By David Fagan and Alex Berengaut

Enterprises must consider a range of benefits and costs as they evaluate migrating their IT functions and data to cloud-based computing services, including the impact of the cloud services on the security and privacy of their data.  In this regard, one of the principal privacy-based concerns raised in connection with US cloud-based services is that the use of such services will afford the US government greater access to the enterprise customer’s data, including in particular under the “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001” (also known as the USA PATRIOT Act or Patriot Act).  However, this concern—which has been prevalent in connection with EU enterprises’ and government’s use of cloud services—is often based on a misunderstanding of the Patriot Act and the law governing government access to data both in the United States and abroad.

Contrary to many popular descriptions of it, the Patriot Act was not itself a vehicle for the US government to access user data, but rather a compilation of amendments to pre-existing federal statutes.  The amendments, for example, authorized the US government to apply to terrorism matters certain investigative tools that it previously was authorized to use to fight organized crime; enhanced the US government’s authorities to investigate foreign intelligence surveillance activity to encompass activities of terrorist organizations and other clandestine intelligence activities directed at the US;  and expanded authorities to combat international money laundering and financing of terrorism. 

Thus, the Patriot Act did not create the underlying authorities for the US government to access online data.  Rather, those authorities already existed in various criminal statutes and procedures, and they remain subject to the protections of existing law and the US judicial system.  

The Patriot Act also did not create or extend the jurisdictional reach of the United States.  Long before the Patriot Act was enacted, US courts held that a company with a presence in the United States was obligated to respond to a valid demand for information from the US government – regardless of the location of that information – so long as the company retained “possession, custody or control” of the data.   This legal principle, which is not dissimilar to the approach followed by some EU Member States (whose rules permit law enforcement to exercise jurisdiction over data that is “accessible” in-country), has long required companies that have contacts with or a presence in the US to comply with lawful US government requests for information — including EU companies and their data held in the EU.

Another misconception is that an EU enterprise’s use of US-based cloud services will impair the enterprise’s ability to comply with the EU Data Protection Directive.  If the US-based provider certifies and complies with the EU-US Safe Harbor Agreement and makes appropriate contractual commitments as mandated by the Directive to the EU enterprise, the EU enterprise would be in essentially the same position, from a compliance perspective, as if it stored data in-house.

We have addressed these and other items related to whether and how the use of cloud services implicates the USA PATRIOT Act and compliance with the EU Data Protection Directive further in the question and answer document found here

Please click here to view the Japanese translation.