governmentnews.com.au

Australian data vulnerable to US counter-terrorism law

Published on Wed, 01/02/2012, 10:59:01

By Paul Hemsley

Data belonging to an Australian government agency can be subject to the long arm of the USA Patriot Act, according to a whitepaper released by legal firm Freshfields Bruckhaus Deringer and commissioned by Macquarie Telecom.

The whitepaper, titled "The long arm of the Patriot Act: tips for Australian businesses selecting data service providers", said sourcing data services from an Australian subsidiary of a US service provider, or from a local provider who stores data on a server in the US, will mean an agency or company’s data will fall under US jurisdiction.

Whitepaper co-author Connie Carnabuci said the Patriot Act, implemented in 2001 following the September 11th terrorist attacks, gives US authorities the ability to pass orders compelling disclosure of non-US data stored outside of the US.

“The basis for actually compelling that disclosure is that you have to establish what they call a ‘sufficient connection’ with the US,” Ms Carnabuci said.

According to Ms Carnabuci, the US can issue a cross-border subpoena for information using a National Security Letter, an informal request for information disclosure.

“It could cost you money because if you are served up with an NSL to supply data or information and you don’t want to comply, you would actually have to go to court in the US and make an application asking the court not to require you to produce the information,” Ms Carnabuci said.

“The cost of doing that may just mean that you don’t do it and you just give up the information,” she said.

Ms Carnabuci said that risk is one that must be "intelligently informed in the context of due diligence".

The whitepaper said the Department of Defence issued a paper referring to the Defence Signals Directorate (DSD) recommending that Australian agencies refrain from outsourcing information technology services and functions outside of Australia, unless the data is already publicly available.

The paper encouraged agencies to choose either a locally owned vendor or a foreign owned vendor that is located in Australia and stores, processes and manages sensitive data only within Australian borders.

“If the vendor is subpoenaed by a foreign law enforcement agency for access to data belonging to the vendor’s customers, the vendor may be legally prohibited from notifying their customers of the subpoena,” the Department of Defence paper said.

Ovum research director Dr Steve Hodgkinson said concerns regarding the Patriot Act are substantially overstated.

“This is one legal issue that needs to be examined as agencies evaluate the relevance of cloud computing services for their needs,” Dr Hodgkinson said.

Dr Hodgkinson said it may be a relevant cause of concern for some agencies for some categories of data, but the reality for most is that exposure to the Patriot Act would be unlikely to be a ‘showstopper’ in their choice of a cloud or ICT services provider.

According to Dr Hodgkinson, there are several substantial-sized Australian agencies and councils that are mature users of public cloud services from US-based cloud services providers and that do not see this as a material risk.

He said this conclusion came “after thorough risk assessment, privacy impact assessment, audit reviews and in-depth legal opinion”.

“The considerations that agencies need to focus on are the quality of the cloud provider’s offering in terms of its functionality, technical performance, operational reliability, cost, and the investments that the provider is making in iterative service improvement and the specific terms & conditions of the contract.”

Dr Hodgkinson said theoretical exposure to the Patriot Act is usually a minor issue in the broader landscape of these other considerations.

He said these can be mitigated if required by internal process control and information categorization within the agency; specific contractual protections with the cloud services provider; and encryption of data at rest.
