United States: The USA Patriot Act and the Privacy of Data Stored in the Cloud

Last Updated: January 24 2012
Article by Alex C. Lakatos

Originally published Winter 2012

Keywords: European consumers, USA Patriot Act, online data, cloud servers, US providers

European consumers have expressed concern that the USA Patriot Act (the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001" or "Patriot Act") will afford the US government undue and unfettered access to their data if they choose to store it on the cloud servers of US providers (e.g., Microsoft or IBM). A recent survey found that 70 percent of Europeans have concerns about their online data and how well it is secured. For many, these fears were exacerbated by an announcement by Gordon Frazer, the managing director of Microsoft UK, that he could not guarantee that data stored on Microsoft servers, wherever located, would not end up in the hands of the US government, because Microsoft, a company based in the United States, is subject to US laws, including the Patriot Act. Aware of these concerns, some EU data centers have gone so far as to advertise that they provide "a safe haven from the reaches of the Patriot Act."

To evaluate the validity of these concerns, several questions must be considered. First, exactly what information does the Patriot Act reach? Second, how likely is it, as a practical matter, that the Patriot Act will ever be used to reach a European company's data stored in the cloud? Finally, how does that risk compare with exposure that European companies already face, such as the prospect of their home-country governments accessing their cloud-stored data? As Ambassador Phillip Verveer, the US State Department's Coordinator for International Communications and Information Policy, explains, "[t]he PATRIOT Act has come to be a kind of label for [privacy] concerns.... We think, to some extent, it's taking advantage of a misperception, and we'd like to clear up that misperception."

This article seeks to dispel some of the myths shrouding the Patriot Act, and to provide an assessment of the risks the Patriot Act poses to data stored in the cloud, particularly where the data, or its owner, are based outside of the United States.

Patriot Act Discovery Tools for Law Enforcement

Contrary to a common misconception, the Patriot Act did not create entirely new procedural mechanisms for US law enforcement to use to obtain data in furtherance of its investigations. However, the Patriot Act did expand certain discovery mechanisms already available to US law enforcement. Two of these expanded mechanisms, which US law enforcement could use to access data in the cloud, warrant discussion: FISA Orders and National Security Letters.

FISA Orders

Prior to enactment of the Patriot Act, the Foreign Intelligence Surveillance Act permitted the FBI to apply to a special court, the Foreign Intelligence Surveillance Court, for a FISA Order to obtain the business records of third parties for the purpose of foreign intelligence and international terrorism investigations. Originally, however, such business records were limited to car rental, hotel, storage locker, and common-carrier records.

Title II of the Patriot Act, "Enhanced Surveillance Procedures," expanded the reach of FISA Orders to allow the FBI to obtain "an order requiring the production of any tangible things (including books, records, papers, documents and other items) for an investigation to protect against international terrorism and clandestine intelligence activities." This includes data in the cloud. To obtain a FISA Order, the FBI must specify that the tangible things sought are for an authorized investigation either to obtain foreign intelligence information not concerning a United States person or to protect against international terrorism or clandestine intelligence activities.

FISA Orders, particularly as expanded under Section 215 of the Patriot Act, have given rise to privacy concerns for several reasons. First, such orders may be granted ex parte, meaning with only the FBI presenting evidence to the court. Second, Section 215 includes a "gag" provision that prohibits the party that receives a FISA Order from disclosing that fact. This typically would prevent a cloud service provider from informing its customers that the service provider had shared their data with the FBI in response to a FISA Order. Third, the fact that Section 215 allows the FBI to obtain a person's library records sparked significant protests that the provision was invasive of reader privacy. Finally, the American Civil Liberties Union objects that "[t]he FBI need not show probable cause, nor even reasonable grounds to believe, that the person whose records it seeks is engaged in criminal activity."

In the USA Patriot Act Improvement and Reauthorization Act of 2005, enacted March 9, 2006, Congress took several steps to address these concerns, including adding provisions to allow the recipient of a FISA Order to oppose it before the Foreign Intelligence Surveillance Court and also, after a one-year hiatus, to contest the gag provision. Congress also required the US Attorney General to promulgate regulations to "minimize the retention, and prohibit the dissemination, of non-publicly available information." Notwithstanding these efforts, privacy and civil liberties advocates remain deeply troubled by Section 215.

What is the practical effect of FISA Orders on users of US cloud services? The answer is that the FBI rarely uses FISA Orders. In 2010, the US government made only 96 applications to the Foreign Intelligence Surveillance Court for FISA Orders granting access to business records. There are several reasons why the FBI may be reluctant to use FISA Orders: public outcry; internal FBI politics necessary to obtain approval to seek FISA Orders; and the availability of other, less controversial mechanisms, with greater due process protections, to seek data that the FBI wants to access. As a result, this Patriot Act tool poses little risk for cloud users.

National Security Letters

The National Security Letter (NSL) is a form of administrative subpoena that the FBI and other US government agencies can use to obtain certain records and data pertaining to various types of government investigations.

