MARCH 2012

GOVERNMENT ACCESS TO INFORMATION IN “THE CLOUD”

Kromann Reumert Publication, March 2012

CONTENTS

1. INTRODUCTION AND EXECUTIVE SUMMARY
2. DANISH LAW ON PUBLIC AUTHORITIES’ AND LAW ENFORCEMENT AGENCIES’ ACCESS TO BUSINESS RECORDS
2.1 Overview of the Danish rules regarding the management, storage and processing of data
2.2 Danish government agencies’ and bodies’ access to business records
2.3 International cooperation regarding access to foreign-based information and evidence
3. U.S. LAW ON PUBLIC AUTHORITIES’ AND LAW ENFORCEMENT AGENCIES’ ACCESS TO 3RD PARTY DATA
3.1 Overview of the USA PATRIOT Act
3.2 U.S. government agencies’ and bodies’ access to business records
4. THE U.S. AND DANISH GOVERNMENTS’ ACCESS TO 3RD PARTY DATA STORED IN “THE CLOUD”
5. CONCLUSION

1. INTRODUCTION AND EXECUTIVE SUMMARY

In Denmark, as well as in the rest of the European Union (hereinafter referred to as the “EU”), the scope and consequences of the USA PATRIOT Act[1] in relation to cloud computing services has been a subject of wide debate in the IT industry.

The key issue up for debate has been the U.S. government agencies’ and bodies’ access to business records and data through the application of the act and U.S. law. In this respect it is worth noting that the U.S. government’s access to 3rd party data is not unique. The Danish government as well as other EU governments are also authorized by law to access such data in connection with the investigation of crimes relating to the national security or terrorism.

This article describes the rules enabling the public authorities’ and law enforcement agencies’ access to 3rd party data under the U.S. and Danish applicable laws and addresses the consequences of these laws in various situations where a Danish company outsources the management, storage and processing of data to a cloud service provider in the U.S. as well as within the EU. Finally, the article points to some of the data protection considerations a company should take into account when entering into an agreement with an external provider of services for the management, storage and processing of the company’s data.

The fact that a company’s data becomes subject to U.S. laws, when the data is transferred to a (cloud) service provider based in the U.S., has raised concerns among regulators and customers about the possibility of the U.S. government getting access to data or even the data falling into the hands of unauthorized third parties.

As a consequence, some European commentators and service providers have suggested that the solution to this problem is to ensure that the storage and processing of any personal data should only be entrusted to EU service providers.

However, an obligation to disclose data for the purpose of an on-going investigation applies to data whether it is stored in a cloud, externally on-premises of a service provider or internally on-premises of the company itself, and the obligation may pertain to records that are held by companies located in the U.S. and even records that are held by companies located outside of the U.S. Such legal obligations may follow from U.S. law or from domestic laws and the countries’ voluntary mutual legal assistance, and for this reason many (cloud) service providers will be affected.

Nevertheless, it should be stressed that the Patriot Act only applies to data relating to terrorism or clandestine intelligence activities, and for this reason it is highly unlikely that the act is of any relevance to most companies, and the investigative tools such as orders for the production of and access to data are still subject to judicial review of the U.S. and Danish courts to protect against mistaken or arbitrary orders. Thus the investigative powers of public authorities and law enforcement agencies are not unlimited. This should at least ensure that there are clear limits to governments’ prerogatives in connection with the access of third party owned data.

In sum, it is the opinion of the authors of this article that the rules should not prevent companies from procuring cloud services for the management, storage and processing of their data. The outsourcing of such services, however, calls for careful consideration and a robust legal framework, including:

• Implementation of sound information management practices concerning the decisions of what data is appropriate for what types of storage sites (internal, external on-premises or cloud services).
• Require the service provider to - in so far as it is reasonable - challenge an order to produce data concerning the company and to, unless prohibited by law, inform the company of such disclosure.
• Information to the company’s clients and customers that data in some situations are governed by U.S. law and that the U.S. government may require the disclosure of data under certain circumstances.

2. DANISH LAW ON PUBLIC AUTHORITIES’ AND LAW ENFORCEMENT AGENCIES’ ACCESS TO BUSINESS RECORDS

2.1 Overview of the Danish rules regarding the management, storage and processing of data

In Denmark, the processing of personal data[2] is governed by the Danish Act on Processing of Personal Data[3] (hereinafter referred to as “Danish Data Protection Act”) which entered into force on 1 July 2000. The act implements the EU Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data[4] (hereinafter referred to as “Data Protection Directive”).

The Danish Data Protection Act applies to the processing of personal data carried out by a data processor[5] on behalf of a data controller[6] who is established in Denmark, and if the data processing activities are carried out within the territory of the European Community.[7]

The rules of the Danish Data Protection Act apply regardless of whether the data is stored and processed on-premises of the data processor or in a cloud provided by the data processor.

One of the main purposes of the Danish Data Protection Act and the Data Protection Directive is to secure a high level of protection for individual citizens’ personal data and to ensure that the risk of such information falling into the hands of unauthorized third parties is mitigated to the extent possible.

As the Danish Data Protection Act does not apply to data which has been transferred to a country outside of the EU or EEA (referred to as “non-European country” or “third country”[8]), the transfer of data to a third country may only take place if the third country in question ensures an adequate level of protection[9]. As far as the U.S. is concerned, the making of the “Safe Harbor” scheme between the EU and the U.S. has entailed that all American companies which adhere to these regulations are considered to be companies located in a third country which ensures adequate levels of protection[10].

