While the USA PATRIOT Act (Patriot Act) is frequently identified as the magic wand that allows the government unrestricted and unconditional access to any data, anywhere, anytime, it is merely a series of amendments to laws that have been in existence for more than four decades.
Note on this Series
This article is the second part of a series analyzing the laws that govern access to data and communications by intelligence services and government agencies around the world. Read part one on demystifying the Patriot Act and its impact on cloud computing.
The provisions that govern access to data and communications by U.S. intelligence services and other third parties are found, instead, in dozens of federal laws, such as the Stored Communications Act and the Foreign Intelligence Surveillance Act, and their state equivalents. These comprehensive laws create a complex framework that generally requires review and authorization by judges and annual reports to the Congress on the activities conducted.
While these laws provide a structure for data stored within the purview of the United States, what about data stored in data centers elsewhere in the world? How do applicable foreign data privacy and other laws stack up to the U.S. federal and state laws that regulate government access to data and communications?
In this tip, we'll describe how several countries limit or regulate access by their governments to data stored on their national territory, including how foreign laws affect data stored in the cloud. What may be surprising to some is that most countries grant their law enforcement or intelligence services extensive powers that are similar to, and at times more substantial than, those of their U.S. counterparts.
In Canada, Part II of the Security Intelligence Service Act allows designated judges from the Federal Court to issue warrants authorizing the interception of communications and obtainment of any information, record, document or thing. The judge may issue a warrant authorizing the persons to whom it is directed to intercept any communication or obtain any information, record, document or thing and, for that purpose:
- To enter any place or open or obtain access to any thing;
- To search for, remove or return; or examine, take extracts from or make copies of; or record in any other manner the information, record, document or thing; or
- To install, maintain or remove any thing.
The National Defense Act gives the Minister of National Defense powers that are similar to those granted by the U.S. Foreign Intelligence Surveillance Act, such as the power to authorize the Communications Security Establishment to intercept communications for the purpose of obtaining foreign intelligence. The Minister may only issue an authorization if satisfied of the following:
- The interception will be directed at foreign entities located outside Canada;
- The information to be obtained could not reasonably be obtained by other means;
- The expected foreign intelligence value of the information that would be derived from the interception justifies it; and
- Satisfactory measures are in place to protect the privacy of Canadians and to ensure that private communications will only be used or retained if they are essential to international affairs, defense or security.
Further, several provisions of PIPEDA, the Canadian federal law that governs the protection of personal data, allow national security policies to take precedence over privacy rights. For example, PIPEDA allows an organization to collect, use or disclose an individuals' personal data without the knowledge or consent of the individual in connection with an investigation, or if the information relates to national security, the defense of Canada, international affairs or an investigation, or to comply with a warrant or subpoena.
PIPEDA also contains an exception regarding individuals' right of access to information about them held by organizations, when the organization has disclosed personal information to governmental agencies as described above. If an individual requests that the organization inform him or her about a disclosure of information made to the intelligence services, the organization must notify the government agency (in writing and without delay) to which the disclosure was initially made and cannot respond to the individual until it has received the government agency's response.
In India, the 2008 amendments to the Information Technology Act of 2000 gives extensive powers of investigation to the Indian government for combatting terrorism. For example, the Information Technology Act allows any agency of the Central or State Government to intercept, monitor or decrypt any information transmitted, received or stored through any computer resource, when it is necessary or expedient to do so in the interest of the sovereignty or integrity of India, defense of India, security of the State, friendly relations with foreign states or public order.
In addition, it gives the police the power to enter any public place and search and arrest, without a warrant, any person suspected of having committed, or of committing or about to commit, any act prohibited by the Information Technology Act.
The United Kingdom's Regulation of Investigatory Powers Act 2000 (RIPA) defines the powers of public agencies to carry out surveillance and investigations, intercept and use communications, conduct other related investigations, and follow people and use human intelligence sources.
The law allows public agencies to take part in such activities for national security and for detecting crime, preventing disorder, public safety and public health. RIPA allows the interception of communications, use of communications data, following people and the use of covert human intelligence sources. It may require individuals or companies to supply decrypted information that has been previously encrypted. Failure to disclose this information may be subject to up to two years in jail.
The broad powers of intelligence services
In the global fight against terrorism, espionage and money laundering, among others, intelligence services have been granted significant powers in most countries. All countries have the same general needs for information and concerns over secrecy. International intelligence services frequently cooperate with each other across borders as a result.
U.S.-based entities seem to be better-protected from the invasive activities of intelligence services when compared with the regulations in other countries.
If a cloud service provider receives a request from an intelligence service or other law enforcement authority of the country in which it is located, in the manner prescribed by applicable law, it does not have many choices beyond providing access to the company's data, unless the CSP opts to fight the request and argue that the request is illegal, does not conform to the legal requirements or is too broad. This should be considered a rule of thumb in most countries and applies just as much when the government authority is that of the United States, Canada, India or any other country.
The problem of the prerogatives and powers granted to United States intelligence services may actually be less serious than in other countries, because U.S. laws generally contain strict and detailed rules, provide transparency and require law enforcement agencies to make numerous disclosures of their activities. U.S. laws also feature many control measures (e.g., annual reports), detailed procedures (e.g., warrant or a court order) and procedural rules. In countries such as India, access to servers by judicial police or intelligence services is less regulated. This lack of transparency may cause the public to be unaware of the extent of the government's surveillance capabilities.
U.S.-based entities seem to be better protected from the invasive activities of intelligence services, compared with the regulations in other countries. At least in the United States, laws require reports on the activities of these investigative services.
From the editors: More on international cloud computing laws
How do EU regulations affect cloud users?
Review legal issues stemming from data location in the cloud.
Wherever their data is stored or hosted by a third party, cloud service users should remain aware of the possibility that a government can obtain access to the data, especially when there are overarching reasons, such as national security or the prosecution or prevention of serious crimes. This has always been the case, even when data was stored on server farms in the same city. The cloud changes the dynamic, because the data may be held in a server located anywhere in the world, which makes data accessible by more governments under many more laws.
When CSPs operate within the jurisdiction of a country, they must understand and abide by the rules in effect in that country. Concurrently, they have an obligation to their customers to respond to government and other requests for access to data in their custody in a responsible manner. They must evaluate the request for access to determine whether it conforms to the requirements of the applicable law and, when possible and permitted, inform the customer that their data was accessed.
To be able to address such requests in an appropriate manner, they should implement processes and procedures to analyze government and third-party requests for access and to respond to these requests in accordance with the applicable laws. Before engaging a CSP, customers should perform due diligence and inquire about the existence of these processes and procedures, as a way to evaluate the CSP's level of awareness of these laws and complex issues.
About the author
Francoise Gilbert focuses on information privacy and security, cloud computing and data governance. She is the managing director of the IT Law Group and serves as the general counsel of the Cloud Security Alliance. She has been named one of the country's top privacy advisors in a recent industry survey and, for several years, has been recognized by Chambers USA and Best Lawyers in America as a leading lawyer in the field of information privacy and security. Gilbert is the author and editor of the two-volume treatise Global Privacy and Security Law, which analyzes the data protection laws of 65 countries on all continents. She serves on the Technical Board of Advisors of the ALI-ABA and co-chairs the PLI Privacy and Security Law Institute. This article only reflects her personal opinion and not that of her clients or the Cloud Security Alliance.