No Cloud Over the Patriot Act. March 2012 M

No Cloud Over the Patriot Act


1. Introduction

1.1. All governments, including Ireland, have become more alert to national security risks in the wake of the 9/11 attacks and the attacks in London in 2005. Various laws have been introduced nationally and treaties have been put in place between nations to address these concerns and bolster the ability of law enforcement authorities to co-operate across borders in the investigation, apprehension and conviction of criminals and terrorists.

1.2. There has been recent coverage of legal concerns expressed in relation to the USA Patriot Act 2001 (“the Patriot Act”), particularly in the context of cloud computing services. These concerns primarily focus on a suggestion that the legislation provides over-broad powers for US law enforcement authorities to subpoena business records from companies connected with the US, regardless of location or jurisdiction. Those said to be at particular risk are businesses that store data on a cloud service provided from the US, or that rely on a US cloud service provider company operating through a European subsidiary or parent.

1.3. Cloud computing does not in fact give rise to any legal issues over and above those that naturally arise in the purchase of IT services and applications over the internet. National and European laws dealing with IP, IT and ecommerce have been in place for many years and are well equipped to regulate these types of solutions. European data protection legislation, amongst other laws, fully regulates the offering and use of cloud computing services. That law is flexible: its application is determined by the nature of the specific services and adapts to the sector in which the cloud computing customer operates, be that, for example, banking, retail, high tech, or indeed the public sector.

1.4. One must accept however that at times there appears to be a knowledge deficit in relation to how well in fact data protection laws protect users of cloud computing services. It is therefore important to understand the extent of the legal framework in place. Existing law only allows justifiable disclosure of data across jurisdictions, and strongly mitigates the risk of data misuse.

1.5. Ireland has a progressive cloud services market and legal ecosystem. The robust regulatory environment and sophisticated legislation, along with other factors, position Ireland, from a legal perspective, as a logical and leading location for consumers and providers of cloud solutions in Europe. As an example of Ireland’s regulatory reputation, many multinationals are choosing Ireland as the jurisdiction of choice for Europe-wide data protection law compliance, favouring the Irish Data Protection Regulator over other national regulators to take responsibility for their business activities in Europe.

1.6. This note addresses the perceived concerns about the Patriot Act and, in the data protection context, cloud computing. We look at the data access regime under the Patriot Act and under Irish and European law. Although the analysis is carried out from an Irish comparative law perspective, we know from other international commentaries that broadly similar conclusions are reached when carrying out the same analysis of national legislation in other European jurisdictions.

2. Executive Summary

2.1. The following facts should inform the basis for any discussion on the Patriot Act:

(i) The Patriot Act provides for the U.S. government to issue legal proceedings compelling the production of data to specific law enforcement authorities, such as the FBI, for the purposes of national security or investigating crimes related to national security threats, such as terrorism. It does not relate to technical security of data. All service providers must separately ensure adequate technical and security measures are in place pursuant to strict provisions of Irish and European data protection law.

(ii) Provision of cloud services requires the same level of legal compliance as, and brings no additional legal risk compared with, any other form of IT service and application over the internet. The powers conferred by the Patriot Act do not have any specific application to cloud service providers, whether based in the US or Europe. The powers of law enforcement pertain to both cloud and other IT architectures, meaning that there are no “cloud specific” jurisdictional issues that arise.

(iii) The powers granted to specific US law enforcement authorities under the Patriot Act already existed prior to the enactment of the statute in 2001 and are no broader than equivalent powers granted to law enforcement authorities in Ireland, and in other European jurisdictions. Existing national laws in Ireland already allow for law enforcement access to data for the purposes of national security and investigating crime. The general principles enshrined in the Patriot Act are not new to Irish citizens.

(iv) International co-operation between governments on criminal investigations is a long established practice. Mutual Legal Assistance Treaties signed by Ireland allow for the sharing of information with authorities in other jurisdictions, including the US. These treaties, while proportionate, in fact go beyond the investigative powers given to the US authorities by the Patriot Act.

(v) Irish contract law fully functions alongside the regulatory framework as a risk management tool for users in relation to access and security of their data. The law caters for robust contract provisions regarding security breaches, data back-up procedures and access controls. Users seek to rely on brand and reputation as barometers of assurance on these issues, and there is significant choice of players in the cloud services market to ensure the appropriate protection is secured.

(vi) Data retention, which is not the subject matter of the Patriot Act (and which in fact is not a matter specifically addressed under US law), is subject to an EU wide legal regime requiring adherence by service providers, whether based in the US or the EU, and whether offering cloud or other services. Ireland and Europe have strict data retention laws and a regime that provides for access rights of governments to communications data by way of established legal processes.


