Businesses often assume knowledge of the laws regulating governmental access to data in their home jurisdictions, and they make further assumptions about the legal regimes abroad where cloud service providers may be located. This is according to Conor Ward, Chair of the Cloud Industry Legal Forum (CILF), the legal advisory sub-group of the Cloud Industry Forum and partner at Hogan Lovells.
“A lot of assumptions are being made about legal regimes abroad and none so controversial in Europe than the US 2001 Patriot Act cited by many as an example of where the US government has greater powers of access to personal data than any other government. This is nothing short of FUD (fear, uncertainty and doubt),” stated Conor Ward.
Governments need some degree of access to data for criminal investigations and for purposes of national security. But privacy and confidentiality also are important issues.
Conor continued: “We surveyed the legal environments of the major European countries and found that even those ones with strict privacy laws also have anti-terrorism laws that allow expedited government access to Cloud data.
“Our findings have led us to a number of conclusions. On the fundamental question of government access to data in the Cloud, we conclude that it is not possible to isolate data in the cloud from government access based on the physical location of the Cloud service provider or its facilities. Government’s ability to access data in the cloud extends across borders. And it is incorrect to assume that the US government’s access to data in the cloud is more advanced than any other advanced economy,” he added.
“The existence of Mutual Legal Assistance Treaties greatly diminishes any argument that data stored in one jurisdiction is immune from access by other governmental authorities in anther jurisdiction. Furthermore, every single country we examined vests authority in the government to require a cloud service provider to disclose customer data in certain situations and in most instances this authority enables the government to access data physically stored outside the country’s borders, provided there is some jurisdictional hook, such as the presence of a business within the country’s borders.”
Andy Burton, chair of the Cloud Industry Forum and CEO of Fasthosts added: “This research – and subsequent White Paper produced by Hogan Lovells – reveals the great myth. Businesses are misleading themselves and their customers if they contend that restricting cloud service providers to one jurisdiction better insulates data from governmental access. For many end users the message to-date has been one of fear, uncertainty and doubt, and that has had the potential to hold the market back. Now is the time to recognise that governments across the developed world have their own legal parameters within which they work either in isolation or together. The plain fact of the matter is that the existence of Mutual Legal Assistance Treaties diminishes any argument that data stored in one jurisdiction is immune from access by a government in another.”