A program sponsored by Box and the Cloud Security Alliance, and held in conjunction with the RSA San Francisco 2013 Conference, featured European and North American attorneys specializing in information privacy and information security, and members of the Lexing Network, in a discussion of the laws that regulate government access to cloud data.
The topic is of great importance to cloud service providers and users, who are increasingly becoming aware that data or communications held in the cloud may be subject to requests for access by third parties such as a government conducting an investigation, or a party in a lawsuit. Requests for access by law enforcement, intelligence and secret services are governed by very complex rules and, predictably, these rules differ from country to country.
As Peter McGoff, the General Counsel of Box, a major provider of cloud services, explained in his introductory remarks, cloud service providers (CSPs) receive frequent requests for access to data or communications stored on their servers. They will respond to these requests in a manner that addresses the CSP’s obligations to comply with the applicable laws and its obligations to the customers affected by the access request, while ensuring that the CSP’s resources are used efficiently and reasonably.
The program followed with an overview of the applicable laws in the United States by Francoise Gilbert, Managing Director of the IT Law Group. The Electronic Communications Privacy Act (ECPA) and the Foreign Intelligence Surveillance Act (FISA) are the primary laws governing these issues, and they are supplemented by other federal laws and a plethora of state laws. ECPA and FISA were enacted in the 1970s and 1980s, and have been amended numerous times, including through the USA PATRIOT Act 2001, and most recently through the FISA Amendment Act 2013.
A discussion with attorneys practicing in Canada, the United Kingdom, Switzerland, Italy, France, and Belgium followed. For example, Canada’s Security Intelligence Service Act (Part II) allows designated judges from the Federal Court to issue warrants authorizing the interception of communications and the obtaining of any “information, record, document or thing.” In the United Kingdom, government agencies find their authority in the Regulation of Investigatory Powers Act 2000 (RIPA). Among other things, RIPA allows the interception of communications, the use of communications data, the following of people, and the use of covert human intelligence sources.
The program concluded with tips from Peter McGoff. CSPs and other companies that anticipate receiving third-party requests for access to data or communications should have in place a plan for responding to these requests in a manner that is consistent with the terms and conditions of their service, and that takes into account their obligations under the laws of the countries that have jurisdiction over their operations.