(vii) Only when there is serious crime or a threat to national security do the powers under the Patriot Act come into play. The access rights are not unfettered but are exercised subject to judicial review procedures as well as executive and legislative oversight. A suggestion that a person using the data services of a US company will be automatically subject to US government scrutiny and interception of their data is incorrect, in the same way that a suggestion that a person using the services of a company resident in one EU country will be automatically or only subject to the laws of that country is incorrect.

(viii) Being subject to the jurisdiction of the Patriot Act does not affect a company’s ability to fully comply with European data protection legislation. The reality is that all companies dealing with personal data of European data subjects are subject to commitments mandated by the European data protection legislation; for example, safe harbor and model contracts are mechanisms widely used by US corporations.

(ix) Finally, there is no basis for a view that data is more likely to be subject to interception or other investigative orders in one jurisdiction over another, or as a result of the Patriot Act. There is also no basis for a view that cloud services are more susceptible to the laws than other forms of data processing and storage. The laws apply because an entity processes data, not because it does so in a particular jurisdiction or in the cloud.

2.2. There are six sections to this note, each supporting the conclusions reached above following an analysis of the relevant laws, under the following headings:

(i) The USA Patriot Act 2001 (as amended);

(ii) Equivalent law in Ireland;

(iii) Inter-governmental cooperation;

(iv) Jurisdiction and cloud services;

(v) The rights of Data Subjects; and

(vi) Compliance with data protection law.

3. The USA Patriot Act 2001

Scope of the Patriot Act

3.1. The Patriot Act has a defined bounded scope and limitations as regards access to records. Section 215 of the Act permits the issuance of ex parte Magistrate Judge court orders as follows:

“The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities, provided that such investigation of a United States person is not conducted solely upon the basis of activities protected by the first amendment to the Constitution.”


3.2. Similarly, pursuant to Section 505 of the Patriot Act, the FBI may, through the use of National Security Letters (NSLs), obtain personal non-content related customer records, such as basic subscriber information and some records from financial institutions, such as basic credit history reports, without prior court approval. These actions are still however subject to executive and legislative review and due process procedures.

3.3. The US statute and courts recognise an extra-territorial reach outside the US jurisdiction where a company has a presence in the US, or impacts the US from afar,[1] and is in “possession, custody or control” of data. The US courts examine whether a particular entity has the requisite degree of control over relevant documents and look at the closeness of the relationship between entities in order to determine whether it is an entity whose data is covered by US law. If the US courts conclude that to be the case, they may issue a court warrant or a subpoena against that entity pursuant to the provisions of US law.

3.4. The powers under the Patriot Act are not novel to the US system, nor indeed, as we will see below, to the Irish or European legal systems. The US courts have, for many years, had the power to require companies that are subsidiaries or affiliates of US governed entities to produce documents located abroad over which they have control.[2] The Patriot Act merely clarified, and arguably only slightly expanded, some pre-existing laws to enable the United States to more effectively combat terrorism threats.

3.5. The US government is not required to serve notice of a search warrant that has been served on a service provider to affected subscribers who sent or received e-mails. The service provider may be prevented from notifying its subscribers on foot of the court order obtained. This is a similar approach to that which applies to interceptions of emails in Irish law under the 1993 PPTM Act (discussed below), which logically provides that the circumstances of interception should not be disclosed to the subscriber who sent or received the intercepted message.[3]

3.6. If US law is not applicable to a situation, say on jurisdictional grounds, US law enforcement agencies may still seek the assistance of Irish law enforcement agencies under the Mutual Legal Assistance Treaties. In fact, even if US law would apply, they may still opt to take this alternative route. Similarly, where Irish law enforcement authorities wish to seek delivery up of certain documents from a US governed entity, it is open to them to seek the assistance of US law enforcement agencies under the Mutual Legal Assistance Treaties. This particular mechanism of access to data is discussed in more detail below in Section 5.

3.7. Neither the Patriot Act nor the equivalent Irish legislation changes in any way in its application because a service is being provided by means of the cloud or otherwise. The jurisdiction tests applied to cloud services providers are the same as for any other IT services providers. This is discussed in more detail below in Section 6.

[1] In re Grand Jury Proceedings (Bank of Nova Scotia), 691 F.2d 1384 (11th Cir. 1982), cert. denied, 462 U.S. 1119 (1983).

