The USA PATRIOT Act (more commonly known as “the Patriot Act”) was signed into law by George W. Bush on October 26, 2001 as a response to the September 11 attacks. The title of the act (USA PATRIOT) is actually an acronym that stands for “Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism”. Many aspects of the Act were to expire in 2005; however, renewals and extensions mean that the Act is here for a while yet.

For Security & Risk Professionals, the Patriot Act comes up in conversation mostly with regard to data access. The Act suggests that the US government is able to gain access to data held on US soil, or even by a US firm outside US territory, without the data owner being notified; this is of significant concern when it comes to considerations around the adoption of cloud technology. EU-based organizations are concerned that utilizing cloud as part of their infrastructure will make their data accessible to the US government. In 2004, the Canadian government passed laws prohibiting the storage of citizens’ personal data outside their physical boundaries, and a recent news article suggested that one large UK defense contractor walked away from Microsoft’s Office 365 due to lack of assurances on data location.   

Competitors to the US-based cloud vendors are utilizing this concern to leverage marketing by stating that their solutions will “shelter users from the US Patriot Act.” There may be truth here but,, as always, the rabbit hole goes further down than that.

A new version of the EU Data Protection Directive is expected early in 2012, and the proposed reforms may effectively replace the much maligned EU/US Safe Harbor agreement with adequacy statements and agreements which would make it illegal for the US government to utilize the Patriot Act to access data held within the EU by a US-based cloud vendor or data processing company unless it was also approved by the Data Protection Agency of the relevant European country. If these agreements were ignored for any reason, the EU Data Protection Agencies would be able to impose sanctions, which could range up to a maximum of 5 percent of the cloud vendor's annual worldwide turnover; when you look at the leading cloud vendors, this is serious money.

So, will this proposed legislation really change the cloud playing field and remove the specter of the Patriot Act from EU considerations? This analyst thinks not. Data Protection is focused on personal data, and whilst that is undoubtedly valuable to major organizations, it is often their other intellectual property (IP) which is considered the most precious – these proposals don’t really cover that corporate IP treasure trove and, as such, the Patriot Act is likely to remain a topic that casts a shadow across Europe for some time to come.