The new “hot” term among cutting edge lawyers is “cloud data” compliance. As always, experts often confuse an issue in an attempt to make it impenetrable to clients. It is a sophisticated marketing ploy used by the legal profession (and I apologize in advance on behalf of lawyers everywhere).
While I have little technical expertise (and instead rely on so-called “IT experts”), I have a basic understanding of “cloud computing” and “cloud data.” Computer services are moving to the Internet and away from location-based computers. Companies can access and conduct computer operations on the Internet which, in turn, can be “located” anywhere in the world. This change in electronic data has changed how companies respond to government requests for access to data.
I will attempt to simplify what others may call a very complex set of issues relating to our electronic data environment and responding to government requests for data. In many cases, there may be differences when a government requests data for law enforcement purposes and national security purposes.
Government access to cloud data does not necessarily depend on the location of the data service provider or the provider’s facilities. What do I mean?
United States Law Enforcement Requests for Cloud Data
Assume a cloud service provider and its facilities are located in two separate countries in Europe and Asia, respectively. The United States or foreign company (“customer”) has operations in the United States. A United States law enforcement subpoena to the company for data is enforceable against either company in the United States.
The United States government relies on the fact that the company has facilities inside the United States. This fact gives them a jurisdiction hook to require production of data which may be stored or maintained outside the United States.
Even in those cases where a company has on United States presence, the government can rely on “Mutual Legal Assistance Treaties” (“MLATs”) which it has entered into with countries around the world to gain access to cloud data outside the United States. While the process can be burdensome, law enforcement agencies are familiar with the process and can act fairly quickly.
The lesson from this is very clear — A company cannot escape production of cloud data to the United States government by locating cloud data operations or storage outside the United States.
Foreign Law Enforcement Requests for Cloud Data
In many countries outside the United States, companies produce cloud data in response to informal foreign law enforcement requests. The perception that foreign countries are more vigilant in protecting cloud data from access overseas is not entirely accurate Many cloud data providers respond to informal requests out of a desire to cooperate with law enforcement and avoid potential problems. In most cases, MLATs trump country-specific data privacy laws and restrictions.
Interestingly, United States laws contain greater restrictions on disclosure of data to law enforcement. In the United States, a court order or subpoena is required before a company produces such data. Only in emergency cases can a company produce data in response to a non-legal or informal request for data.
Foreign cloud service providers have “successfully” convinced companies that location of data outside the United States gives companies increased abilities to protect data from government request for information. As a result, companies need to re-examine their operations and consider changes which may be appropriate.