[2] In re Uranium Antitrust Litig., Westinghouse Electric Corp., 480 F.Supp. 1138, 1148 (N.D. Ill. Nov. 7, 1979). This case involved a US company that exchanged certain information with its parent company in Canada. The court looked at the “control” exercised by the US subsidiary over the information held by the Canadian parent company.

[3] Interception of Postal Packets and Telecommunications Messages (Regulations) Act 1993, Section 12 which provides

No application to Technical Security

3.8. The Patriot Act does not relate to, nor do cloud services give rise to, any particular legal issues in respect of physical or technical data security. Cloud service providers operating in Europe must have adequate technical security measures in place in relation to the processing and storage of data, pursuant to EU data protection legislation. This applies in the same way and to the same extent as to any other provider of services, whether cloud or otherwise. Companies from the US must equally comply with the provisions of such legislation in relation to data transferred to the US from the EU through, for example, safe harbor or model clauses. The distinction between technical standards and data privacy is an important one. They are separate legal and commercial concepts, and the Patriot Act has no application to technical standards. Those attempting to discourage use of the services of US linked service providers often confuse the two, saying that the US government can readily access data from non-US based service providers because of the Patriot Act.

4. Equivalent Law in Ireland

4.1. In Ireland, various legislative provisions give state authorities the power to access third party owned data and records. It is to be noted that the Irish legislation has no application that is in any way particular to cloud computing services. It equally applies to all forms of information technology services. A summary of the relevant legislation is set out in the table below and then discussed in more detail in the paragraphs that follow.

Table - Legislative Summary

Legislation: Postal and Telecommunications Services Act 1983 (“the 1983 PTS Act”) and the Interception of Postal Packets and Telecommunications Messages (Regulations) Act 1993 (“the 1993 PPTM Act”)
Application: Permits limited authorisation for interception of postal packages and telecommunications messages (to include emails) for national security or criminal investigations. This is only applicable to certain licensed providers of telecommunications networks under Irish law.

Legislation: The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (“the 2011 Regulations”)
Application: Provides that listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, is prohibited (unless authorised under the PPTM Act or other laws that would fall under Article 15 of Directive 2002/58 EC).

Legislation: Criminal Justice (Surveillance) Act 2009 (“the 2009 CJ Act”)
Application: Permits ex parte orders for surveillance.

Legislation: Criminal Justice Act 2011 (“the 2011 CJ Act”)
Application: Permits a court to make orders for delivery and/or making available of documents (to include electronic files and other formats) to the Gardai in the context of a criminal investigation.

Legislation: Data Protection Acts 1988 – 2003 (“the Data Protection Acts”)
Application: Provides for strict governance of data processing by controllers and processors of data. Data processing carried out by a Garda or a member of the Defence Forces or by order of a court will be excluded from the general rules under the Data Protection Acts.

Legislation: Communications Retention of Data Act 2011 (“the 2011 Data Retention Act”)
Application: Data (to include call records and traffic data) which is retained by a person engaged in the provision of a publicly available electronic communications service or public communications network under this Act may be requested by the Garda where it is required for the prevention, detection, investigation or prosecution of a serious crime, the safeguarding of the security of the State, or the saving of human life.

The 1983 PTS Act & the 1993 PPTM Act & the 2011 Regulations - Interception

4.2. Under the Postal and Telecommunications Services Act 1983 (“the 1983 PTS Act”) and the Interception of Postal Packets and Telecommunications Messages (Regulations) Act 1993 (“the 1993 PPTM Act”), interceptions of postal packets and telecommunications messages are permitted when undertaken on the order of the Minister for Justice, Equality and Law Reform in circumstances where a serious crime is being investigated or in the interests of national security. Interception is otherwise prohibited. Interception is defined as including:

“An act that consists of the opening or attempted opening of a postal packet addressed to any person or the delaying or detaining of any such postal packet or the doing of anything to prevent its due delivery or the authorising, suffering or permitting of another person (who is not the person to whom the postal packet is addressed) to do so”[4]

or

“An act that consists of the listening or attempted listening to, or the recording or attempted recording, by any means, in the course of its transmission, of a telecommunications message, other than such listening or recording, or such an attempt, where either the person on whose behalf the message is transmitted or the person intended to receive the message has consented to the listening or recording.”[5]

[4] Interception of Postal Packets and Telecommunications Messages (Regulations) Act 1993, Section 1.

[5] Ibid.


4.3. The Irish Law Reform Commission has indicated that the reference to “telecommunications message” in the 1983 PTS Act would include electronic mail.[6] The Commission is a body set up by the Irish government to review certain areas of the law from time to time to understand where such law may require revision or amendment.

