Critical.
Authoritative.
Strategic.
Subscribe to CIO Magazine »

Australian-based data subject to Patriot Act: Lawyer

Companies with links to the US may find their data subject to investigation under Patriot Act

Data located in Australia but owned or operated by a US company could be accessed under a Patriot Act request, even if this violates National Privacy Principles, a legal expert has warned.

Connie Carnabuci, a partner of the law firm Freshfields Bruckhaus Deringer, said that under the Act which was passed in 2001, US authorities have the ability to pass orders for the disclosure of non-US data that is stored outside the country. “The basis for that disclosure is that you have to establish a sufficient connection with the US,” she said.

“One is that you have a US company with foreign subsidiaries outside the US, such as a service provider setting up in the Asia Pacific. The second might be that you have a non-US company that sets up a US subsidiary.”

Carnabuci added that while the Act has a regime that allows companies to seek a formal subpoena, there is an “intrusive route” called the National Security Letter (NSL), an informal request for disclosure of information.

The other dynamic is the eagerness of US companies to assist the US government because they want to be seen as good corporate citizens, Carnabuci said. “There is almost overzealousness in their willingness to sacrifice civil liberties in the greater good of national security,” she said.

Carnabuci pointed out that if the IT service provider has a connection to the US, it is essential to undertake a vendor due diligence before signing an agreement. “It may cost you money because if you are served with an NSL to deliver up business information and you don’t want to comply, you would have to go to a court in the US and ask them not to require you to produce the information.”

With the high cost of doing that, it may mean companies may just “give up” the information. “It’s one thing if that is business data but if that includes customer data, can you imagine the impact on the brand equity if this information is given out?”

However, if the Patriot Act was brought into play in Australia, a company may have the option of going to the Australian Federal Court and asking for an exemption.

Carnabuci suggested companies to “consider the security and confidentiality risks posed by the Patriot Act and store their data with providers which do not have any US connections.”

Carnabuci's comments follow the release of a whitepaper release in November last year, The long arm of the USA Patriot Act: tips for Australian businesses selecting data service providers, sponsored by Macquarie Telecom.

In 2010, she warned that hosting data in the US can also make domestic legal and regulatory compliance difficult because it has no national privacy regime that is similar to the Australian National Privacy Principles.

Follow Hamish Barwick on Twitter: @HamishBarwick

Follow Computerworld Australia on Twitter: @ComputerworldAU

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

More about: Macquarie Telecom
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the CIO comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: data centres, data sovereignty, Freshfields Bruckhaus Deringer, macquarie telecom, Patriot Act
Latest Blog Posts
Whitepapers
  • Avaya Deploys the Avaya Desktop Video Device with the Avaya Flare® Experience
    A revolutionary new video collaboration device, the Avaya Desktop Video Device has been making waves in the communications industry ever since Avaya introduced the product in the fall of 2010. Avaya’s own employees have been among the earliest users and have seen first-hand how the product can improve collaboration and make people more efficient and effective. Read more.
    Learn more »
  • Providing effective endpoint management at the lowest total cost
    Endpoints, otherwise known as servers, workstations, laptops, mobile devices, and virtually any other network-connected device, are critical components that enable business to be transacted. Properly implemented, endpoint management ensures continuous compliance with IT policies, regardless of where the machines are located and what type of network they are connected to.
    Learn more »
  • Spear Phishing Attacks - Why they are successful and how to stop them
    There's been a rapid shift from broad, scattershot attacks to advanced target attacks that have had serious consequences for victim organisations. The increased use of spear phishing is directly related to the fact that it works, as traditional security defences simply do not stop these types of attacks. This paper provides a detailed look at how spear phishing is used within advanced attacks and the key capabilities organisations need in order to effectively combat these emerging and evolving threats.
    Learn more »
All whitepapers
rhs_login_lockGet exclusive access to Invitation only events CIO, reports & analysis.
Recent comments