The Washington Post recently ran a story suggesting that customer data stored on a cloud service outside the U.S. could be subject to search by the U.S. government under Section 215 of the Patriot Act. We disagree. The U.S. Government cannot compel a U.S. headquartered cloud provider to turn over its customer data that is stored outside the U.S. Here’s why:
Two types of data may be stored on a cloud service: the service provider’s own data and its customers’ data. The U.S. Government may use Section 215 of the Patriot Act in a national security case to access a service provider’s own data (considered “business records”), but only the service provider’s own business records. Section 215 of the Patriot Act is a business records statute and doesn’t empower the government to compel a cloud-service provider to turn over its customers’ data.
If the government can’t use Section 215 to access customer records, what other means of legal process are potentially available? Search warrants are a possibility, but only for data in the U.S. Search warrants cannot be enforced outside the U.S. and nothing in the Patriot Act changes this limitation. (While there has been some debate over whether content can be obtained using a subpoena or other types of orders, with recent case law developments in the U.S., most now agree that the government must get a warrant based on probable cause to obtain any communications content. In any event, subpoenas also cannot be enforced outside the U.S., and enforcement within the U.S. is subject to legal tests that we do not believe the government can meet).
If the U.S. Government wants access to customer data stored outside the U.S., therefore, it must (and it is our understanding that it does) request treaty assistance from in-country law enforcement in the country where the data is stored. Other governments around the world do the same.
In sum, data that customers store with cloud providers outside the U.S. is safe from disclosure under the Patriot Act. The real threat to the U.S. cloud industry comes from a lack of understanding of the way the Patriot Act works and the limits of the U.S. government’s authority to compel access to data stored abroad. Customers should not be misled into believing that their data stored outside the U.S. with U.S.-based cloud providers is accessible to the U.S. Government under the Patriot Act. It is not.