4.4. The 1993 PPTM Act applies to interception of communications being transmitted by certain licensed providers of telecommunications services in Ireland (and so would not apply to all electronic content services). The European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011 (“the 2011 Regulations”) now also provide that the listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, is prohibited.[7] This however is without prejudice to the rights to intercept granted under the 1993 PPTM Act.

4.5. Under the 1993 PPTM Act, where an authorisation for interception of an electronic communication has been made, the existence of such authorisations, or the contents of any communications which have been intercepted pursuant to such authorisations, must not be disclosed, save to the extent necessary for the purpose of the prevention or detection of serious offences or in the interests of the security of the State.[8] This would include, where the circumstances demand it, no disclosure to the data subject being investigated.

The 2009 CJ Act - Surveillance

4.6. Under the Criminal Justice (Surveillance) Act 2009 (“the 2009 CJ Act”) the Gardai (the Irish Police force), Revenue and Defence Forces can each apply to a judge ex parte for authorisation to carry out surveillance. The word surveillance excludes anything which could be interpreted as meaning “interception”, but it includes “monitoring, observing, listening to or making a recording of a particular person or group of persons or their movements, activities and communications, or monitoring or making recordings of places or things”.[9]

The 2011 CJ Act - Document Delivery-Up Orders

4.7. Under the Criminal Justice Act 2011 (“the 2011 CJ Act”) a member of the Gardai may apply to a District Court Judge for an order in relation to the making available by a person of any particular documents or documents of a particular description.[10] In this context, “documents” will include documents in electronic or any other form from which information can be extracted. The application is to the District Court in the district where the documents sought are located or where the person ordinarily resides, or, if that person is a company (within the meaning of the Irish Companies Acts), the district in which the registered office of the company is situated or the company carries on any business.[11] Orders of this nature do not extend to privileged documents, and that principle continues to apply in any prosecution.

[6] The Law Reform Commission Consultation Paper on “Privacy: Surveillance and the Interception of Communications” from 1996 indicated that the meaning of “telecommunications message” would include email which was intercepted while it is being transmitted by a licensed operator of a telecommunications service.

[7] European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, Section 5(1).

[8] This position has been confirmed by the Information Commissioner in a decision in X and the Department of Justice, Equality & Law Reform [2003] IEIC 5 (12 February 2003) (which involved a request for information under the Freedom of Information Act).

[9] Criminal Justice (Surveillance) Act 2009, Section 1.

[10] Ibid, Section 3.

4.8. The 2011 CJ Act is silent as regards whether the Gardai must notify third parties who are affected by an order for delivery up of documents. It is likely that restrictions on notifying, or conversely obligations to make notifications to, third parties would be addressed by the District Court when making any Order under the 2011 CJ Act. It is assumed that if a company is ordered by this mechanism to make available documentation or personal data relating to an individual in the context of an investigation into crime and/or a national security threat, circumstances would require the individual not to be notified. This view is supported by the approach under the 1993 PPTM Act discussed above and by the position in law that processing of data carried out by a Garda or a member of the Defence Forces is expressly excluded from the general rules under the Data Protection Acts applicable to personal data.[12] This is the same approach as enshrined in the anti-tip-off provisions in the Patriot Act.

The 2011 Data Retention Act - Data Retention

4.9. Although data retention obligations are not matters covered by the Patriot Act, under the Irish Communications Retention of Data Act 2011 (“the 2011 Data Retention Act”) a service provider (a person engaged in the provision of a publicly available electronic communications service or public communications network by means of fixed line or mobile telephones or the Internet) must retain certain data (call records) for a period of 2 years and other data (to include traffic data) for a period of 1 year. A Garda (not below the rank of Superintendent) may request the data described above where he is satisfied that it is required for the prevention, detection, investigation or prosecution of a serious crime, the safeguarding of the security of the State, or the saving of human life.[13] This type of data is as to the “who, where and when” of communications – so-called communications data. In our opinion data retention compliance also represents a significant obligation in Irish and European legislation to respond to requests for disclosure of personal data to law enforcement authorities. The principles behind the Patriot Act are not therefore novel to Ireland or Europe when one considers the ability for government access to data under this legislation alone.

5. Inter-Governmental Cooperation

Mutual Legal Assistance Treaties

5.1. The mutual legal assistance provisions of the Criminal Justice (Mutual Assistance) Act 2008 provide for co-operation between Member States (as they are defined in that Act). The term “Member States” encapsulates “designated states” (to include the US) with respect to certain types of assistance, for example, the provision of evidence (however, data interception assistance is only provided to EU Member States).[14] In particular:

[11] Criminal Justice Act 2011, Section 15(18).

