Study: Patriot Act gives US government no special access to cloud data

Other countries also can obtain personal data stored in the cloud, an international law firm found

An often-repeated concern that the U.S. Patriot Act gives the U.S. government unequaled access to personal data stored on cloud services is incorrect, with several other nations enjoying similar access to cloud data, according to a study released Wednesday.

The governments of several other countries, including the U.K., Germany, France, Japan and Canada, have laws in place allowing them to obtain personal data stored on cloud computing services, said the study, by Hogan Lovells, an international law firm that focuses on government regulations and other topics.

The Patriot Act, passed as an anti-terrorism measure in 2001, is "invoked as a kind of shorthand to express the belief that the United States government has greater powers of access to personal data in the cloud than governments elsewhere," wrote study co-authors Christopher Wolf, based in Washington, D.C., and Winston Maxwell, based in Paris. "However, our survey finds that even European countries with strict privacy laws also have anti-terrorism laws that allow expedited government access to cloud data."

Since late 2011, some European cloud providers have promoted their services as so-called safe havens from the U.S. Patriot Act. In September 2011, Ivo Opstelten, the Dutch minister of safety and justice, said that U.S. cloud providers could be excluded from Dutch government because of the Patriot Act. Opstelten later softened his stance.

But the Hogan Lovells study, released by think tank the Openforum Academy Wednesday, said there are "misconceptions" about the Patriot Act and other countries' laws allowing access to cloud data. Some people believe, and some cloud providers have advertised, "that choosing a cloud service provider based on its location will make some data stored in the cloud more secure and less subject to governmental access," Wolf and Maxwell wrote.

However, the Patriot Act generally didn't create "broad new investigatory powers" in the U.S., but instead, expanded existing investigative methods, the study said.

There are "meaningful limitations" on the cloud data U.S. authorities can access, with law enforcement authorities needing court-ordered search warrants in some cases, and investigators able to issue subpoenas in other cases, the study said. Many other countries studied by Hogan Lovells also require cloud providers to turn over personal data when compelled by a court, the authors wrote.

Other countries have their own privacy challenges, the report said. ISPs in the European Union must retain telecom customer data for between six and 24 months, while U.S. ISPs have no such requirement, Wolf and Maxwell wrote. The E.U. data-retention directive gives European investigators access to information that may be deleted in other countries, they said.

Under the data-retention directive, "police and security agencies are able to access, with judicial permission, details such as IP address and time of use of every email, phone call, and text message sent or received," the study's authors wrote.

Despite the results of the study, firms in other countries should be "reluctant" to turn over data to U.S. cloud providers, said Marc Rotenberg, executive director of the Electronic Privacy Information Center, a privacy group.

Since the Sept. 11, 2001, terrorist attacks on the U.S., "the U.S. government has simply been far more aggressive in its demands for data from other jurisdictions than have other governments," Rotenberg said in an email. "The U.S. is also widely believed to have more powerful data processing tools than any other government. There is simply no other spy agency that competes with the NSA [U.S. National Security Agency]."

The study surveyed the laws in 10 countries, and all 10 allow the government to require a cloud provider to turn over consumer data in the course of an investigation. In eight of the 10 countries, cloud providers may voluntarily turn over some data to the government in response to an informal request, the exceptions being the U.S. and Japan.

Eight countries do not require the cloud provider to notify its customer when it turns over data to government investigators. German and U.S. law allows cloud providers to notify customers, with some exceptions.

All 10 countries allow government agencies to monitor electronic communications sent through the systems of cloud providers, the study said. Eight of the 10 countries allow government investigators to require cloud providers to turn over information stored on a server in another country. Germany and Japan do not allow such access, with some exceptions.

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is
