A program held in conjunction with the RSA San Francisco 2013 Conference and sponsored by the Cloud Security Alliance and Box – a major provider of cloud services – recently featured some of the contributors to the Global Privacy & Security Law treatise, Jean-Francois Henrotte (Philippe & Partners, Belgium), Frederic Forster (Alain Bensoussan Avocats, Paris), Raffaele Zallone (Studio Zallone, Italy) and Francoise Gilbert (IT Law Group, USA). The program presented a discussion of the US and foreign laws that regulate government access to cloud data.
Governments around the world make frequent requests to cloud service providers (CSPs) and other companies in connection with law enforcement or intelligence activities conducted for the protection of national security, counter-terrorism, or criminal investigations such as the prosecution of drug trafficking. The number of these requests and the scope of these investigations can be very extensive. The Google Transparency Report, for example, provides an excellent glimpse at the requests that Google receives from US Government agencies and from other law enforcement and intelligence services on all continents.
When these investigations are launched, CSPs, service providers, or other entities may receive requests for access to data or communications stored on their servers. When responding to these requests, companies usually take into account several elements such as the terms and conditions of their agreement with their customer, their obligations to comply with the applicable laws, and their internal resources – human and technical – available to respond to the request.
Requests for access by law enforcement, intelligence and secret services are governed by very complex rules and, predictably, these rules differ from country to country. Francoise Gilbert provided an overview of the applicable laws in the United States. The Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA) are the primary laws governing these issues; they are supplemented by other federal laws and a plethora of state laws. ECPA and FISA were enacted in the 1970s and 1980s, and have been amended numerous times, including through the USA PATRIOT Act 2001, and most recently through the FISA Amendment Act 2013.
A discussion focusing on the equivalent laws abroad followed. For example, Canada’s Security Intelligence Service Act (Part II) allows designated judges from the Federal Court to issue warrants authorizing the interception of communications and obtainment of any “information, record, document or thing.” In the United Kingdom, government agencies find their authority in the Regulation of Investigatory Powers Act 2000 (RIPA). Among other things, RIPA allows the interception of communications, use of communications data, following people and the use of covert human intelligence sources.
The program concluded with tips from Peter McGoff, General Counsel of Box, a major cloud service provider, which co-sponsored the event. CSPs and other companies that anticipate receiving third-party requests for access to data or communications should have in place a plan for responding to these requests in a manner that is consistent with the terms and conditions of their service, and that takes into account their obligations under the laws of the countries that have jurisdiction over their operations. A video of the program is available online.