[12] Data Protection Act 1988 (as amended), Section 8 provides that, where a Garda (not below the rank of Superintendent) or a member of the Defence Forces (not below the rank of colonel) is of the view that it is necessary to process personal data for the purpose of safeguarding the security of the State, or for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, then the provisions of the Data Protection Acts 1988 – 2003 (“the Data Protection Acts”) do not apply.

[13] Communications Retention of Data Act 2011, Section 6(1) – (3).


(i) A request may be made to Ireland for interception of data where a criminal investigation is underway in a Member State. Conditions of interception include:

(a) existence of a lawful interception order or warrant issued in the Member State; and

(b) a request made to the Minister for Justice, Equality and Law Reform for the interception and immediate re-transmission or recording of telecommunications messages and later transmission to the relevant foreign authority.

The specified person must be present in a Member State and Ireland’s assistance to intercept should be required, or the person must be present in Ireland and interception can take place within Ireland. If the person whose communications are to be intercepted is present in Ireland, the Minister may only authorise interception where the conduct under investigation would, if occurring in Ireland, constitute a serious offence and would justify the making of an interception authorisation.

(ii) A request for a search for evidence from a Member State (which in this case can include the US), for assistance in obtaining evidence for the purposes of a criminal investigation or criminal proceedings in that Member State where a search power exists in Ireland in relation to the conduct giving rise to the offence, may be transmitted to the Irish Central Authority. The request may be dealt with:

(a) in cases where the offence is punishable under Irish law and that of the Member State concerned by imprisonment for at least six months; or

(b) where the offence is punishable under Irish law by at least six months’ imprisonment and where it is being prosecuted in the Member State concerned by administrative authorities, whose decision may give rise to criminal proceedings; and

(c) in cases from a “Designated State” (meaning, in this context, a country with which Ireland has a Mutual Legal Assistance Treaty but which is not a member of the EU, e.g. the US) when dual criminality applies.

(iii) Requests may be made for information in relation to any financial account(s) that may be held in Ireland by a person who is the subject of a criminal investigation in Member States (to include the US).

5.2. Where an investigation is ongoing in Ireland and the Minister has given an authorisation under the 1993 PPTM Act for interception, and a person to whom the authorisation applies is present in an EU Member State, the Minister may cause a request for interception to be made to the competent authority in that country or may communicate a request for evidence.[15]

5.3. Many other European countries have similar Mutual Legal Assistance Treaties in place between them. If the Patriot Act cannot be utilised for a particular set of circumstances, the US authorities may separately rely on these treaties in order to seek orders, for example, for information regarding financial transactions or other similar evidence. The Patriot Act does not therefore increase the ability of the US government to gain access to data in the limited circumstances covered by it, as that ability already exists pursuant to Mutual Legal Assistance Treaties.

5.4. The Irish legislative provisions mentioned above are broadly in line with the provisions of a recently published proposal for a new EU Directive on the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences.[16] This new Directive will oblige Member States to enact laws to regulate the processing of personal data by competent authorities within the Member States. Of note, the Directive expressly provides for derogation from certain controls on the transfer of personal data to third countries or international organisations. The derogation permits those transfers by competent authorities where:

(i) the transfer is necessary in order to protect the vital interests of the data subject or another person; or

(ii) the transfer is necessary to safeguard legitimate interests of the data subject where the law of the Member State transferring the personal data so provides; or

(iii) the transfer of the data is essential for the prevention of an immediate and serious threat to public security of a Member State or third country; or

(iv) the transfer is necessary in individual cases for purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties; or

(v) the transfer is necessary in individual cases for the establishment, exercise or defence of legal claims relating to the prevention, investigation, detection or prosecution of a specific criminal offence or the execution of a specific criminal penalty.

It is hard to see material differences between the objectives of this new proposed Directive in EU law, and the objectives of the Patriot Act under US law.

Letters Rogatory

5.5. Finally, in addition to Mutual Legal Assistance Treaties, many nations can rely upon letters rogatory (which are court to court requests for evidence) in order to access foreign based information.[17] This method is used for obtaining judicial assistance from abroad in circumstances where there is no mutual assistance treaty or agreement in place. The letters rogatory regime has been in place and used as a practice for many years, well prior to the introduction of the Patriot Act.

[16] Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data, COM (2012) Final – published on 25 January 2012.


