This one was spurred by something I just saw on the news. The US government is planning to extend the Patriot Act. And here’s the funny bit: it’s been stuck in as part of a jobs bill. It doesn’t matter what party or ideology is in power over there, they want that power.
As I have stated previously, the Patriot Act allows the US government access to data in any US-owned data centre, no matter what country it is in. So lines from Google, Microsoft, Amazon, etc. regarding data centres being in Ireland or the Netherlands are pretty pointless. The Patriot Act will override Safe Harbour so that means you will not be compliant with the EU Patriot Act.
I’m not the only person to highlight this. Far from it:
- IT Business Edge: Patriot Act May Hamper Cloud Computing Adoption
- Network World: The U.S. Patriot Act Has an Impact on Cloud Security
- Computer World: Patriot Act Rains on Cloud Storage Parade
- The Irish Department of Finance Warns Other Departments About Cloud Computing
There’s lots more. Let me remind you, it’s not just the location of the data centre, hosting company and SaaS application. It is also the nationality of the owner. American companies are subject to the Patriot Act no matter where they build their services. Amazon data centres in Ireland must comply with the Patriot Act. Microsoft-owned data centres in the Netherlands must comply with the Patriot Act.
Those online services may be fine for pushing non-sensitive information around, e.g. YouTube style sites. But putting data about European citizens onto them is contravening the Data Protection Act.
And if you think the Patriot Act is bad then you should see what both the Democrats and the Republicans have been working on. The Cybersecurity Act of 2009 gives unbelievable powers to the USA President and uncontrolled access to the Department of Commerce.
“The Secretary of Commerce— shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access…
In other words, the bill would give the Commerce Department absolute, non-emergency access to “all relevant data” without any privacy safeguards like standards or judicial review”.
That means the department that runs business will have free access to business data from foreign businesses. And governments have never done anything untoward with that sort of power before …. France/Bull, and rumours about Russia and China allegedly being involved.
The only truly safe approach is to subscribe to services that are locally owned and locally located. Don’t play dumb. Don’t hope that everything is OK. You are probably liable if you do not perform due diligence. For example, do you want to be sued by your customers because your company subscribed to a SaaS CRM system that is located in a data centre that is not compliant with the EU data protection laws? Forget the protests from that CRM SaaS company. They may be cutting corners but you cannot afford to.
> The only truly safe approach is to subscribe to services that are locally owned and locally located.
Until they are purchased by a US company, and all of a sudden the Patriot Act comes into play. This is a risk that we have tossed around; basically, is the risk worth it? Probably not at this moment in time.
> The only truly safe approach is to subscribe to services that are locally owned and locally located. Until they are purchased by a US company, and all of a sudden the Patriot Act comes into play.
This has happened recently with the purchase of keepITsafe by US company J2 Global – any thoughts?
Strictly speaking, data kept with them is now subject to the Patriot Act.
Aidan, could I ask how that works? I’ve been looking around and the only information I can find when I Google about this act in Ireland is from the Bank of Ireland or yourself. I’ve been reading the data protection act and I’m no wiser. Any help would be appreciated. You can email me directly rather than respond in your blog.
Thank you…….Gordan
PS Your photo of the rite kite is spectacular
Hi Gordon, the topic is not being widely talked about because it doesn’t suit the agenda of many people. Your best bet is a solicitor that specialises in online services. But beware, some admit the problem is there but take the “it’ll never happen to you” argument.