The USA Patriot Act: Myth v. Reality
(Cross posted from OpenForum.com.au)
Today, computer users – ranging from individual consumers, to small and medium-sized businesses, to the largest enterprises – are excited about the opportunities presented by cloud computing. And for good reason. Innovations in cloud technologies represent a seismic shift in the IT industry and are poised to transform our relationship with computers, just as we transitioned from mainframes to desktop PCs in the 1980s.
As consumers, we’ve been accustomed for many years already to using cloud computing on a daily basis, whether through internet banking, web-based e-mail such as Hotmail, or the use of social media networks.
As companies and other organisations think about transitioning to the cloud, people understandably are asking questions about issues like data privacy, security, and the implications of storing digital information in large datacentres overseas. It’s important to think carefully about these issues, but the debate sometimes creates confusion about the actual implications of adopting a cloud-based computing model – and perhaps nowhere is the confusion greater than in relation to the USA Patriot Act. When I’m talking to customers, they’re often concerned about the idea that the U.S. government might have the ability to gain access to data stored outside the United States when the data is held by a U.S.-headquartered provider of cloud services. For a number of reasons and for the vast majority of organisations, however, the true impact of the Patriot Act in this context is negligible.
First, the Patriot Act itself is really a compilation of amendments to other pre-existing laws designed to provide the U.S. government with tools to seek business records in certain limited circumstances (related to national security investigations and encompassing potential terrorism or foreign intelligence threats). Therefore, to the extent the U.S. government can access data, it is generally not through the Patriot Act, but it may be through existing laws amended by the Patriot Act, as well as decades-old judicial decisions in the United States providing for extraterritorial subpoena power in limited circumstances.
In fact, U.S. courts have long held that a company with a presence in the United States is obligated to respond to a valid demand by the U.S. government for information – regardless of the physical location of the information – so long as the company retains custody or control over the data. The seminal court decision in this area is United States v. Bank of Nova Scotia, 740 F.2d 817 (11th Cir. 1984) (requiring a U.S. branch of a Canadian bank to produce documents held in the Cayman Islands for use in U.S. criminal proceedings). Did the court overreach in the Bank of Nova Scotia case? Some will argue that it did. But what many overlook is that the legal principle on extraterritorial jurisdiction embraced by the Bank of Nova Scotia court – requiring companies with contacts or presence within a territory to comply with lawful requests for information by the government in that territory – has long been followed in many other countries, including Australia. In fact, the Federal Court of Australia adopted the very same approach on extraterritorial jurisdiction in Bank of Valletta PLC v. National Crime Authority  FCA 1099 (requiring an Australian branch of a Maltese bank to produce documents held in Malta for use in Australian criminal proceedings).
Following on this point, while it is the case that the Patriot Act made it easier in some cases for the U.S. government to gain access to certain end-user data, the legislation did not fundamentally alter the right of the government to that data in those circumstances. The Patriot Act, for example, enabled the U.S. government to use a single search warrant obtained from a federal judge to order disclosure of data held by communications providers in multiple states within the U.S., instead of having to seek separate search warrants (from separate judges) for providers that are located in different states. This streamlined the process for U.S. government searches in certain cases, but it did not change the underlying right of the government to access the data under applicable laws and prior court decisions.
Further, people often mistakenly think that the Patriot Act and related laws apply only to U.S. companies. Like all U.S. laws and as highlighted above, however, the Patriot Act applies equally to every company doing business in the United States, whether or not the company is based in the United States. And, again, many countries including Australia similarly have investigative powers to reach all companies conducting business within their borders. What that means in the context of cloud computing is that any provider of cloud services that has a presence in the U.S. is subject to the same jurisdictional rules – regardless of whether the cloud provider is a U.S. corporation and irrespective of where the provider’s datacentres are physically located.
Moreover, even when data is hosted by a major cloud services provider with absolutely zero presence in or contacts with the United States (an unlikely scenario, given the economies of scale involved in cloud computing) that information would generally still be accessible to the U.S. government if needed in connection with a criminal case. That’s because Australia and the United States, like most countries around the world, cooperate closely in law enforcement matters. Under a longstanding bilateral mutual legal assistance treaty providing for law enforcement cooperation between Australia and the United States, either government can gain access to data located within the territory of the other.
And finally, it bears noting that while it may have become easier for the U.S. government to obtain certain information under the Patriot Act, strong protections for user data remain in place under U.S. law.
Are there interesting and challenging policy and regulatory issues that arise in the context of cloud computing? Yes there are, and organizations transitioning to cloud-based technologies are wise to consider them. But it’s important to ensure that the discussion isn’t clouded by misunderstandings or confusion about the legal landscape.
Jeff Bullwinkel, Associate General Counsel and Director of Legal & Corporate Affairs, Microsoft Australia