Government Access to Cloud Data

Think the Patriot Act gives the US government a unique level of access to your data in the cloud? A new study says it's not so.

Everybody knows that storing cloud data in US-based servers gives the US government unprecedented access under the Patriot Act. But a new study says that's just not so.

It's becoming common for cloud-selection checklists to ask about whether data is stored on US soil -- on the assumption that it will be harder to keep it from the prying eyes of government functionaries. Some EU-based cloud providers are building marketing messages around this supposed fact.

Turns out the Patriot Act, enacted after the terrorist attacks of 2001, did not make the US an outlier among developed nations as to how easy it is for the government to get at data and communications stored in or traversing the cloud.

A new study of the laws in ten developed countries ought to put this widespread notion to rest. (Here is a PDF of the full study.) The international legal firm Hogan Lovells asked their experts on the ground in Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, the UK, and the US to help fill out a grid of what the government can access and what kinds of data require the oversight of a court.

The bottom line, according to Hogan Lovells:

...especially in Europe the [Patriot Act] has been invoked as a kind of shorthand to express the belief that the United States government has greater powers of access to personal data in the Cloud than governments elsewhere. However, our survey finds that even European countries with strict privacy laws also have anti-terrorism laws that allow expedited government access to Cloud data.

In this study the US doesn't come off looking so Draconian.

May government require a Cloud provider to disclose customer data in the course of a government investigation? In all ten nations, the answer is "yes."
May government monitor electronic communications sent through the systems of a Cloud provider? In all ten nations, the answer is "yes."
If a Cloud provider must disclose customer data to the government, must the Cloud provider notify the customer? The US is one of two countries (the other is Germany) in which the answer is other than "no."
May a Cloud provider voluntarily disclose customer data to the government in response to an informal request? In only two countries, the US and Japan, is the answer "no."

However, the US is on the privacy-unfriendly side of the question If a Cloud provider stores data on servers in another country, can the government require the Cloud provider to access and disclose the data? In the US, as in seven other countries, the answer to that is "yes"; only Germany and Japan require cooperation from the foreign government.

The moral? If you think your corporate data will be any more protected from governmental snooping if it is stored on a cloud hosted in Germany, the UK, or Japan, give it up. The summary of the situation according to Hogan Lovells: "Governmental access to data stored in the Cloud -- including cross-border access -- exists in every jurisdiction."