6. Jurisdiction and Cloud Services

6.1. Cloud computing services in general refer to the provision of off-site third party servers which are connected wirelessly by internet to a customer’s own computer systems, thereby allowing the remote transfer, storage and retrieval of large amounts of customer data in an efficient and secure manner. Naturally, this gives rise to data transfers to countries where the data can often be stored on physical servers in a country different to the one in which the customer is based. This is the reason that cloud services have attracted attention and apparent concerns in the wake of the Patriot Act. However, such concerns overlook the true purpose of the Patriot Act, and of similar national legislation in the EU, which is national security and assisting with the investigation of serious crime. It is not to capture information just because it is likely to be processed in different jurisdictions by particular service providers. The target is not the service provider; it is the person who makes use of the service for illegal purposes.

6.2. The US laws discussed above give US authorities jurisdiction over US companies or any companies that have a presence in the US or impact the US from afar (see discussion above at paragraphs 3.1 – 3.3). This is sometimes termed “minimum contacts” with the US. It permits the US authorities to enforce its provisions against non-US entities and non-US data. This has given rise to claims that the Patriot Act gives some type of new excessive extra-territorial jurisdiction to the US courts. However the Patriot Act’s reach is anchored in well established US legal precedent. US courts have long required US affiliates or subsidiaries of a foreign corporation to produce documents located abroad by the domestic affiliate or subsidiary that has control over the documents. The same principles in fact apply in Ireland.

6.3. Firstly, the Irish courts exercise a similar extra-territorial jurisdiction when it comes to discovery of documents in civil proceedings. At a simple level the jurisdiction of US law is scrutinised on the basis of the twofold test – “minimum contacts” with the US – and then those documents that are in the “possession, custody or control” of the party (although there are some variants which exist between civil and criminal cases). Irish rules of civil discovery permit the Irish court to exercise its jurisdiction over “any relevant documents” (including personal data), that are in the “possession, power or procurement” of a party.18 Disclosure orders for data can be made against parties that are not named in legal proceedings by means of pre-action discovery, non-party discovery (discovery against a third party not named in the proceedings) and Norwich Pharmacal orders.19 In terms of criminal cases the position is largely dealt with under the 2011 CJ Act and other laws discussed above and is not dissimilar in scope (although some of the discovery powers are as yet untested). The US concepts are therefore very familiar in Irish law, and disclosure orders in both jurisdictions often extend to companies within an international group. For example, if a foreign company has a presence in Ireland the Irish courts can compel disclosure of any data, here or abroad, that is within the “possession, power or procurement” of the foreign company (which would include data held by any companies within its international group).

18Rules of the Superior Courts, Order 31, Rule 12(1)

19Norwich Pharmacal v Commissioners of Customs & Excise [1974] UKHL 6 – This was the seminal case in which the UK courts first provided for a Norwich Pharmacal order. Such orders require a defendant to disclose certain documents or information to the plaintiff. The defendant must be a party involved or mixed up in a wrongdoing, whether

6.4. Secondly, the Irish legislation gives the Irish authorities jurisdiction over a large number of parties and situations. These include all those situations where an Irish company is involved, and jurisdiction is collectively asserted over:

§ any person or body licensed to operate a telecommunications service in Ireland [interception]; or

§ any company or person who makes calls to any third party in Ireland or sends telecommunications messages to any third party in Ireland through a licensed Irish telecommunications service; [interception]; or

§ any person who ordinarily resides, or carries on any profession, business or occupation in Ireland [delivery up orders or surveillance]; or

§ any company that has an office, agency or branch in Ireland from which it carries on an activity and processes personal data in that context [data protection acts and surveillance]; or

§ any company that makes use of equipment in the state for the purpose of processing personal data [data protection]; or

§ any party engaged in the provision of electronic communications services or public communications networks in Ireland [delivery up of traffic data records, surveillance, and data protection acts].

6.5. As an observation, one can see that the location of servers is not by any means a determinative factor in deciding jurisdiction or law enforcement powers under the Irish or US legislation. There are situations where the US legislation gives jurisdiction over a company that might have servers in Ireland (or elsewhere). There are situations where the Irish legislation gives jurisdiction over a company that might have servers in the US (or elsewhere) – in fact once data passes through a network in Ireland it is effectively caught by the Irish legislation. In other words the target is not dependent on the location of servers; it is the person who makes use of the service for illegal purposes that is the target of Irish or US authorities.