When the Patriot Act was enacted, there were already four federal statutes authorizing enumerated government authorities (chiefly the FBI) to issue NSLs. First, under the Right to Financial Privacy Act (RFPA), the FBI and the Secret Service may obtain financial records from financial institutions such as banks, securities brokerages, car dealers, pawn brokers, casinos, and real estate agents (accountants and auditors, however, are not included).

Second, under the Fair Credit Reporting Act, the FBI may use an NSL to obtain from a consumer reporting agency (e.g., the three major credit bureaus: TransUnion, Equifax, Experian) the names and addresses of all financial institutions at which a consumer maintains or has maintained an account, plus consumer-identifying information such as name, address and employment history.

Third, under the Electronic Communications Privacy Act, the FBI may request, from wire or electronic service providers (including Internet service providers), subscriber information, toll-billing records information, and electronic communication transactions records. The US Department of Justice takes the position that this includes, with regard to email accounts, the name, address, and length of service of a person, as well as email addresses associated with an account and screen names.

Fourth, under the National Security Act, an authorized government investigative agency may request any of the types of information described above, from any of the sources described above, when necessary to conduct security checks of government employees or investigate US government employees believed to be spying for foreign powers.

Title V of the Patriot Act, "Removing Obstacles to Investigating Terrorism," expanded the FBI's authority to make NSL requests beyond its headquarters, to its 56 field offices; eliminated the requirement that the information sought relate to a foreign power, instead requiring that the NSL request be relevant to international terrorism or foreign spying; and allowed the FBI to obtain full consumer credit reports. The Patriot Act also added another NSL section to the Fair Credit Reporting Act, this one allowing not just the FBI, but any government agency, to obtain information from a consumer-reporting agency in connection with international terrorism or intelligence activities.

After the Patriot Act expanded the scope of NSLs as described above, their use began to rise. The Department of Justice reported to Congress that in 2010 the FBI made 24,287 NSL requests (excluding requests for subscriber information only).

NSLs give rise to privacy concerns and, according to critics, the potential for abuse, for several reasons. First, the FBI may issue NSLs on its own initiative, without the authorization of any court. (This was true even before the Patriot Act.) Nothing in the Patriot Act provides for any judicial review of the FBI's decision to issue an NSL. Second, the NSL statutes impose a gag requirement on persons receiving an NSL. In addition, the Attorney General Guidelines and various information-sharing agreements require the FBI to share NSL information with other federal agencies and the US intelligence community.

The Reauthorization Act tried to redress some of these concerns. It provided a right to judicial review of NSLs and a right to petition a court to lift the gag order. The Reauthorization Act also provided criminal penalties for violating gag obligations with the intent to obstruct an investigation.

So where does this complex statutory scheme leave cloud users? While the use of NSLs is not uncommon, the types of data that US authorities can gather from cloud service providers via an NSL are limited. In particular, the FBI cannot properly insist via an NSL that Internet service providers share the content of communications or other underlying data. Rather, as set forth above, the statutory provisions authorizing NSLs allow the FBI to obtain "envelope" information from Internet service providers. Indeed, the information that is specifically listed in the relevant statute is limited to a customer's name, address, and length of service.

The FBI often seeks more, such as who sent and received emails and what websites customers visited. But, more recently, many service providers receiving NSLs have limited the information they give to customers' names, addresses, length of service and phone billing records. "Beginning in late 2009, certain electronic communications service providers no longer honored" more expansive requests, FBI officials wrote in August 2011, in response to questions from the Senate Judiciary Committee.

Although cloud users should expect their service providers that have a US presence to comply with US law, users also can reasonably ask that their cloud service providers limit what they share in response to an NSL to the minimum required by law. If cloud service providers do so, then their customers' data should typically face only minimal exposure due to NSLs.

Other Law Enforcement Tools

As discussed above, the two law enforcement tools for discovery of third-party data that were most significantly enhanced by the Patriot Act and that have given rise to significant concerns by European critics of the Patriot Act—FISA Orders and NSLs—should not, as a practical matter, pose a significant risk to European data on the servers of US-based cloud providers. But it would be a mistake to end the analysis there.

Search Warrants and Grand Jury Subpoenas

US federal law enforcement has other, more traditional mechanisms for obtaining information it deems necessary to support its investigative efforts, such as search warrants (which must be approved by a US court upon a showing of probable cause) and grand jury subpoenas, which are issued by a US federal prosecutor in support of an ongoing grand jury investigation (and which a recipient may move to quash in court). These mechanisms also can be used to obtain data stored in the cloud. Should the risks these tools pose cause European companies to eschew US cloud services?

At the outset, consider that search warrants and grand jury subpoenas are hardly new. Search warrants trace their roots in the United States back at least to the Bill of Rights (ratified in 1791): the Fourth Amendment provides for protection against searches and seizures in the absence of a properly obtained warrant. Similarly, the grand jury has been functioning as an institution for receiving evidence of criminal activity since the Magna Carta and also has been incorporated into the US Constitution.

