US office and the US can still get to data stored in the UK or a third country. The exceptions to this are Germany and Japan, which limit discovery to in-country data, except for non-content data from telcos in Germany, and only with cooperation from the other country in Japan.

Speaking of cooperation, the second way for authorities to get at data out of the country is via Multi National Legal Assistance Treaties or MLATs. These treaties allow authorities in each country to request and receive information located in the other’s jurisdiction (including information stored in third-party facilities). So if the US or UK authorities need information from one another regarding a criminal activity, that information will be made available.

The Patriot Act is no different than the laws of many other countries and actually offers more protections than in many of those countries. In addition, the US and other countries have other options when it comes to getting at data through simple jurisdiction and MLATs. The Patriot Act was created to prevent terrorism, not to be twisted into a fear-based marketing tool.

I hope I have removed the clandestine mystique from the Patriot Act and calmed fears of those with data hosted in the US. Now if only I could get Americans to pronounce my name like those Europeans.

Gant Redmon, Esq., is General Counsel & Vice President of Business Development at Co3 Systems. Gant has practiced law for nineteen years, fifteen of those years as in-house counsel for security software companies. Prior to Co3, Gant was General Counsel of Arbor Networks. In 1997, he was appointed to membership on President Clinton’s Export Council Subcommittee on Encryption. He holds a Juris Doctorate degree from Wake Forest University School of Law and a BA from the University of Virginia, and is admitted to practice law in Virginia and Massachusetts. Gant also holds the CIPP/US certification.