7. The Rights of Data Subjects

7.1. As with Irish law, US law counterbalances any legitimate and lawful intervention by making it a legal requirement that any authorisation, subpoena or warrant granted under the Patriot Act must overcome the legal test of being justified as “necessary and proportionate” to any given set of circumstances. Furthermore the authorisation, subpoena, warrant or other order made under the Patriot Act is subject to robust review and oversight procedures from judges, executive branch officials or the US legislature. As with Irish law and the relevant Irish legislation, only where there is suspicion of a serious criminal offence or a threat to national security do the powers under the Patriot Act come into play. Accordingly, any suggestion that a person using the data services of a US service provider will be automatically subject to US government scrutiny and interception of their data, is wrong.

Proportionality and Privacy

7.2. Ireland has a written Constitution which, like the Constitution of the United States, recognises and guarantees a general right to privacy. It is also accepted legal principle that the right to privacy is always balanced with other competing interests, such as the need to pursue criminal investigations and protect national security. This balance is expressly acknowledged in several European Directives including Directive 2002/58/EC (on privacy and electronic communications) and Directive 2006/24 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks. Both of these Directives recognise the necessity of data interception and retention principles in national law, subject always to the requirement that such measures be “appropriate, strictly proportionate to the intended purpose and necessary within a democratic society”.20

7.3. The provision of cloud computing services is caught squarely by existing privacy laws and in Europe those laws are now seen as reflecting fundamental human rights, as evidenced by their inclusion in the European Charter of Fundamental Rights. There are fundamental protections in place under privacy law for data subjects.

Contract Law

7.4. A further important legal check on any risks or exposure arising in the context of the provision of cloud services is in contract law. Parties are free at all times to negotiate the terms of their contracts and in that way protect themselves by robust contract provisions regarding security breaches, data back-up procedures and access controls. Users seek to rely on brand and reputation as barometers of assurance on these issues, and there is significant choice of branded players in the cloud services market to ensure that for any particular needs of a user the most appropriate protection is secured. Users can contractually ensure that service providers may only access their private data to operate, maintain and protect the service on their behalf, and if access is required by law that appropriate mechanisms and maximum protections are put in place.

Confidentiality

7.5. All parties to cloud services arrangements are subject to strict confidentiality obligations in law. There are well established common law principles that require the service provider not to disclose any information to third parties. In the US there is also the Electronic Communications Privacy Act (ECPA) which provides for specific statutory protections.21 There may be exceptions to this obligation, and the Patriot Act may qualify as one, but any stepping outside the very strict and protective provisions of the ECPA will give rise to a claim in damages under the law for misuse of confidential information.

8. Compliance with Data Protection Law

8.1. Some commentary on the Patriot Act suggests that it may affect the ability of a company coming under its jurisdiction to fully comply with its European data protection obligations. This is not the case. All companies dealing with personal data of European data subjects are subject to commitments mandated by the European Data Protection Directives (i.e. under safe harbor and/or model contracts). These mechanisms are widely used and legally safe. For example, under the EU Standard Contractual Clauses, footnote 1 to clause 5 provides:

20EC Directive 2002/58, Recital 11

“Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society …that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses.”

8.2. Accordingly the exercise of rights by the US government under US law, while obeying fair process principles and pursuing public security interests, is no obstacle to a data transfer from Ireland to the U.S. Along the same line of argument the Safe Harbor Principles provide for exclusion from the normal rules “to the extent necessary to meet national security, public interest, or law enforcement requirements”. Therefore transmissions for cloud computing purposes to a non-European country can be justified on the basis of EU Standard Contractual Clauses or, in particular with respect to the U.S., on the basis of Safe Harbor. The remote risk of a data access by U.S. authorities based on the Patriot Act does not preclude this.

8.3. Under Irish law where a court order is granted in respect of, or request made to (where the request must by law be acceded to), a service provider for delivery of documents, records, call logs or traffic data, there will be no data protection law breach by such disclosure. Section 8 of the Irish Data Protection Acts 1988-2003 lifts the restriction on disclosure in certain circumstances, so that disclosures may be made in cases where the individual’s right to privacy will be balanced against other needs of civil society. These circumstances include:

(i) “in the opinion of a Garda Siochana not below the rank of chief superintendent or an officer of the Defence Forces who holds an army rank not below colonel and is designated by the Minister for Defence…required for the purpose of the security of the State”22;

(ii) “required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders…”23;

(iii) “required in the interests of protecting the international relations of the State”24;

(iv) “required by or under any enactment or by rule of law or order of a court”25.

In addition the Data Protection Acts provide that personal data may be processed where it is “necessary in order to comply with a legal obligation to which the data controller is subject other than an obligation imposed by contract”.26 A cloud services user or provider facing a request by local enforcement authorities under the Patriot Act or pursuant to the Irish legislation, will be compliant with data protection laws if it accedes to such request by relying on any number of the above exemptions.

