Cloud Computing in Higher Education and Research Institutions and the USA Patriot Act
The legal implications of cloud computing have been the subject of much debate in recent years. In light of ongoing developments relating to the use of cloud services in higher education and research, the debate is also relevant to this sector. Given its key role in the academic community in the Netherlands, the Dutch umbrella organization for ICT-driven innovations in higher education and research (SURF) commissioned this study with a view to gaining a better insight into the existing legal framework. This should enable it to contribute effectively to the decision-making process about the use of cloud services by institutions of higher education and research.2 This use of cloud computing consists of the use a wide array of services, such as email, document sharing, and contacts.
An important question in the debate is whether information security and data confidentiality can continue to be guaranteed in the transition to cloud computing. What will be the implications for privacy, for the protection of personal data and for information security if the data of students, researchers and managers are no longer controlled in their own ICT environments, but end up in an electronic environment offered by a third – possibly foreign – party? Do Dutch and European privacy laws permit the storage of these data by an American provider – the major cloud service providers are
U.S. based companies – outside European territory, where less strict rules apply with respect to the protection of personal data?4 And could a situation arise in which the cloud service provider is required by a foreign government entity to disclose information in the context of criminal investigations or national security? If that is a possibility, how should it and its associated risks be assessed?
This report addresses the last two questions: what are the implications of the transition to cloud computing for access to data by foreign intelligence and law enforcement agencies, and what are the risks involved for institutions of higher education and scientific research in the Netherlands? At this point, the implications of existing U.S. legislation are uncertain and have become the topic of debate, with a particular focus on the implications of the ‘USA Patriot Act’.
This Act, as well as comparable statutory provisions in the United States such as the Foreign Intelligence Surveillance Act, permit authorities in the United States to request data stored on behalf of Dutch cloud service users. As a result, the Patriot Act is frequently referred to in discussions about the cloud, whether in the media, the political arena, among policy-makers in the Netherlands, or elsewhere, such as by higher education and research institutions when negotiating cloud computing contracts. In view of these discussions and the need to properly assess the risks for the privacy of end users and for the information security of the data stored, an understanding of these legal instruments is required. This study seeks to bring clarity to this discussion, in which there is a pressing need for a proper overview of the facts and real risks.
This report addresses the implications of the Patriot Act (USA PATRIOT Act) and the risks it may pose in terms of privacy, information security and confidentiality as a result of the use of cloud services by higher education and research institutions. Given the content of the Patriot Act, it looks into the powers of government (in particular the U.S. government) to access data in the cloud in the context of criminal investigations and national security. This is not the same question as the issue referred to above regarding compliance with European and Dutch law governing personal data protection.
To be able to answer the question whether the information security and privacy of cloud service users will continue to be sufficiently guaranteed, a number of points should be borne in mind. First, we note that the Patriot Act has come to play a symbolic role in the public debate, and that in practice we are dealing with a more complex interplay of legal powers and safeguards provided for in U.S. legislation in connection with access to data for law enforcement and national security purposes.
Given this complexity, a study of the implications of a particular legal instrument such as the Patriot Act should necessarily include a review of all comparable norms in the national legislation concerned. In view of the possible repercussions for the trade interests of the American businesses involved, the European concerns about access to data in the cloud by US authorities have not gone unnoticed. As a result, some of the information provided in this field is somewhat biased because of the strategic importance of dispelling the concerns that have been raised.
A second point is that a study into the implications mentioned above needs to address not only the implications and risks of the specific statutory framework for cloud computing, but also the extent to which these risks vary depending on the type of cloud services and the circumstances under which they are provided. Pertinent questions in this context relate to the existence of jurisdiction and the relevance of the geographical location where the data are stored.
These questions feature prominently in the debate about cloud computing and the Patriot Act.7 Are the privacy and information security risks really smaller in the case of alternatives for services provided by companies such as Google and Microsoft, if, for example, the data are stored on Dutch or European territory? What is the value of contractual guarantees in this respect? To what extent does it matter for the U.S. legal framework whether or not the provider is based in, has an office in or conducts business in the United States? And what are the advantages of a European or strictly Dutch cloud service provider for higher education and research in the Netherlands?
Third, it is important to place the risks for information security and privacy in a broader perspective. Of special importance in this regard is whether disproportionate attention is being paid to the risks arising from the Patriot Act. Other nation states, including the Netherlands, have comparable provisions in place for access to data in the context of law enforcement and national security. And from an information security perspective, other risks and dependencies relating to cloud computing may deserve equal attention. A better insight into these risks and dependencies is needed in order to develop informed cloud computing policies that take the possibility of data retrieval by foreign governments into account.
Structure of this report
In view of the above, this report is divided into three sections, followed by a conclusion and recommendations. The first part (Section 2) describes and explains the Patriot Act and comparable relevant legislation in the United States. It also addresses the constitutional safeguards for privacy and data confidentiality in the United States (Fourth Amendment) and the dynamic character of the existing statutory framework, as shown by recent developments in the area of cyber security legislation. In addition, the section shortly considers the existing statutory framework in the Netherlands governing requests for data from cloud providers, and gives some examples of legislation in other European countries.
The second part (Section 3) discusses the implications for cloud service use from the Netherlands of the American statutory framework governing requests for data from cloud providers in the context of law enforcement and national security. It first assesses the powers available to U.S. authorities to gain access to cloud data of higher education and research institutions both in the context of foreign intelligence and for the purpose of criminal investigations. These powers are then placed in context by briefly comparing them with the statutory framework in Europe and the Netherlands.
How this legal framework works out in practice is then illustrated with the aid of three scenarios. Each of these scenarios concerns the request for access to data from the cloud by government authorities. The scenarios include a discussion of various types of cloud services and their implications for the possibility of requests for access, as well as the possible implications for the legal protection of those concerned.
The third part of this report (Section 4) outlines how institutions of higher education and research in the Netherlands should assess, from a legal point of view, the risks arising from the existing powers granted under U.S. legislation. When answering this question, specific attention is paid to the question of how the issue can be addressed in the existing framework for the protection of data confidentiality.
The research for this report was carried out by the Institute for Information Law (IViR, University of Amsterdam, www.ivir.nl) and commissioned by SURFdirect, the SURF Digital Rights Expertise Community. SURFdirect is part of SURF, the Dutch umbrella organization for ICT-driven innovations in higher education and research. When conducting research commissioned by third parties, IViR adheres to the principle of academic integrity embraced by the Royal Netherlands Academy of Arts and Sciences, KNAW.8 The project was carried out by Dr. J.V.J. van Hoboken, A.M. Arnbak, LL.M. and Prof. Dr. N.A.N.M. van Eijk with the assistance of N.P.H. Kruijsen, LL.M. The research is based on a study of primary legal sources and literature.