United States: The USA Patriot Act and the Privacy of Data Stored in the Cloud

Last Updated: January 24 2012
Article by Alex C. Lakatos

Originally published Winter 2012

Keywords: European consumers, USA Patriot Act, online data, cloud servers, US providers

European consumers have expressed concern that the USA Patriot Act (the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001" or "Patriot Act") will afford the US government undue and unfettered access to their data if they choose to store it on the cloud servers of US providers (e.g., Microsoft or IBM). A recent survey found that 70 percent of Europeans have concerns about their online data and how well it is secured. For many, these fears were exacerbated by an announcement by Gordon Frazer, the managing director of Microsoft UK, that he could not guarantee that data stored on Microsoft servers, wherever located, would not end up in the hands of the US government, because Microsoft, a company based in the United States, is subject to US laws, including the Patriot Act. Aware of these concerns, some EU data centers have gone so far as to advertise that they provide "a safe haven from the reaches of the Patriot Act."

To evaluate the validity of these concerns, several questions must be considered. First, exactly what information does the Patriot Act reach? Second, how likely is it, as a practical matter, that the Patriot Act will ever be used to reach a European company's data stored in the cloud? Finally, how does that risk compare with exposure that European companies already face, such as the prospect of their home-country governments accessing their cloud-stored data? As Ambassador Phillip Verveer, the US State Department's Coordinator for International Communications and Information Policy, explains, "[t]he PATRIOT Act has come to be a kind of label for [privacy] concerns.... We think, to some extent, it's taking advantage of a misperception, and we'd like to clear up that misperception."

This article seeks to dispel some of the myths shrouding the Patriot Act, and to provide an assessment of the risks the Patriot Act poses to data stored in the cloud, particularly where the data, or its owner, are based outside of the United States.

Patriot Act Discovery Tools for Law Enforcement

Contrary to a common misconception, the Patriot Act did not create entirely new procedural mechanisms for US law enforcement to use to obtain data in furtherance of its investigations. However, the Patriot Act did expand certain discovery mechanisms already available to US law enforcement. Two of these expanded mechanisms that US law enforcement could use to access data in the cloud that warrant discussion are FISA Orders and National Security Letters.

FISA Orders

Prior to enactment of the Patriot Act, the Foreign Intelligence Surveillance Act permitted the FBI to apply to a special court, the Foreign Intelligence Surveillance Court, for a FISA Order to obtain the business records of third parties for the purpose of foreign intelligence and international terrorism investigations. Originally, however, such business records were limited to car rental, hotel, storage locker, and common-carrier records.

Title II of the Patriot Act, "Enhanced Surveillance Procedures," expanded the reach of FISA Orders to allow the FBI to obtain "an order requiring the production of any tangible things (including books, records, papers, documents and other items) for an investigation to protect against international terrorism and clandestine intelligence activities." This includes data in the cloud. To obtain a FISA Order, the FBI must specify that the tangible things sought are for an authorized investigation either to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities.

FISA Orders, particularly as expanded under Section 215 of the Patriot Act, have given rise to privacy concerns for several reasons. First, such orders may be granted ex parte, meaning with only the FBI presenting evidence to the court. Second, Section 215 includes a "gag" provision that prohibits the party that receives a FISA Order from disclosing that fact. This typically would prevent a cloud service provider from informing its customers that the service provider had shared their data with the FBI in response to a FISA Order. Third, the fact that Section 215 allows the FBI to obtain a person's library records sparked significant protests that the provision was invasive of reader privacy. Finally, the American Civil Liberties Union objects that "[t]he FBI need not show probable cause, nor even reasonable grounds to believe, that the person whose records it seeks is engaged in criminal activity."

In the USA Patriot Act Improvement and Reauthorization Act of 2005, enacted March 9, 2006, Congress took several steps to address these concerns, including adding provisions to allow the recipient of a FISA Order to oppose it before the Foreign Intelligence Surveillance Court and also, after a one-year hiatus, to contest the gag provision. Congress also required the US Attorney General to promulgate regulations to "minimize the retention, and prohibit the dissemination, of non-publicly available information." Notwithstanding these efforts, privacy and civil liberties advocates remain deeply troubled by Section 215.

What is the practical effect of FISA Orders on users of US cloud services? The answer is that the FBI rarely uses FISA orders. In 2010, the US government made only 96 applications to the Foreign Intelligence Surveillance Courts for FISA Orders granting access to business records. There are several reasons why the FBI may be reluctant to use FISA Orders: public outcry; internal FBI politics necessary to obtain approval to seek FISA Orders; and the availability of other, less controversial mechanisms, with greater due process protections, to seek data that the FBI wants to access. As a result, this Patriot Act tool poses little risk for cloud users.

National Security Letters

The National Security Letter (NSL) is a form of administrative subpoena that the FBI and other US government agencies can use to obtain certain records and data pertaining to various types of government investigations.

