Patriot Act vs Data Protection Laws – USA vs Europe


Security and privacy are two sides of the same coin. You don’t want to put your information at risk by having the wrong policies or the wrong technology in place. But in the legal landscape, your information or your customers’ information can be handed to a third party without any breach of security at all.

This “third party” is governments around the world. That is why, when you choose a cloud provider, it is critical to know exactly which legislation both the provider and you have to comply with, and to understand the risks that follow from it.

Much has been said about the US Patriot Act, under which companies based anywhere in the world, provided they have a US parent company, have to disclose information about their customers (without their knowledge or consent) to US law enforcement. You might think that if you are in Europe (or in another country) with similar Data Protection Laws you are safe. The Data Protection Laws in the 27 countries of the European Union prohibit the disclosure of personal information without the owner’s knowledge and consent. However, this conflicts with the provider’s obligation to comply with the US Patriot Act, if the provider is a subsidiary of a US company. In practice, when facing this conflict, providers will disclose customer information to US authorities. Of course, this is only applicable if you fall under suspicion for some reason and the US authorities want to know more about you.

One might think that if you choose a cloud provider not based in the US but in Europe (for example, Lunacloud instead of Amazon or Rackspace), the Patriot Act doesn’t apply and you’re “safe”. It’s true that the Patriot Act doesn’t apply and your information won’t be disclosed to the US government. However, you are not “safe”. Have a look at the Hogan Lovells white paper on Government Access to Data. It goes into more detail on this topic and “reveals that every jurisdiction examined vests authority in the government to require a Cloud service provider to disclose customer data”.

In conclusion, your information is subject to disclosure to governments. When choosing a cloud provider, you are only choosing which legislation that provider will have to comply with; among developed countries, no jurisdiction is generally better than another in this respect (and if you consider placing your information elsewhere, you take on considerably more risk).

If you really, really care about the privacy of your information, then it all comes back to policies and technology (and encryption technology in particular).
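The reason encryption changes the picture is that a disclosure order can only compel the provider to hand over what the provider actually holds. If the customer encrypts before upload and keeps the key, what the provider holds is ciphertext. The following is an added illustration of that point, written for this page and not taken from the post or from any provider mentioned in it: `Provider` is a constructed in-memory stand-in for cloud storage, `Disclose` models compelled disclosure of everything it stores, and `Client` does AES-256-GCM encryption on the customer's side using only Go's standard library. All names and the sample record are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Provider stands in for the cloud storage backend (constructed, in-memory).
// It holds whatever the customer uploads; under an order it can hand over
// exactly those bytes and nothing more.
type Provider struct {
	objects map[string][]byte
}

func NewProvider() *Provider { return &Provider{objects: make(map[string][]byte)} }

func (p *Provider) Put(name string, blob []byte) {
	p.objects[name] = append([]byte(nil), blob...)
}

// Disclose models compelled disclosure: a copy of every stored object, as held.
func (p *Provider) Disclose() map[string][]byte {
	out := make(map[string][]byte, len(p.objects))
	for k, v := range p.objects {
		out[k] = append([]byte(nil), v...)
	}
	return out
}

// Client encrypts on the customer's side; the key never reaches the provider.
type Client struct {
	aead cipher.AEAD
}

// NewRandomKey returns a fresh 32-byte key (AES-256).
func NewRandomKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func NewClient(key []byte) (*Client, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Client{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag. The object name is bound as
// associated data, so a blob moved under another name fails to decrypt.
// Random 96-bit nonces are acceptable at the small object counts shown here.
func (c *Client) Seal(name string, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return c.aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal; it fails on a wrong key, a wrong name, or any tampering.
func (c *Client) Open(name string, blob []byte) ([]byte, error) {
	ns := c.aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob shorter than nonce")
	}
	return c.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
}

func (c *Client) Upload(p *Provider, name string, plaintext []byte) error {
	blob, err := c.Seal(name, plaintext)
	if err != nil {
		return err
	}
	p.Put(name, blob)
	return nil
}

func (c *Client) Download(p *Provider, name string) ([]byte, error) {
	blob, ok := p.objects[name]
	if !ok {
		return nil, fmt.Errorf("no object %q", name)
	}
	return c.Open(name, blob)
}

// LeaksPlaintext reports whether any disclosed blob contains the plaintext.
func LeaksPlaintext(disclosed map[string][]byte, plaintext []byte) bool {
	for _, blob := range disclosed {
		if bytes.Contains(blob, plaintext) {
			return true
		}
	}
	return false
}

func main() {
	key, _ := NewRandomKey()
	client, _ := NewClient(key)
	provider := NewProvider()
	record := []byte("customer record: constructed sample data") // hypothetical
	if err := client.Upload(provider, "customers/42.json", record); err != nil {
		panic(err)
	}
	fmt.Println("disclosure reveals plaintext:", LeaksPlaintext(provider.Disclose(), record))
	back, err := client.Download(provider, "customers/42.json")
	fmt.Println("customer round trip ok:", err == nil && bytes.Equal(back, record))
}
```

The design choice that matters is where the key lives: the provider only ever sees `Seal`'s output, so what `Disclose` returns is unreadable without the customer's key. This protects data at rest against compelled disclosure by the provider; it does not help if the key is itself stored with the provider, if the order is served on the customer directly, or for data the application must process in plaintext on the provider's side.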
