In the context of AE's migration to Office 365, we have been studying the legal impact of moving to the cloud. Since a lot of our customers are in the same situation, I wanted to share our findings with all of you via this blog.
Although it is a common assumption that the Patriot Act gives the US unlimited access to your data, the actual impact of the Patriot Act is negligible.
The Patriot Act
The misconception is that this act created a new mechanism for the US government to get access to cloud provider data. The truth is that the Patriot Act only expands the methods that were already in place.
The Patriot Act allows the FBI to apply for a so-called ‘FISA order’ requiring the production of any tangible things for an investigation to protect against international terrorism. Prior to the enactment of the Patriot Act, these FISA orders already existed to obtain business records. Such business records, however, were originally limited to car rental, hotel storage and common carrier records. The Patriot Act expanded the reach of the orders to cover any type of business record. Due to severe criticism, these FISA orders are rarely used.
The impact is limited
The Patriot Act also gives the FBI the possibility to issue national security letters relevant to international terrorism. Because these letters can only obtain ‘envelope’ information (the customer’s name, address, length of service and toll billing records), the impact is limited. These security letters are in fact a form of the traditional administrative subpoena.
Furthermore, most cloud providers join and adhere to the US-EU Safe Harbor Agreement, so they can demonstrate that their data protection practices meet EU data protection requirements in the best possible way.
Joining the Safe Harbor, however, is no 100% guarantee of compliance with all of its principles. Because the FBI (and any government agency) is considered a third party to the US-EU Safe Harbor Agreement, the Patriot Act can still force American cloud providers to disclose the requested customer data as mentioned above, and to keep this request secret.
Beyond the Patriot act
Nevertheless, cloud providers who adhere to the Safe Harbor principles always remain obliged to provide sufficient guarantees in respect of the technical and organizational security measures for the protection of personal data against accidental or unlawful destruction or accidental loss. The personal data are also protected against unauthorized disclosure or access (in particular where the processing involves the transmission of data over a network), and against all other unlawful forms of processing.
Knowing these facts and understanding the impact of the ‘cloud risks’, we have decided ‘to move in there’.
I am curious to know how you have been investigating the legal aspects of the cloud.