When the Patriot Act was enacted, there were already four federal statutes authorizing enumerated government authorities (chiefly the FBI) to issue NSLs. First, under the Right to Financial Privacy Act (RFPA), the FBI and the Secret Service may obtain financial records from financial institutions such as banks, securities brokerages, car dealers, pawn brokers, casinos, and real estate agents (accountants and auditors, however, are not included).

Second, under the Fair Credit Reporting Act, the FBI may use a NSL to obtain from a consumer reporting agency (e.g., the three major credit bureaus: TransUnion, Equifax, Experian) the names and addresses of all financial institutions at which a consumer maintains or has maintained an account, plus consumer-identifying information such as name, address and employment history.

Third, under the Electronic Communications Privacy Act, the FBI may request, from wire or electronic service providers (including Internet service providers), subscriber information, toll-billing records information, and electronic communication transactions records. The US Department of Justice takes the position that this includes, with regard to email accounts, the name, address, and length of service of a person, as well as email addresses associated with an account and screen names.

Fourth, under the National Security Act, an authorized government investigative agency may request any of the types of information described above, from any of the sources described above, when necessary to conduct security checks of government employees or investigate US government employees believed to be spying for foreign powers.

Title V of the Patriot Act, Removing Obstacles to Investigating Terrorism, expanded the FBI's authority to make NSL requests beyond its headquarters, to its 56 field offices; eliminated the requirement that the information sought relate to a foreign power, instead requiring that the NSL request be relevant to international terrorism or foreign spying; and allowed the FBI to obtain full consumer credit reports. The Patriot Act also added another NSL section to the Fair Credit Reporting Act, this one allowing not just the FBI, but any government agency, to obtain information from a consumer-reporting agency in connection with international terrorism or intelligence activities.

After the Patriot Act expanded the scope of NSLs as described above, their use began to rise. The Department of Justice reported to Congress that in 2010 the FBI made 24,287 NSL requests (excluding requests for subscriber information only).

NSLs give rise to privacy concerns and, according to critics, the potential for abuse, for several reasons. First, the FBI may issue NSLs on its own initiative, without the authorization of any court. (This was true even before the Patriot Act.) Nothing in the Patriot Act provides for any judicial review of the FBI's decision to issue an NSL. Second, the NSL statutes impose a gag requirement on persons receiving an NSL. In addition, the Attorney General Guidelines and various information-sharing agreements require the FBI to share NSL information with other federal agencies and the US intelligence community.

The Reauthorization Act tried to redress some of these concerns. It provided a right to judicial review of NSLs and a right to petition a court to lift the gag order. The Reauthorization Act also provided criminal penalties for violating gag obligations with the intent to obstruct an investigation.

So where does this complex statutory scheme leave cloud users? While the use of NSLs is not uncommon, the types of data that US authorities can gather from cloud service providers via an NSL are limited. In particular, the FBI cannot properly insist via an NSL that Internet service providers share the content of communications or other underlying data. Rather, as set forth above, the statutory provisions authorizing NSLs allow the FBI to obtain "envelope" information from Internet service providers. Indeed, the information that is specifically listed in the relevant statute is limited to a customer's name, address, and length of service.

The FBI often seeks more, such as who sent and received emails and what websites customers visited. But, more recently, many service providers receiving NSLs have limited the information they give to customers' names, addresses, length of service and phone billing records. "Beginning in late 2009, certain electronic communications service providers no longer honored" more expansive requests, FBI officials wrote in August 2011, in response to questions from the Senate Judiciary Committee.

Although cloud users should expect their service providers that have a US presence to comply with US law, users also can reasonably ask that their cloud service providers limit what they share in response to an NSL to the minimum required by law. If cloud service providers do so, then their customers' data should typically face only minimal exposure due to NSLs.

Other Law Enforcement Tools

As discussed above, the two law enforcement tools for discovery of third-party data that were most significantly enhanced by the Patriot Act and that have given rise to significant concerns by European critics of the Patriot Act—FISA Orders and NSLs—should not, as a practical matter, pose a significant risk to European data on the servers of US-based cloud providers. But it would be a mistake to end the analysis there.

Search Warrants and Grand Jury Subpoenas

US federal law enforcement has other, more traditional mechanisms for obtaining information it deems necessary to support its investigative efforts, such as search warrants (which must be approved by a US court upon a showing of probable cause) and grand jury subpoenas, which are issued by a US federal prosecutor in support of an ongoing grand jury investigation (and which a recipient may move to quash in court). These mechanisms also can be used to obtain data stored in the cloud. Should the risks these tools pose cause European companies to eschew US cloud services?

At the outset, consider that search warrants and grand jury subpoenas are hardly new. Search warrants trace their roots in the United States back at least to the Bill of Rights (ratified in 1791): the Fourth Amendment provides for protection against searches and seizures in the absence of a properly obtained warrant. Similarly, the grand jury has been functioning as an institution for receiving evidence of criminal activity since the Magna Carta and also has been incorporated into the US Constitution.

