A Global Reality: Governmental Access to Data in the Cloud

August 6, 2013

Since the early days of Cloud computing, there has been concern over the level of control over who can access data held by the Cloud service provider, and in particular the possibility and extent of governmental access to this data.  This concern has only grown as the adoption of Cloud computing solutions by business has increased, and is particularly topical at present following Edward Snowdon’s recent disclosures in relation to the ‘PRISM’ surveillance activities by the United States National Security Agency. 

What has become apparent, both before Edward Snowdon’s disclosure and in the subsequent response, is that Cloud users and providers of Cloud services are struggling to understand – and indeed have a number of misconceptions regarding – when and how governments can access users’ data.  

Last year, we undertook a comparative analysis of the nature and extent of governmental access to data in the Cloud in ten jurisdictions around the world.[1] The results of that analysis were published in a White Paper in May 2012,[2] and were supplemented by a further White Paper which we published in May 2013.[3] 

In light of the wider current interest in this area, this article summarises our key findings on the question of when and how governments can access users’ data. Those interested in the more detailed position in any of the ten jurisdictions surveyed are referred to the White Papers themselves. 

Data Protection Regimes

In our experience, it seems to us that businesses often assume knowledge of the laws regulating governmental access to data in their home jurisdictions, and they make further assumptions about the legal regimes abroad where Cloud service providers may be located.  For example, especially in Europe, the 2001 USA PATRIOT Act (‘Patriot Act’) has been invoked as a kind of shorthand to express the belief that the United States government has greater powers of access to personal data in the Cloud than governments elsewhere.  However, our research and analysis revealed that even European countries with strict privacy laws also have anti-terrorism laws that allow expedited government access to Cloud data. Frequently, there are misconceptions about what the law allows, at home and abroad. 

Such misconceptions encourage speculation that governmental access to data stored in the Cloud is more likely in some places than in others, and that the best way to limit such access is to use Cloud service providers present only in ‘safe’ jurisdictions – places where data is thought to be free from troublesome governmental access.  Thus, some believe (and some providers have advertised) that choosing a Cloud service provider based on its location will make data stored in the Cloud more secure and less subject to governmental access. 

However, in the course of our research we have discovered that it is not possible to isolate data in the Cloud from governmental access based on the physical location of the Cloud service provider or its facilities.  A government’s ability to access data in the Cloud extends across borders.  It is also incorrect to assume that the United States government’s legal right to access to data in the Cloud is greater than that of other advanced economies. As the summary table (see below but also viewable by downloading the pdf file from the panel opposite) reveals, in a number of important areas, the US provides more restrictions on the access of personal data than do EU Member States. 

Mutual Legal Assurance Treaties 

In addition to domestic legal frameworks enabling governmental access to data within a country, there are Mutual Legal Assistance Treaties (MLATs) in place between countries around the world in this area.  These can provide governments with the ability to access data stored in one jurisdiction but needed for lawful investigative purposes in another.  Despite the procedural hurdles that may exist to request and obtain information pursuant to MLATs, these treaties make borders and the physical location of data much less significant barriers to governmental access than is sometimes suggested.  

The existence of MLATs diminishes any argument that data stored in one jurisdiction is immune from access by governmental authorities in another jurisdiction.  For example, Germany signed a Mutual Legal Assistance Treaty in Criminal Matters with the United States in 2003, and a Supplementary Treaty to the Mutual Legal Assistance Treaty in Criminal Matters in 2006.  Both treaties entered into force on 18 October 2009, and allow authorities in each country to request and receive information located in the other’s jurisdiction (including information stored in third-party facilities). 

Off-shore Data

On a related issue, there is significant discussion today about the power of a government to require a party in its jurisdiction to access and produce data stored in another jurisdiction, based on principles of physical presence of the party (not the data, or where the party is headquartered).  In other words, the fact that a business located in one country may have chosen to store its data in the Cloud in another country does not mean that the business is immune from governmental demands for the production of that off-shored data.  Of the countries we surveyed, Germany and Japan are the only two that, in some instances, limit the data that the government can access to that which is physically located on servers within their national borders. 

Cloud Service Providers 

Out of the ten countries we examined, it was notable that every single country vests authority in the government to require a Cloud service provider to disclose customer data in certain situations. In most instances, this authority enables the government to access data physically stored outside the country’s borders, provided that there is some jurisdictional hook, such as the presence of a business within the country’s borders.  Even without that ‘hook,’ MLATs can be used to allow access to data across borders. 

Furthermore, as illustrated in the summary table, in jurisdictions outside the United States, there is the real potential of data relating to a person, but not technically ‘personal data,’ which is stored in the Cloud being disclosed to governmental authorities voluntarily, without legal process and protections.  In other words, governmental authorities can use their ‘influence’ with Cloud service providers – who, it can be assumed, will be incentivized to cooperate since it is a governmental authority asking – to hand over information outside of any legal framework. 

