An often-repeated concern that the U.S. Patriot Act gives the U.S. government unequaled access to personal data stored on cloud services is incorrect, with several other nations enjoying similar access to cloud data, according to a study released Wednesday.
The governments of several other countries, including the U.K., Germany, France, Japan and Canada, have laws in place allowing them to obtain personal data stored on cloud computing services, said the study, by Hogan Lovells, an international law firm that focuses on government regulations and other topics.
The Patriot Act, passed as an anti-terrorism measure in 2001, is "invoked as a kind of shorthand to express the belief that the United States government has greater powers of access to personal data in the cloud than governments elsewhere," wrote study co-authors Christopher Wolf, based in Washington, D.C., and Winston Maxwell, based in Paris. "However, our survey finds that even European countries with strict privacy laws also have anti-terrorism laws that allow expedited government access to cloud data."
Since late 2011, some European cloud providers have promoted their services as so-called safe havens from the U.S. Patriot Act. In September 2011, Ivo Opstelten, the Dutch minister of safety and justice, said that U.S. cloud providers could be excluded from Dutch government because of the Patriot Act. Opstelten later softened his stance.
But the Hogan Lovells study, released Wednesday by the think tank Openforum Academy, said there are "misconceptions" about the Patriot Act and other countries' laws allowing access to cloud data. Some people believe, and some cloud providers have advertised, "that choosing a cloud service provider based on its location will make some data stored in the cloud more secure and less subject to governmental access," Wolf and Maxwell wrote.
However, the Patriot Act generally didn't create "broad new investigatory powers" in the U.S., but instead expanded existing investigative methods, the study said.
There are "meaningful limitations" on the cloud data U.S. authorities can access, with law enforcement authorities needing court-ordered search warrants in some cases, and investigators able to issue subpoenas in other cases, the study said. Many other countries studied by Hogan Lovells also require cloud providers to turn over personal data when compelled by a court, the authors wrote.
Other countries have their own privacy challenges, the report said. ISPs in the European Union must retain telecom customer data for between six and 24 months, while U.S. ISPs have no such requirement, Wolf and Maxwell wrote. The E.U. data-retention directive gives European investigators access to information that may be deleted in other countries, they said.
Under the data-retention directive, "police and security agencies are able to access, with judicial permission, details such as IP address and time of use of every email, phone call, and text message sent or received," the study's authors wrote.