Moreover, Europeans (and others) have comparable discovery mechanisms in their home countries. For example, in France, the Police Nationale and the Gendarmerie Nationale both can execute search warrants. Article 13 of Germany's Basic Law similarly recognizes judicially ordered search warrants. And, of course, US search warrants have their roots in English law. Accordingly, to the extent European consumers wish to avoid any risk that any government will access their cloud data, merely avoiding US service providers is unlikely to help.

MLATs

Sequestering data on European cloud servers may be an ineffective prophylactic against US government access for another reason. The United States and most European governments have entered into bilateral Mutual Legal Assistance Treaties (MLATs). In a typical MLAT, the two countries commit to provide one another with "the widest measure of mutual assistance in investigations or proceedings in respect of criminal offenses...."

In 2003, the United States and the European Union entered into an MLAT with a provision addressing data protection. That provision governs MLAT requests made pursuant to prior bilateral MLATs between EU Member States and the United States. The comments to the EU-US MLAT explain that this provision was "meant to ensure that refusal of assistance on data protection grounds may be invoked only in exceptional cases." Accordingly, US MLAT requests, particularly those concerning terrorism investigations, are seldom denied for data protection reasons.

US Jurisdictional Limitations

In the United States, only a party amenable to what is known as "personal jurisdiction" can be subject to a search warrant, grand jury subpoena, NSL, FISA Order or other enforceable request for documents or data. The fundamental requirements for exercising personal jurisdiction over an individual or corporation are grounded in the Constitution, and the Patriot Act did not alter those principles (nor did it purport to do so).

In the context of personal jurisdiction, due process considerations prohibit courts from exercising jurisdiction over a witness who lacks minimum contacts with the forum. In the case of a corporation, this means that any corporation based in the United States will be subject to US jurisdiction and, thus, can be subject to FISA Orders, NSLs, search warrants, or grand jury subpoenas. The same is generally true for a non-US corporation that has a location in the United States or that conducts continuous and systematic business in the United States.

Furthermore, an entity that is subject to US jurisdiction and is served with a valid subpoena must produce any documents within its "possession, custody, or control." That means that an entity that is subject to US jurisdiction must produce not only materials located within the United States, but any data or materials it maintains in its branches or offices anywhere in the world. The entity even may be required to produce data stored at a non-US subsidiary.

What does this mean for non-US consumers of cloud services? First, US law enforcement authorities may serve FISA Orders, NSLs, warrants or subpoenas on any cloud service provider that is US-based, has a US office, or conducts systematic or continuous US business—even if the data is stored outside the United States. Thus, merely choosing a European cloud service provider is not enough to ensure that data is beyond the reach of US jurisdiction and the Patriot Act.

Second, US law enforcement authorities may serve FISA Orders, NSLs, warrants or subpoenas on any cloud service customer that is US-based, has a US branch, or conducts systematic or continuous US business—even if the data is stored outside the United States. Many European entities have a US presence, and their US presence will allow them to be subject directly to the authority of US law enforcement, regardless of what company they use for cloud storage.

The Patriot Act and European Data Protection

The European Commission's Directive on Data Protection generally prohibits the transfer of personal data to non-European Union countries that do not meet the EU "adequacy" standard for privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy. To bridge these different privacy approaches, the Department of Commerce, in consultation with the European Commission, developed a "Safe Harbor" framework. By joining and adhering to the EU-US Safe Harbor Agreement, US companies can demonstrate that their data protection practices meet EU data protection requirements. European companies then can share data with US participants in the Safe Harbor agreement without violating their home country data protection laws.

The Safe Harbor Agreement contains a provision that allows US companies to comply with applicable US laws compelling the production of data, including the Patriot Act. It is anticipated, however, that at the World Economic Forum in January 2012, the European Commission will announce legislation to repeal the existing EU data protection directive and replace it with a more robust framework. The new legislation might, among other things, replace EU/US Safe Harbor regulations with a new approach that would make it illegal for the US government to invoke the Patriot Act on a cloud-based or data processing company in efforts to acquire data held in the European Union. The Member States' data protection agency with authority over the company's European headquarters would have to agree to the data transfer.

The foregoing developments may significantly affect the legal landscape for protection of data on the cloud servers in the cross-border context and, thus, should be monitored closely. However, it may be years before the new legislation is enacted (the current EU Data Protection Directive took three years to be enacted). By that time, changes in technology may present entirely new challenges and considerations.

Conclusion

Consumers of cloud services are wise to consider all types of risk to their data, whether from their home country's government or another country's government. Merely avoiding US cloud service providers based on concerns about the Patriot Act does not solve the problem. That choice alone provides no assurance that cloud data is beyond the reach of the Patriot Act, nor does it provide protection against the risk that non-US governments will access the cloud-stored data, either on their own initiative or in response to a MLAT request from the United States.

Rather than making a selection based solely on the home country of competing cloud providers, informed consumers of cloud services should (i) consult legal counsel in their home country, in any jurisdiction where their data may be stored, and in any jurisdiction where their cloud service provider does business; (ii) closely review their cloud services contracts and ask their providers questions; and (iii) carefully consider all the relevant risks before making a decision.


Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2012. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
