Data located in Australia but owned or operated by a US company could be accessed under a Patriot Act request, even if this violates National Privacy Principles, a legal expert has warned.
Connie Carnabuci, a partner of the law firm Freshfields Bruckhaus Deringer, said that under the Act which was passed in 2001, US authorities have the ability to pass orders for the disclosure of non-US data that is stored outside the country. “The basis for that disclosure is that you have to establish a sufficient connection with the US,” she said.
“One is that you have a US company with foreign subsidiaries outside the US, such as a service provider setting up in the Asia Pacific. The second might be that you have a non-US company that sets up a US subsidiary.”
Carnabuci added that while the Act has a regime that allows companies to seek a formal subpoena, there is an “intrusive route” called the National Security Letter (NSL), an informal request for disclosure of information.
The other dynamic is the eagerness of US companies to assist the US government because they want to be seen as good corporate citizens, Carnabuci said. “There is almost overzealousness in their willingness to sacrifice civil liberties in the greater good of national security,” she said.
Carnabuci pointed out that if the IT service provider has a connection to the US, it is essential to undertake a vendor due diligence before signing an agreement. “It may cost you money because if you are served with an NSL to deliver up business information and you don’t want to comply, you would have to go to a court in the US and ask them not to require you to produce the information.”
With the high cost of doing that, it may mean companies may just “give up” the information. “It’s one thing if that is business data but if that includes customer data, can you imagine the impact on the brand equity if this information is given out?”
However, if the Patriot Act was brought into play in Australia, a company may have the option of going to the Australian Federal Court and asking for an exemption.
Carnabuci suggested companies to “consider the security and confidentiality risks posed by the Patriot Act and store their data with providers which do not have any US connections.”
Carnabuci's comments follow the release of a whitepaper release in November last year, The long arm of the USA Patriot Act: tips for Australian businesses selecting data service providers, sponsored by Macquarie Telecom.
In 2010, she warned that hosting data in the US can also make domestic legal and regulatory compliance difficult because it has no national privacy regime that is similar to the Australian National Privacy Principles.
Follow Hamish Barwick on Twitter: @HamishBarwick
Follow Computerworld Australia on Twitter: @ComputerworldAU