This one was spurred by something I just saw on the news. The US government is planning to extend the Patriot Act. And here’s the funny bit: it’s been stuck in as part of a jobs bill. It doesn’t matter what party or ideology is in power over there, they want that power.
As I have stated previously, the Patriot Act allows the US government access to data in any US-owned data centre, no matter what country it is in. So lines from Google, Microsoft, Amazon, etc. regarding data centres being in Ireland or the Netherlands are pretty pointless. The Patriot Act will override Safe Harbour, so that means you will not be compliant with EU data protection law.
I’m not the only person to highlight this. Far from it:
- IT Business Edge: Patriot Act May Hamper Cloud Computing Adoption
- Network World: The U.S. Patriot Act Has an Impact on Cloud Security
- Computer World: Patriot Act Rains on Cloud Storage Parade
- The Irish Department of Finance Warns Other Departments About Cloud Computing
There are lots more. Let me remind you, it’s not just the location of the data centre, hosting company and SaaS application. It is also the nationality of the owner. American companies are subject to the Patriot Act no matter where they build their services. Amazon data centres in Ireland must comply with the Patriot Act. Microsoft-owned data centres in the Netherlands must comply with the Patriot Act.
Those online services may be fine for pushing non-sensitive information around, e.g. YouTube-style sites. But putting data about European citizens onto them is contravening the Data Protection Act.
And if you think the Patriot Act is bad, then you should see what both the Democrats and the Republicans have been working on. The Cybersecurity Act of 2009 gives unbelievable powers to the US President and uncontrolled access to the Department of Commerce:
“The Secretary of Commerce— shall have access to all relevant data concerning (critical infrastructure) networks without regard to any provision of law, regulation, rule, or policy restricting such access…
In other words, the bill would give the Commerce Department absolute, non-emergency access to “all relevant data” without any privacy safeguards like standards or judicial review”.
That means the department that runs business will have free access to business data from foreign businesses. And governments have never done anything untoward with that sort of power before… Recall France/Bull, and the rumours about Russia and China allegedly being involved.
The only truly safe approach is to subscribe to services that are locally owned and locally located. Don’t play dumb. Don’t hope that everything is OK. You are probably liable if you do not perform due diligence. For example, do you want to be sued by your customers because your company subscribed to a SaaS CRM system that is located in a data centre that is not compliant with the EU data protection laws? Forget the protests from that CRM SaaS company. They may be cutting corners, but you cannot afford to.