Moreover, Europeans (and others) have comparable discovery mechanisms in their home countries. For example, in France, the Police Nationale and the Gendarmerie Nationale both can execute search warrants. Article 13 of Germany's Basic Law similarly recognizes judicially ordered search warrants. And, of course, US search warrants have their roots in English law. Accordingly, to the extent European consumers wish to avoid any risk that any government will access their cloud data, merely avoiding US service providers is unlikely to help.

MLATs

Sequestering data on European cloud servers may be an ineffective prophylactic against US government access for another reason. The United States and most European governments have entered into bilateral Mutual Legal Assistance Treaties (MLATs). In a typical MLAT, the two countries commit to provide one another with "the widest measure of mutual assistance in investigations or proceedings in respect of criminal offenses...."

In 2003, the United States and the European Union entered into an MLAT with a provision addressing data protection. That provision governs MLAT requests made pursuant to prior bilateral MLATs between EU Member States and the United States. The comments to the EU-US MLAT explain that this provision was "meant to ensure that refusal of assistance on data protection grounds may be invoked only in exceptional cases." Accordingly, US MLAT requests, particularly those concerning terrorism investigations, are seldom denied for data protection reasons.

US Jurisdictional Limitations

In the United States, only a party amenable to what is known as "personal jurisdiction" can be subject to a search warrant, grand jury subpoena, NSL, FISA Order or other enforceable request for documents or data. The fundamental requirements for exercising personal jurisdiction over an individual or corporation are grounded in the Constitution, and the Patriot Act did not alter those principles (nor did it purport to do so).

In the context of personal jurisdiction, due process considerations prohibit courts from exercising jurisdiction over a witness who lacks minimum contacts with the forum. In the case of a corporation, this means that any corporation based in the United States will be subject to US jurisdiction and, thus, can be subject to FISA Orders, NSLs, search warrants, or grand jury subpoenas. The same is generally true for a non-US corporation that has a location in the United States or that conducts continuous and systematic business in the United States.

Furthermore, an entity that is subject to US jurisdiction and is served with a valid subpoena must produce any documents within its "possession, custody, or control." That means that an entity that is subject to US jurisdiction must produce not only materials located within the United States, but any data or materials it maintains in its branches or offices anywhere in the world. The entity even may be required to produce data stored at a non-US subsidiary.

What does this mean for non-US consumers of cloud services? First, US law enforcement authorities may serve FISA Orders, NSLs, warrants or subpoenas on any cloud service provider that is US-based, has a US office, or conducts systematic or continuous US business—even if the data is stored outside the United States. Thus, merely choosing a European cloud service provider is not enough to ensure that data is beyond the reach of US jurisdiction and the Patriot Act.

Second, US law enforcement authorities may serve FISA Orders, NSLs, warrants or subpoenas on any cloud service customer that is US-based, has a US branch, or conducts systematic or continuous US business—even if the data is stored outside the United States. Many European entities have a US presence, and their US presence will allow them to be subject directly to the authority of US law enforcement, regardless of what company they use for cloud storage.

The Patriot Act and European Data Protection

The European Commission's Directive on Data Protection generally prohibits the transfer of personal data to non-European Union countries that do not meet the EU "adequacy" standard for privacy protection. While the United States and the European Union share the goal of enhancing privacy protection for their citizens, the United States takes a different approach to privacy. To bridge these different privacy approaches, the Department of Commerce, in consultation with the European Commission, developed a "Safe Harbor" framework. By joining and adhering to the EU-US Safe Harbor Agreement, US companies can demonstrate that their data protection practices meet EU data protection requirements. European companies then can share data with US participants in the Safe Harbor agreement without violating their home country data protection laws.

The Safe Harbor Agreement contains a provision that allows US companies to comply with applicable US laws compelling the production of data, including the Patriot Act. It is anticipated, however, that at the World Economic Forum in January 2012, the European Commission will announce legislation to repeal the existing EU data protection directive and replace it with a more robust framework. The new legislation might, among other things, replace EU/US Safe Harbor regulations with a new approach that would make it illegal for the US government to invoke the Patriot Act on a cloud-based or data processing company in efforts to acquire data held in the European Union. The Member States' data protection agency with authority over the company's European headquarters would have to agree to the data transfer.

The foregoing developments may significantly affect the legal landscape for protection of data on the cloud servers in the cross-border context and, thus, should be monitored closely. However, it may be years before the new legislation is enacted (the current EU Data Protection Directive took three years to be enacted). By that time, changes in technology may present entirely new challenges and considerations.

Conclusion

Consumers of cloud services are wise to consider all types of risk to their data, whether from their home country's government or another country's government. Merely avoiding US cloud service providers based on concerns about the Patriot Act does not solve the problem. That choice alone provides no assurance that cloud data is beyond the reach of the Patriot Act, nor does it provide protection against the risk that non-US governments will access the cloud-stored data, either on their own initiative or in response to a MLAT request from the United States.

Rather than making a selection based solely on the home country of competing cloud providers, informed consumers of cloud services should (i) consult legal counsel in their home country, in any jurisdiction where their data may be stored, and in any jurisdiction where their cloud service provider does business; (ii) closely review their cloud services contracts and ask their providers questions; and (iii) carefully consider all the relevant risks before making a decision.


Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2012. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.
