How worried should UK data guardians be about the Patriot Act?

In June of this year the managing director for Microsoft UK, Gordon Frazer, sent a wave of panic through businesses across Europe when he told a room full of journalists at the Microsoft Office 365 launch in London that he could not guarantee that data stored in Microsoft’s European datacentres would not end up in the hands of the US government.

The US Patriot Act is the source of this fear. In the aftermath of the September 11 attacks on the World Trade Center and the Pentagon, the US government implemented the Act to combat international terrorism, and since the legislation came in, Section 215 has been the focus of much attention from those engaging in cloud services in Europe. Section 215 reads as follows:


SEC. 215. ACCESS TO RECORDS AND OTHER ITEMS UNDER THE FOREIGN INTELLIGENCE SURVEILLANCE ACT:

(a)(1) The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities.


Simply put, the FBI can obtain data from European companies that have their data stored in US-owned datacentres, even if the datacentres are on EU soil.

In addition, because any request for data would be part of a terrorist investigation, the company that owns the datacentre would be subject to a gagging order, and would also not be allowed to inform any customer that their information had been handed over to authorities.

This means that European businesses that store their data in US-owned datacentres could find their data ends up in the hands of the US government. These businesses would not know that their data had even left the country.

Some European companies are worried. Thibault Chevillotte, senior manager at UK business and technology service company Logica, says organisations in the European Economic Area should be concerned if their data is held in a datacentre owned by a US company.

“Businesses in the UK and Europe should definitely be worried about the US Patriot Act. US vendors have said that they can be requested to provide information back from European companies to US authorities,” says Chevillotte.

Ulterior motive
Some industry watchers even believe the US could use the powers enshrined in the Patriot Act to gain information for purposes other than fighting terrorism.

“The Patriot Act is supposed to be linked with terrorism, but the truth of the matter is that we just don’t know how it is being used. US companies [could] gain a competitive advantage against those in Europe,” says Chevillotte. “We do not know that it is being used for these purposes, but we also cannot exclude the possibility.”
Adding to this anxiety is an apparent determination on the part of US cloud technology providers to avoid discussing the issue of US government snooping. When asked for an interview on the subject, Microsoft declined. HP and Amazon did not respond to our request, while Dell and Salesforce said they did not have a spokesperson available to talk to us.