Under the provisions of the US Patriot Act, companies based in the EU must disclose customer data to US law enforcers without the customer's knowledge or consent, even though this conflicts with EU data protection laws.
The Patriot Act
The Patriot Act gives US law enforcement authorities the right to access personal data held in the cloud, regardless of where in the world the data is stored. The Act also gives US law enforcers the right to prevent cloud suppliers from informing their customers that they have had to hand over personal data.
Which Companies Does the Act Apply To?
The Patriot Act applies to customer data held by any company located in:
- the EU which has a US parent company;
- the USA;
- the EU and using the services of a US subsidiary for data processing;
- the EU which uses any third party to store or process data in the USA, e.g. a hosting company.
Google in the UK, Amazon in the Netherlands and Microsoft in Germany, to name a few examples, are all bound by the Patriot Act. Additionally, the BBC, a UK corporation with a presence in the USA, is also bound by the terms of the Act, along with any EU company that uses BlackBerry devices or McAfee virus-checking software.
Conflict with EU Data Protection Laws
The provisions of the Patriot Act conflict directly with English and EU data protection laws. Data protection laws in the 27 countries of the EU all prohibit the disclosure of personal data without a data subject's consent or knowledge. However, such provisions conflict with a company's obligation to comply with the Patriot Act and secretly disclose customer data to the US authorities.
If an EU company is faced with a Patriot Act disclosure request, it is impossible to comply with both the US law and the local data protection laws applicable to an EU company. In practice, the US law will prevail. Well-known global software and search engine companies have admitted that EU customer data has been disclosed by them as a consequence of requests under the Patriot Act.
Recent Issues of Concern to Customers
A number of global companies have recently ceased using cloud services supplied by US-owned software companies to avoid the risk of customer data being subject to a Patriot Act disclosure. Additionally, Microsoft publicly admitted that it cannot guarantee that it will not disclose EU customer data to the US authorities if requested to do so under the Patriot Act.
Dealing with Customer Concerns
You also need to have considered the actual risk of a request being made, bearing in mind who your customers are and what data you will be processing or storing for them. In most cases it is very unlikely that the US authorities will ever be interested in your customer data. Even if data is revealed, consider whether this would actually be detrimental to the business interests of your customers, as the types of data that can be requested are very limited.