Measures in the Patriot Act have given businesses and individuals a reason to think twice before adopting cloud services. While the US Government has been singled out as a data boogeyman, it’s certainly not alone in this practice. A recent report, published by international law firm Hogan Lovells, details similar data policies being enacted around the globe.
The study looked at policies enacted by the US, Australia, Canada, Germany, France, Denmark, Ireland, Japan, Spain and the UK. To base their conclusions, researchers benchmarked each government based on six questions regarding data monitoring and disclosure processes.
The report also dispelled a number of misconceptions regarding data privacy. The authors wrote that “some believe (and some providers have advertised) that choosing a Cloud service provider based on its location will make data stored in the Cloud more secure and less subject to governmental access.”
At best, the practice only provides a false sense of security. Researchers found no evidence where the geographical locations of service providers, or their datacenters, deterred government access. Despite variances in domestic policies, governments have implemented Mutual Legal Assistance Treaties (MLATs). The treaties provide a means for countries to legally access data housed outside their borders.
Click here for larger version
On the subject of domestic policies, the report noted that the Patriot Act was not as invasive as many believe. If the government wished to access data stored by a cloud provider, it would have to follow Electronic Communications Privacy Act (ECPA) regulations. This means that cloud providers can only disclose data after receiving a warrant, ECPA court order or government provided subpoena.
Surprisingly, France was found to have a number of far reaching policies. Cloud providers in France can be compelled to disclose data with a search warrant or requisition letter from the government. However, no court order is required to intercept electronic communications and encryption service providers can be forced to hand encryption keys to officials.
“As one observer put it, France’s anti-terrorism laws make the Patriot Act look ‘namby-pamby’ by comparison.”
Of all the countries studied, Japan appeared to have the least intrusive policies. Like other nations, the Japanese government may require service providers to disclose customer information held domestically. If the data happens to be housed internationally, the other government must cooperate with Japan’s request before a cloud provider can hand over the data.
The Lovells report has helped debunk a number of perceptions regarding US data policies. Simultaneously, it has also raised awareness about international privacy laws. Unfortunately, none of the findings have made compliance issues simpler for service providers.