Cloud

If You Deal With A US Cloud Company, The Patriot Act Could Apply

It’s a topic of constant debate amongst potential cloud computing adopters around the world: is my data potentially vulnerable to intrusion by the US government under the auspices of the Patriot Act? According to one prominent Australian lawyer, the answer is indisputably ‘yes’, if only in theory.

Patriot picture from Shutterstock

Adrian Lawrence is a partner at Baker & McKenzie and the co-author of a guide to data sovereignty issues, co-authored by the Cyberspace Law and Policy Centre at UNSW and sponsored by NEXTDC, which was launched in Sydney today. Speaking at the launch, he directly addressed the question of whether the Patriot Act applied if you dealt with a US company, regardless of where the data itself is located:

“Your basic rule of jurisdiction in most countries is that a country will assert jurisdiction over its geographic borders and its subjects, and its subjects will include corporations that are registered in the country and the children corporations. We see that in a number of different areas,” he said, citing anti-bribery laws as a prominent recent example.

“The US Patriot Act is no different, and is not special in that respect. To the extent that an American corporation is involved in the storage of data, whether itself doing it and whether onshore or offshore or through a subsidiary, ultimately the US authorities will at least assert their right to access that data. Physically undertaking that activity may be a different question.”

Vendors often dispute that position. As we reported last month, Microsoft argues that one of the reasons it has data centres outside the US is so customers can be confident their data is subject to local rather than American law.

For businesses which operate with particularly sensitive data, we’ve always advised a case-by-case investigation of the issues. In the words of the classics: better get a lawyer, son.