EU Data Protection Law and the Patriot Act in the Cloud

Under the provisions of the US Patriot Act, companies based in the EU must disclose customer data to US law enforcement agencies without the customer’s knowledge or consent, even though this conflicts with EU data protection laws.

The Patriot Act

The Patriot Act gives US law enforcement authorities the right to access personal data held in the cloud, regardless of where in the world the data is stored. The Act also gives US law enforcers the right to prevent cloud suppliers from informing their customers that they have had to hand over personal data.

Which Companies Does the Act Apply to?

The Patriot Act applies to customer data held by any company located in:

  • the EU which has a US parent company;
  • the USA;
  • the EU and using the services of a US subsidiary for data processing;
  • the EU which uses any third party (such as a hosting company) to store or process data in the USA.

Google in the UK, Amazon in the Netherlands and Microsoft in Germany, to name a few examples, are all bound by the Patriot Act. Additionally, the BBC, a UK corporation with a presence in the USA, is also bound by the terms of the Act, along with any EU company that uses Blackberry devices or McAfee virus-checking software.

Conflict with EU Data Protection Laws

The provisions of the Patriot Act conflict directly with English and EU data protection laws. Data protection laws in the 27 countries of the EU all prohibit the disclosure of personal data without the data subject’s consent or knowledge. However, such provisions conflict with a company’s obligation to comply with the Patriot Act and secretly disclose customer data to the US authorities.

If an EU company is faced with a Patriot Act disclosure request, it is impossible to comply with both the US law and the local data protection laws applicable to an EU company. In practice the US law will prevail. Well-known global software and search engine companies have admitted that EU customer data has been disclosed by them as a consequence of requests under the Patriot Act.

Recent Issues of Concern to Customers

A number of global companies have recently ceased using cloud services supplied by US-owned software companies to avoid the risk of customer data being subject to a Patriot Act disclosure. Additionally, Microsoft has publicly admitted that it cannot guarantee that it will not disclose EU customer data to the US authorities if requested to do so under the Patriot Act.

Dealing with Customer Concerns

If the Patriot Act applies to your company, you should have procedures and measures in place to deal with any requests for information under the Patriot Act. These procedures need to be set out clearly in your terms and conditions and privacy policy, bearing in mind your obligation to comply with this particular US law.

You also need to have considered the actual risk of a request being made, bearing in mind who your customers are and what data you will be processing or storing for them. In most cases it is very unlikely that the US authorities will ever be interested in your customer data, and even if data is revealed, you should consider whether this would actually be detrimental to the business interests of your customers, as the types of data that can be requested are very limited.

Comments

  1. Julien says

    Hi Irene and thank you for this article.

    I have one question: on which basis would an EU company using a McAfee software be bound by the US Patriot Act?
    McAfee would of course be bound by it and may be requested to provide personal data of EU citizens (e.g. data gathered from an EU company using its software), but I am not sure that saying that the EU company itself would be bound is right. A difference should be made between “which company is bound” and “which data may be requested by the US authorities”. Please advise me if I’m wrong.
    I would also raise doubts over Blackberry, which is a Canadian company (RIM – Research in Motion), not a US one.

    I’m not a specialist of US laws, but rather of EU data protection laws. So please tell me if I’m wrong!

    • says

      Thank you for raising these two queries, as this is a complicated and uncertain area of law.

      With regard to your query about McAfee: an EU subsidiary of McAfee could be obliged to disclose data to its controlling parent company, McAfee based in the USA, if the US parent company received a disclosure request under the Patriot Act. As the US parent company is bound by US law, it would make the subsidiary comply to ensure that it (the US parent company) was not in breach of the Patriot Act.

      With regard to the Blackberry issue, although RIM has a Canadian parent company, data is, as far as I am aware, processed by servers located in the USA, and therefore the Canadian company falls under the Patriot Act. Also, any subsidiary of RIM in the US would be bound to comply with the Patriot Act.

  2. Alberto Borghi says

    Hello Irene,

    I have an enquiry about the issue of the article:

    - If we use VMware (a US company) services to provide the web interface and virtual machines to our clients for cloud computing purposes, does it mean that we are bound by the Patriot Act even though the data is stored in a DC in Switzerland owned by a Swiss private company?

    Thank you very much for your time!

    • says

      Hello Alberto, the information provided on this website and in the articles we publish is given purely for general information purposes. You should seek the assistance of a lawyer to advise on the legal position raised by your specific query, as this will be individual to you. Thank you for your comment!
