Cloud Computing and the USA Patriot Act (November 2011)

Many cloud computing customers raise concerns about the storage of their data in the cloud, in particular if their data is to be stored in jurisdictions which endow their law enforcement authorities with broad powers to lawfully intercept and possibly also seize data retained by cloud service providers. In this connection, customers particularly fear the USA Patriot Act, which was adopted in reaction to the terrorist attacks of September 11, 2001. But is there really anything to fear?

The USA Patriot Act (an acronym that stands for “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001”) increased the ability of law enforcement agencies to search telephone and e-mail communications, medical, financial, and other records; in this respect, this piece of legislation considerably changed the existing, rather patchy, laws. Yet, despite its rather pompous and formidable name, a closer scrutiny of the Act shows that the law enforcement competencies it grants to US authorities are largely comparable to powers currently available to state authorities in many European countries including the Czech Republic. In the Czech Republic as well as other European countries, the laws authorize relevant state authorities to seize documents and electronic data, tap the wires or intercept electronic communications in certain circumstances, under strictly defined conditions. The following provides an overview of the Czech statutory rules relating to surveillance procedures and their comparison to the USA Patriot Act.

With respect to searches, seizures, wiretapping or lawful intercept of electronic data in the Czech Republic, the Code of Criminal Procedure (Act No. 141/1961 Coll., as amended) grants a wide range of competences to the Police of the Czech Republic, the courts and the Public Prosecutor’s Office. The court may issue a search warrant in order to allow the competent body (usually the Police) to, for example, enter a house, an apartment or business premises. The court can also issue an order to surrender a thing or a seizure warrant (which may apply also to seizure of shares, money stored in cash or deposited in bank accounts or even real estate). If a search and/or seizure warrant is issued by the court, the competent authority can enter the searched premises and seize anything that is covered by the court order. In the case of cloud service providers, this may include servers and data stored thereon.

Often, the law enforcement authorities need not even resort to draconian measures such as the search and seizure warrant. They may enforce compliance by simply requesting that the cloud service provider provide certain data stored in the cloud (i.e. either disclose the identity of the customer or surrender customer data to the Police) under the general obligation to cooperate with the bodies acting in the criminal proceedings upon request of such bodies under Article 8 of the Code of Criminal Procedure.

The Code of Criminal Procedure and the Act on the Police of the Czech Republic (Act No. 273/2008 Coll., as amended, the “Police Act”) also allow the Police and other bodies, namely the Public Prosecutor, to tap the wires as well as intercept electronic data, including e-mail or chat messages and, in the case of a terrorism suspect, to monitor traffic and/or operation data relating to electronic communications. The Electronic Communications Act (Act No. 127/2005 Coll., as amended) correspondingly obliges electronic communications providers to enable the Police of the Czech Republic to connect to the network in order to intercept electronic communications.

Furthermore, the Czech intelligence and security agencies, i.e. the Security Information Service (BIS), the Office for Foreign Relations and Information (ÚZSI), and the Military Intelligence of the Czech Republic (VZČR), are also authorized by specific legislation (Act No. 154/1994 Coll., as amended, on Security Information Service; Act No. 153/1994 Coll., as amended, on Intelligence Services of the Czech Republic; and Act No. 289/2005 Coll., as amended, on Military Intelligence, respectively) to monitor traffic and/or operation data relating to electronic communications, tap the wires and intercept electronic data, under circumstances envisaged by these Acts.

When it comes to the jurisdictional reach of the Czech criminal law, the obligation to comply with the request of the relevant enforcement authorities and provide all required cooperation to them under Article 8 of the Code of Criminal Procedure extends to any legal entity or natural person having its registered office or residing in the Czech Republic or having another connection to the Czech Republic; any such entity or individual may also be subject to the obligations under the Code of Criminal Procedure and the Police Act. In addition, the Czech Police, courts or Public Prosecutor may request any foreign authority to cooperate and to issue a search warrant or another similar order as described above if the entity or person in question is located outside the Czech jurisdiction. Such requests to a foreign state’s authorities are usually submitted by virtue of various mutual legal assistance treaties and EU legislation providing for mutual legal assistance in criminal matters.

Although the USA Patriot Act is viewed by some as controversial and many stakeholders raise concerns about the security and privacy of their data if they were to be subjected to the USA Patriot Act, such fears might seem exaggerated in the light of the fact that the substance and outreach of the Act is hardly new or unique to the USA.

First of all, the USA Patriot Act was not adopted primarily with a view to providing a new vehicle for the U.S. authorities to access user data but rather to unify and strengthen already existing fragmented legislation. The USA Patriot Act did not in any way extend the jurisdictional reach of the U.S. authorities; in compliance with preexisting case law, a company or a person being present or having contacts in the U.S. had been subjected to the U.S. jurisdiction already before the Act was enacted.

Contrary to a common perception, the USA Patriot Act does not allow unlimited or unduly extensive access to data about individuals; any investigation proceedings conducted by law enforcement agencies remain subject to numerous statutory limitations and, above all, must be compliant with the United States Constitution. When the constitutionality of the USA Patriot Act was challenged in the so-called Mayfield case, the appeal court upheld its constitutionality and declared it was not contrary to the Fourth Amendment, which protects the citizens against unreasonable searches and seizures.

In conclusion, the practical implications of the USA Patriot Act may be rather limited for both cloud computing providers and customers as the Act is targeted primarily against terrorism, financing of terrorism and other illegal intelligence activities. It is thus rather likely that the majority of cloud computing customers who entrust their data to a U.S. service provider (or any other provider that might eventually come within the reach of the USA Patriot Act) will never be confronted with the application of the USA Patriot Act. And as was highlighted at the outset, the laws of most European countries, the Czech Republic being no exception, provide their domestic authorities with very similar tools to intercept electronic communications and seize data, whether stored in the cloud or elsewhere. Viewed through this prism, the USA Patriot Act does not bring an altogether exceptional or new threat to cloud computing customers.