22Section 8(a) of the Data Protection Acts 1988-2003

23Section 8(b) of the Data Protection Acts 1988-2003

24Section 8(c) of the Data Protection Acts 1988-2003

25Section 8(e) of the Data Protection Acts 1988-2003

8.4. A Draft Regulation at a European level has been published which is of some relevance to the above discussion. The provisions of the Draft Regulation may provide further footing for data controllers who are subject to the Patriot Act and based in Europe (albeit that it may require more compliance actions by those entities).27 The Draft Regulations envisage the establishment of “supervisory authorities” in Member States with the authority to supervise the application of the Draft Regulations.28 The Draft Regulation would provide that a data controller operating in the European Union will be prohibited from disclosing any personal data to a recipient located in a third country if so requested by the judicial or administrative authority in the third country unless:

(i) this transfer is authorized by an international agreement; or

(ii) is provided by mutual legal assistance treaties; or

(iii) is approved by a supervisory authority.29

This may mean that a US governed entity who receives a warrant or subpoena under the Patriot Act requesting the disclosure of personal data, may need to notify the supervisory authority of the request and obtain prior authorization for the transfer unless the data is requested through the Mutual Legal Assistance Treaty provisions already outlined above.

8.5. We understand that it is anticipated that the above Draft Regulations will not come into effect until at least two years from their publication (i.e. until mid-late 2014). It will mean that the legal position will be further clarified by means of European regulations, which will likely set out clearly the level of compliance and co-operation required under the Patriot Act. The promotion of co-operation through international agreements, assistance treaties and through considered regulation, is to be encouraged.

9. Conclusion

9.1. The Patriot Act and concerns about privacy and security are cited as justifications for companies not migrating to cloud based services from US linked providers. These concerns are typically raised by supporters of service providers with predominant links to Europe, to drive a competitive advantage. There is another view that in fact greater security, privacy and reliability are available where data is backed up to a cloud rather than the PC-based computing model. Notwithstanding the technical security comparisons between solutions, there is certainly no basis for a view that data is more likely to be subject to interception or other investigative orders in one jurisdiction over another, for US service providers more than European service providers, or as a result of the Patriot Act. There is also no basis for a view that cloud services are more susceptible to these laws than other forms of data processing and storage such as on-premises, or that governments have any particular appetite to gain access to data stored in the cloud. The international laws apply because an entity processes data, not because it does so on servers in one jurisdiction or in the cloud; the target of law enforcement authorities’ international cooperation is the person who uses the service for illegal purposes, regardless of location or solution. If interception or other investigative orders are to be avoided entirely, then the only solution would be not to process data at all.

26Data Protection Act 1988 (as amended), Section 2A(1)(b)(iii)

27Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM (2012) 11/4 draft – published January 25 2012

28Ibid, Article 46 - A Supervisory Authority is to be appointed by each Member State

29Ibid, Article 42

9.2. There will always be circumstances where law enforcement authorities will have the right to obtain or intercept data. Putting in place the correct procedures and protocols to deal with such eventualities is of greater importance than trying to find ways of avoiding international law enforcement by jurisdiction shopping to attempt to avoid US law. In deciding whether to adopt a cloud solution the focus should be on more important and productive matters such as the nature of the data, the corresponding security required, the ease with which data will need to be accessed, the contract and the reputation of the cloud service provider. Measures introduced by the Patriot Act, and under Irish and European law in this area, are proportionate and address the very limited circumstances. They should not determine the choice of provider or solution. The laws that are in place ensure the correct balance between privacy and other interests so that data storage that is dependent on cloud technology is no less attractive than alternative options because of these laws.


For further information please contact:

John Whelan, Partner, [email protected]

Sally-Anne Hinfey, Solicitor, [email protected]

A&L Goodbody Head Office, IFSC, North Wall Quay, Dublin 1

www.algoodbody.com

About the Authors

John Whelan is a Partner and heads up the IP & Technology Group at A&L Goodbody. His practice spans commercial and contentious IP/IT, and he also co-heads the Data Protection Advisory Group. He has spoken at many data protection conferences including the IIR Annual Conference both in Ireland and the UK, has authored articles and is the Irish correspondent writer for the online publication Data Guidance.

Sally-Anne Hinfey is a solicitor in the IP & Technology Group in A&L Goodbody. She has a degree and a PhD in law and has written on topics in relation to intellectual property, information technology and data protection law including recently in the Journal of Intellectual Property Law and Practice ((2011) 6 Jnl of Intellectual Property Law & Pract 494).
