It seems somewhat fitting to blog about the USA Patriot Act on this Fourth of July. On the second day of the annual Privacy Laws & Business conference in Cambridge, Peter McLaughlin, senior counsel at Foley & Lardner, took to the floor with the aim of “distinguishing fact and fiction about the scope of the law and its impact on companies outside the United States” for a predominantly European audience.
In the last slot of the day, the audience at the well-attended session looked for reassurance from McLaughlin that using U.S.-parented IT services or cloud providers would not put their organisation’s data within the reach of the U.S. government. The issue has received considerable press coverage in Europe: a Dutch regulator stated at one point that Dutch government entities should not use the cloud given the Patriot Act risks.
The audience’s hopes were dashed as McLaughlin confirmed that where a service provider has a U.S. presence (e.g. headquarters, affiliates or sales teams) sufficient to satisfy the “minimum contacts with U.S.” test, the Patriot Act applies; and if that part of the organisation has “control” over data located outside the United States, whether through contract, corporate structure or technology, it can be compelled to produce that data.
Whilst the law appears far-reaching, it must be considered in the proper perspective. First, look at your own organisation: does it have a U.S. presence of any kind? If that presence is sufficient to constitute minimum contacts, you are likely to be subject to Patriot Act requests directly, and your risk profile does not change dramatically if you also use a U.S. service provider.
Then consider what type of information your organisation holds. Outside of banking data, communications data, travel data and an individual’s research (via Google or library records), most data processed by organisations, such as employee records, is unlikely to be of interest in U.S. counter-terrorism investigations. Other European data, such as employment records and email messages, may be subject to foreign law enforcement agency requests outside of the Patriot Act (for example by the Securities and Exchange Commission or the Internal Revenue Service). These requests raise similar issues for organisations and highlight the need for data minimization, as both Vivienne Artz of Citigroup and Dr. Alexander Dix, Berlin Commissioner for Data Protection and Freedom of Information, expressed during an earlier conference session. If you don’t collect or retain the data in the first place, you do not need to worry about anyone else getting access to it.
Even if your organisation has no links with the United States and you retain all your data in-house, the United States can still request disclosure of data held in Europe through the network of Mutual Legal Assistance Treaties (MLATs), which cover many European countries. In addition, we should not forget that nearly every government in the world has enacted laws giving itself rights to access data, some of which are at least as extensive as the Patriot Act. (This fact is highlighted by a recent Hogan Lovells white paper on government access to data in the cloud.) Requests via the MLATs or from other European governments may not give rise to the same privacy issues (e.g. the export and disclosure being justified by an EU-based legal obligation) and offer a degree of protection, since the request has to be approved by EU-based institutions that have privacy ingrained in their psyche; but such disclosures can still lead to reputational damage and breach of customer contracts for service providers.
What’s the answer? Clearly, it is hard to eliminate the disclosure risk completely unless both you and your service providers have no U.S. presence and you are not subject to any MLAT. However, the risk should be put into context and compared with the existing disclosure risks arising from your organisation’s own structure. You should conduct due diligence on your potential provider’s U.S. presence and ensure you understand where your data will physically reside. Contractual restrictions and encryption can also help to reduce the risk of disclosure, but they cannot eliminate it: encryption only narrows what a provider can be compelled to hand over to the extent that the provider (including its U.S. affiliates) never holds the keys, since a provider that controls the keys controls the data in the sense McLaughlin described. McLaughlin summed it up well by using the now-infamous words of his former colleague, Scott McNealy of Sun Microsystems: “You have no privacy anyway; so get over it.”
The Patriot Act may attempt to exert extra-territorial jurisdiction, but Europe can hardly complain given the new EU data protection regulation, which applies to any entity supplying goods or services to EU consumers or monitoring their behaviour. On Thursday, we will summarise the key areas of concern highlighted by regulators and business at the PL&B conference.