An often-repeated concern that the U.S. Patriot Act gives the U.S. government unequaled access to personal data stored on cloud services is incorrect, with several other nations enjoying similar access to cloud data, according to a study released Wednesday.
The governments of several other countries, including the U.K., Germany, France, Japan and Canada, have laws in place allowing them to obtain personal data stored on cloud computing services, said the study, by Hogan Lovells, an international law firm that focuses on government regulations and other topics.
The Patriot Act, passed as an anti-terrorism measure in 2001, is “invoked as a kind shorthand to express the belief that the United States government has greater powers of access to personal data in the cloud than governments elsewhere,” wrote study co-authors Christopher Wolf, based in Washington, D.C., and Winston Maxwell, based in Paris. “However, our survey finds that even European countries with strict privacy laws also have anti-terrorism laws that allow expedited government access to cloud data.”
Since late 2011, some European cloud providers have promoted their services as so-called safe havens from the U.S. Patriot Act. In September 2011, Ivo Opstelten, the Dutch minister of safety and justice, said that U.S. cloud providers could be excluded from Dutch government because of the Patriot Act. Opstelten later softened his stance.
But the Hogan Lovells study, released by think tank the Openforum Academy Wednesday, said there are “misconceptions” about the Patriot Act and other countries’ laws allowing access to cloud data. Some people believe, and some cloud providers have advertised, “that choosing a cloud service provider based on its location will make some data stored in the cloud more secure and less subject to governmental access,” Wolf and Maxwell wrote.
However, the Patriot Act generally didn’t create “broad new investigatory powers” in the U.S., but instead, expanded existing investigative methods, the study said.
There are “meaningful limitations” on the cloud data U.S. authorities can access, with law enforcement authorities needing court-ordered search warrants in some cases, and investigators able to issue subpoenas in other cases, the study said. Many other countries studied by Hogan Lovells also require cloud providers to turn over personal data when compelled by a court, the authors wrote.
Other countries have their own privacy challenges, the report said. ISPs in the European Union must retain telecom customer data for between six and 24 months, when U.S. ISPs have no such requirement, Wolf and Maxwell wrote. The E.U. data-retention directive gives European investigators access to information that may be deleted in other countries, they said.
Under the data-retention directive, “police and security agencies are able to access, with judicial permission, details such as IP address and time of use of every email, phone call, and text message sent or received,” the study’s authors wrote.
Despite the results of the study, firms in other countries should be “reluctant” to turn over data to U.S. cloud providers, said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a privacy group.
Since the Sept. 11, 2001, terrorist attacks on the U.S., “the U.S. government has simply been far more aggressive in its demands for data from other jurisdictions than have other governments,” Rotenberg said in an email. “The U.S. is also widely believed to have more powerful data processing tools than any other government. There is simply no other spy agency that competes with the NSA [U.S. National Security Agency].”
The study surveyed the laws in 10 countries, and all 10 allow the government to require a cloud provider to turn over consumer data in the course of an investigation. In eight of the 10 countries, cloud providers may voluntarily turn over some data to the government in response to an informal request, the exceptions being the U.S. and Japan.
Eight countries do not require the cloud provider to notify its customer when it turns over data to government investigators. German and U.S. law allows cloud providers to notify customers, with some exceptions.
All 10 countries allow government agencies to monitor electronic communications sent through the systems of cloud providers, the study said. Eight of the 10 countries allow government investigators to require cloud providers to turn over information stored on a server in another country. Germany and Japan do not allow such access, with some exceptions.
Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant’s e-mail address is grant_gross@idg.com.