A European Perspective On The USA PATRIOT Act

The USA PATRIOT Act (more commonly known as “the Patriot Act”) was signed into law by George W. Bush on October 26, 2001 as a response to the September 11 attacks. The title of the act (USA PATRIOT) is actually an acronym that stands for “Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism”. Many aspects of the Act were to expire in 2005; however, renewals and extensions mean that the Act is here for a while yet.

For Security & Risk Professionals, the Patriot Act comes up in conversation mostly with regard to data access. The Act suggests that the US government is able to gain access to data held on US soil, or even by a US firm outside US territory, without the data owner being notified; this is of significant concern when it comes to considerations around the adoption of cloud technology. EU-based organizations are concerned that utilizing cloud as part of their infrastructure will make their data accessible to the US government. In 2004, the Canadian government passed laws prohibiting the storage of citizens’ personal data outside their physical boundaries, and a recent news article suggested that one large UK defense contractor walked away from Microsoft’s Office 365 due to lack of assurances on data location.   

Competitors to the US-based cloud vendors are utilizing this concern to leverage marketing by stating that their solutions will “shelter users from the US Patriot Act.” There may be truth here but,, as always, the rabbit hole goes further down than that.

A new version of the EU Data Protection Directive is expected early in 2012, and the proposed reforms may effectively replace the much maligned EU/US Safe Harbor agreement with adequacy statements and agreements which would make it illegal for the US government to utilize the Patriot Act to access data held within the EU by a US-based cloud vendor or data processing company unless it was also approved by the Data Protection Agency of the relevant European country. If these agreements were ignored for any reason, the EU Data Protection Agencies would be able to impose sanctions, which could range up to a maximum of 5 percent of the cloud vendor's annual worldwide turnover; when you look at the leading cloud vendors, this is serious money.

So, will this proposed legislation really change the cloud playing field and remove the specter of the Patriot Act from EU considerations? This analyst thinks not. Data Protection is focused on personal data, and whilst that is undoubtedly valuable to major organizations, it is often their other intellectual property (IP) which is considered the most precious – these proposals don’t really cover that corporate IP treasure trove and, as such, the Patriot Act is likely to remain a topic that casts a shadow across Europe for some time to come.


Just what is the EU definition of Personal data?

It's your last paragraph Andy that is of most interest to me. You're saying that there is a difference between personal data and IP although many people's understanding is that the EU Directive covers all data. For this to be so, then the EU would regard a person's or company's IP, for example, as personal - which, admittedly, wouldn't necessarily be too much of a stretch for them. However, from my (brief) reading it seems to me that the Directive is focussed on a much narrower definition of personal data which does not include IP (my interest). If this is indeed the case, what (and where) is the EU a position on the storage of 'non-personal' data outside the EU? Past the time for me to talk to the lawyers I think!

Personal Data vs Intellectual Property

Hi Kevin, from my perspective, there is a clear difference between "personal data" and intellectual property (IP). The Directive states...

"personal data" shall mean any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

So, IP is not in scope, only data about "identifiable persons". If you are interested in reading more, the law firm Linklaters have a great page going through the topic -


Personal Data vs Intellectual Property

Hi Andy, yes, that's my take on it as well. However, many people I talk to make the assumption that it covers all data. There was a rather lively discussion about this at a conference on mobile security I attended in the last fortnight. And articles like this one -


- could be read as reinforcing that assumption. Despite the fact that this is probably simply about BAE's corporate policy on data and nothing to do with any external legislation.

Thanks for your original article and for sharing the Linklaters document.

Cloud and the Patriot Act

Hi All. I just finished a week of European tour, visiting many of Forrester's large clients in UK, France, and Switzerland. The conversations that I had surrounding cloud deployment and the Patriot Act is very interesting. Apparently some of the European governments have now engineered policies that prohibit public-sector entities from doing business with US-based cloud providers, this policy stands even if the provider uses an EU datacenter. Dutch government is already doing that. Apparently a few others will follow suit.