The continuing legitimacy of such practice, at least in respect of EU citizens, may be short-lived in light of the memo of 19 July 2013 in which EU Vice President and Commissioner Viviane Reding stated that governments collecting data on EU citizens outside their territory should never obtain it directly from a company, but should function only under judicial control. 

In contrast, United States law specifically protects such data from access by the government outside of legal process. US law prohibits the voluntary disclosure of any type of Cloud customer data to the government without a formal legal request, unless certain limited exceptions apply, such as in the event of an emergency involving death or serious bodily injury requiring disclosure.  Cloud providers in the US face civil and criminal penalties for violating the laws against voluntary disclosure to the government. 

Conclusion 

Our research suggests that civil rights and privacy protections related to governmental access to data in the Cloud are not significantly stronger or weaker in any one jurisdiction, and that any perceived locational advantage of stored Cloud data can in practice be rendered irrelevant by MLATs.  When looked at in a legislative context, it would seem that businesses mislead themselves and their customers if they rely on an assumption that selecting Cloud service providers based in one jurisdiction or another better insulates data from governmental access.  Instead, our study suggests that it may well be in the interest of businesses to support governmental cooperation in this area, as it is the consistent and reasonably restrained exercise of existing legal authorities that will enable the economic growth and other benefits of Cloud computing. 

The authors are Quentin Archer (partner) – London office at Hogan Lovells; Winston Maxwell (partner) – Paris office at Hogan Lovells; and Christopher Wolf (partner) – Washington DC office at Hogan Lovells. 

GOVERNMENTAL AUTHORITIES’ ACCESS TO DATA IN THE CLOUD: A COMPARISON

The table below summarises by jurisdiction the position concerning governmental access to data in the Cloud (it may be more easily viewed by downloading the pdf file from the panel opposite). 


 

May government require a Cloud provider to disclose customer data in the course of a government investigation?

May a Cloud provider voluntarily disclose customer data to the government in response to an informal request?

If a Cloud provider must disclose customer data to the government, must the customer be notified?

May government monitor electronic communications sent through the systems of a Cloud provider?

Are

government orders to disclose customer data subject to review by a judge?[§]

If a Cloud provider stores data on servers in another country, can the government require the Cloud provider to access and disclose the data?

Australia

Yes

Yes, except for personal data without a legal purpose

No

Yes

Yes

Yes

Canada

Yes

Yes, except for personal data without a legal purpose

No

Yes

Yes

Yes

Denmark

Yes

Yes, except for personal data without a legal purpose

No

Yes

Yes

Yes

France

Yes

Yes, except for personal data without a legal purpose, electronic communications

No

Yes

Yes

Yes

Germany

Yes

Yes, except for personal data without a legal purpose, electronic communications

Yes, except may withhold until disclosure no longer would compromise the investigation or in investigation of serious criminal offenses, national security, or terrorism

Yes

Yes

No, not without cooperation from the other country’s government, except for telecommunications customer non-content data

Ireland

Yes

Yes, except for personal data without a legal purpose

No

Yes

Yes

Yes

Japan

Yes

No – must request data through legal process

No

Yes

Yes

No, not without cooperation from the other country’s government**

Spain

Yes

Yes, except for personal data without a legal purpose

No

Yes

Yes

Yes

United Kingdom

Yes

Yes, except for personal data without a legal purpose

No

Yes

Yes

Yes

United States

Yes

No – must request data through legal process

Yes, for content data, except when the government obtains a search warrant or unless disclosure would compromise the investigation

Yes

Yes

Yes

 



[1]           Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, UK and US.

[2]           Available at http://www.hldataprotection.com/2012/05/articles/international-eu-privacy/hogan-lovells-white-paper-on-governmental-access-to-data-in-the-cloud-debunks-faulty-assumption-that-us-access-is-unique/

[3]           Available at http://www.hldataprotection.com/2013/05/articles/international-eu-privacy/white-paper-cloud-national-security/

[§] ‘Review by a judge’ encompasses either an initial review when issuing the court order, warrant, etc. or subsequent review when the court order, warrant, etc. is challenged by the service provider or customer.

** Under a recently revised criminal procedure law, Japanese law enforcement officials may obtain copies of data located on a remote server if a computer in Japan is able to create, change, or delete data on the server, even if the server is located outside of Japan.  Although computers of Cloud providers may be able to change or delete customer data, the Japanese Ministry of Justice currently takes the position that computers of Cloud providers are not subject to the law.  It is not certain, however, whether Japanese courts would read this same limitation into the law.