By David Fagan and Alex Berengaut

Enterprises must consider a range of benefits and costs as they evaluate migrating their IT functions and data to cloud-based computing services, including the impact of the cloud services on the security and privacy of their data. In this regard, one of the principal privacy-based concerns raised in connection with US cloud-based services is that the use of such services will afford the US government greater access to the enterprise customer’s data, including in particular under the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001” (also known as the USA PATRIOT Act or Patriot Act). However, this concern—which has been prevalent in connection with EU enterprises’ and governments’ use of cloud services—is often based on a misunderstanding of the Patriot Act and the law governing government access to data both in the United States and abroad.

Contrary to many popular descriptions of it, the Patriot Act was not itself a vehicle for the US government to access user data, but rather a compilation of amendments to pre-existing federal statutes.  The amendments, for example, authorized the US government to apply to terrorism matters certain investigative tools that it previously was authorized to use to fight organized crime; enhanced the US government’s authorities to investigate foreign intelligence surveillance activity to encompass activities of terrorist organizations and other clandestine intelligence activities directed at the US;  and expanded authorities to combat international money laundering and financing of terrorism. 

Thus, the Patriot Act did not create the underlying authorities for the US government to access online data.  Rather, those authorities already existed in various criminal statutes and procedures, and they remain subject to the protections of existing law and the US judicial system.  

The Patriot Act also did not create or extend the jurisdictional reach of the United States.  Long before the Patriot Act was enacted, US courts held that a company with a presence in the United States was obligated to respond to a valid demand for information from the US government – regardless of the location of that information – so long as the company retained “possession, custody or control” of the data.   This legal principle, which is not dissimilar to the approach followed by some EU Member States (whose rules permit law enforcement to exercise jurisdiction over data that is “accessible” in-country), has long required companies that have contacts with or a presence in the US to comply with lawful US government requests for information — including EU companies and their data held in the EU.

Another misconception is that an EU enterprise’s use of US-based cloud services will impair the enterprise’s ability to comply with the EU Data Protection Directive.  If the US-based provider certifies and complies with the EU-US Safe Harbor Agreement and makes appropriate contractual commitments as mandated by the Directive to the EU enterprise, the EU enterprise would be in essentially the same position, from a compliance perspective, as if it stored data in-house.

We have addressed these and other items related to whether and how the use of cloud services implicates the USA PATRIOT Act and compliance with the EU Data Protection Directive further in the question and answer document found here.

Please click here to view the Japanese translation.

David Fagan

David Fagan co-chairs the firm’s top ranked practices on cross-border investment and national security matters, including reviews conducted by the Committee on Foreign Investment in the United States (CFIUS), and data privacy and cybersecurity.

David has been recognized by Chambers USA and Chambers Global for his leading expertise on bet-the-company CFIUS matters and has received multiple accolades for his work in this area, including twice being named Dealmaker of the Year by The American Lawyer. Clients laud him for “[seeing] far more matters than many other lawyers,” his “incredible insight,” and “know[ing] how to structure deals to facilitate regulatory reviews” (Chambers USA).

David’s practice covers representations of both foreign and domestic companies before CFIUS and related national security regulators. The representations encompass matters in which the principal assets are in the United States, as well as those in which there is a smaller U.S. nexus but where solving for the CFIUS issues—including through proactive mitigation and carve-outs—is a critical path for the transaction. David has handled transactions for clients across every sector subject to CFIUS review, including some of the most sensitive and complex matters that have set the template for CFIUS compliance and security agreements in their respective industries. He is also routinely called upon to rescue transactions that have run into challenges in CFIUS, and to negotiate solutions with the U.S. government that protect national security interests, while preserving shareholder and U.S. business interests.

Reflecting his work on U.S.-China investment issues and his experience on complex U.S. national security matters intersecting with China, David is regularly engaged by the world’s leading multi-national companies across a range of industries to advise on strategic legal projects, including supply chain matters, related to their positioning in the emerging competition between the U.S. and China, as well as on emerging legal issues such as outbound investment restrictions and regulations governing information and communications technologies and services (ICTS). David also has testified before a congressional commission regarding U.S. national security, trade, and investment matters with China.

In addition, in the foreign investment and national security area, David is known for his work on matters requiring the mitigation of foreign ownership, control or influence (FOCI) under applicable national industrial security regulations, including for many of the world’s leading aerospace and defense companies and private equity firms, as well as telecommunications transactions that undergo a public safety, law enforcement, and national security review by the group of agencies known as “Team Telecom.”

In his cybersecurity practice, David has counseled companies on responding to some of the most sophisticated documented cyber-based attacks on their networks and information, including the largest documented infrastructure attacks, as well as data security incidents involving millions of affected consumers. He has been engaged by boards of directors of Fortune 500 companies to counsel them on cyber risk and to lead investigations into cyber attacks, and he has responded to investigations and enforcement actions from the Federal Trade Commission (FTC) and state attorneys general. David has also helped clients respond to ransomware attacks, insider theft, vendor breaches, hacktivists, state-sponsored attacks affecting personal data and trade secrets, and criminal organization attacks directed at stealing personal data, among other matters.