Cloud service providers and users are becoming aware that data or communications held in the cloud may be subject to requests for access by third parties such as a government conducting an investigation, or a party involved in a lawsuit. Requests for access by law enforcement, intelligence and secret services are governed by very complex rules, and predictably, these rules differ from country to country.
A program sponsored by Box and the Cloud Security Alliance, and held in conjunction with the RSA San Francisco 2013 Conference, featured European and North American attorneys specializing in information privacy and information security, in a discussion of the laws that regulate government access to cloud data.
The General Counsel of Box, Peter McGoff, explained in his introductory remarks that cloud service providers (CSPs) receive frequent requests for access to data or communications stored on their servers. Box, a major provider of cloud services, will respond to these requests in a manner that addresses its obligations to comply with the applicable laws and its obligations to the customers affected by the access request, while ensuring that its resources are used efficiently and reasonably and that it otherwise maintains its commitments to its customers.
Francoise Gilbert, Managing Director of the IT Law Group, then presented an overview of the applicable laws in the United States. The Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA) are the primary laws governing these issues, and they are supplemented by other federal laws and a plethora of state laws. ECPA and FISA were enacted in the 1970s and 1980s, and have been amended numerous times, including through the USA PATRIOT Act 2001, and in the case of FISA, most recently through the FISA Amendment Act 2013.
A discussion with attorneys practicing in Canada, the United Kingdom, Switzerland, Italy, France, and Belgium followed. For example, Canada’s Security Intelligence Service Act (Part II) allows designated judges from the Federal Court to issue warrants authorizing the interception of communications and the obtaining of any “information, record, document or thing.” In the United Kingdom, government agencies find their authority in the Regulation of Investigatory Powers Act 2000 (RIPA). Among other things, RIPA allows the interception of communications, the use of communications data, the following of people and the use of covert human intelligence sources.
The program concluded with tips from Peter McGoff. CSPs and other companies that anticipate receiving third-party requests for access to data or communications should have in place a plan for responding to these requests in a manner that is consistent with the terms and conditions of their service, and that takes into account their obligations under the laws of the countries that have jurisdiction over their operations.
The program was the first half of a two-day series of events focused on global data protection issues. On March 1, 2013, Santa Clara University’s Markkula Center for Applied Ethics sponsored “Hot Issues in Global Privacy and Security”, a program featuring attorneys practicing on all continents who provided updates on the privacy, security and data protection laws in their countries, and a panel moderated by Francoise Gilbert, where the chief privacy counsels of McAfee, Symantec and VMware talked about how to drive a global privacy and security program in multinational organizations.