These provisions of the Danish Data Protection Act entail that the data controller at all times is required to know the geographic location of the data processor’s data centre to which the data is transferred. However, the transmission of data from a data processor in the EU to a sub-processor in a third country may occur if the data controller grants a clear mandate to the data processor to enter into agreements with sub-processors on behalf of the data controller and in its name and if such agreements are based on the EU Commission’s standard contractual clauses[11][12].

The Danish Data Protection Act includes some exceptions to the main rule restricting the transfer of data to third countries. For example, transfer of data may also take place if the transfer of data is necessary for the prevention, investigation and prosecution of criminal offences and the execution of sentences or the protection of persons charged, witnesses or other persons in criminal proceedings; or is necessary to safeguard public or national security etc.[13]

Moreover, the Data Protection Directive does not apply to the processing of personal data concerning public security, defence, state security and the activities of a Member State in areas of criminal law.[14]

2.2 Danish government agencies’ and bodies’ access to business records

As a consequence of the terrorist attacks around the World and the increased terror threats against Denmark in 2001 and the following years, the Danish parliament[15] enacted two anti-terrorism measures known as “Terrorpakke 1”[16] and “Terrorpakke 2”[17] in 2002 and 2006 respectively. Similar law initiatives have been enacted in other EU member states over the same period of time.

The Danish anti-terrorism measures led to changes in the Danish Administration of Justice Act with the insertion of new provisions regarding the Danish law enforcement agencies’ access to data in connection with criminal investigations.

According to the provisions of the Danish Administration of Justice Act, the Danish law enforcement agencies are permitted to carry out reading of data (on a computer or in a data information system) which is not available to the public if the data reading activities are carried out in connection with an investigation of a crime relating to the national security or terrorism.[18] An order permitting data reading must be obtained from the courts and is subject to judicial review[19], and the issuing of such an order requires proof of probable cause. Furthermore, the law enforcement agencies must show that the reading of data is of significant importance to the investigation.

The law enforcement agencies are required by law to inform the owner of the computer or the data information system of the data reading activities subsequent to the execution thereof. In addition, the law enforcement agencies must inform the user of the computer or data information system which has been the object of data reading activities if that person holds the computer or data information system in its possession.[20]

The obligation to inform the person who is in possession of the computer or data information system does not apply if such information is considered to have an adverse effect on the investigation and the data reading activities are carried out in connection with an investigation of a crime relating to the national security or terrorism.[21]

Furthermore, the courts may - in connection with a criminal case or a civil lawsuit - compel a third party to produce tangible things, including data and business records, which are in the possession of that third party if such data or business records in the reasonable opinion of the court are considered to be of material importance to the outcome of the proceedings.[22]

Accordingly, a person who is the object of a criminal investigation where the reading of data from a computer or data information system is ordered is not necessarily informed thereof. Furthermore, a person or company may be compelled to produce business records or data in its possession if these are considered to be significant evidence in a case or lawsuit.

2.3 International cooperation regarding access to foreign-based information and evidence

Denmark is a party to the Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters[23] (commonly referred to as the “Hague Service Convention”) which enables the bypassing of the diplomatic route by allowing designated authorities in the signatory states to transmit documents for service to each other. In addition, Denmark is also a party to the Convention on the Taking of Evidence Abroad in Civil or Commercial Matters[24] (commonly referred to as the “Hague Evidence Convention”) which sets out formalized procedures for taking of evidence. Both conventions have been ratified by most of the EU member states and the U.S.

For situations between the EU member states, two subsequent regulations[25] have replaced the Hague Conventions; however, these regulations do not apply to Denmark due to its opt-outs to the Maastricht Treaty[26].

Moreover, the aforementioned conventions and regulations only cover civil and commercial matters whereas criminal cases are not covered.

For assistance on taking of evidence in criminal cases, the governments must rely on mutual legal assistance treaties. The EU and the U.S. entered into the Agreement on mutual legal assistance between the European Union and the United States of America in 2003. At this point in time there is no supplementing mutual legal assistance treaty in force between Denmark and the United States. As a consequence, any requests for evidence in criminal cases from the U.S. to Denmark and vice versa must be made in the form of letters rogatory[27] (court-to-court requests).

Such letters of request from a domestic court to a foreign court will imply a judicial review of whether or not the request violates a policy or law in the country where the evidence is to be obtained.

3. U.S. LAW ON PUBLIC AUTHORITIES’ AND LAW ENFORCEMENT AGENCIES’ ACCESS TO 3RD PARTY DATA

3.1 Overview of the USA PATRIOT Act

Following the terrorist attacks upon the United States on September 11th 2001 and in response thereto, the U.S. Congress passed the USA PATRIOT Act (commonly known and referred to as the “Patriot Act”), which was then signed into law by President George W. Bush on October 26th 2001.

The Patriot Act was passed with the purpose of deterring and punishing terrorist acts in the United States and around the World. For this purpose, the Patriot Act enhanced the law enforcement agencies’ investigatory tools and strengthened U.S. measures to prevent, detect and prosecute international money laundering and financing of terrorism.

One of the effects of the Patriot Act is the enhancement of the investigatory tools available to U.S. law enforcement agencies. This objective has been reached by greatly reducing the restrictions in government agencies’ and bodies’ tracking and intercepting of communications for foreign intelligence information gathering purposes. These activities are governed by Title II of the Patriot Act: Surveillance procedures, which contain many of the most controversial provisions of the Patriot Act.

The sections of Title II amend amongst others the Foreign Intelligence Surveillance Act[28] (hereinafter referred to as “FISA”) as well as the Electronic Communications Privacy Act[29].

The Patriot Act is considered to establish extraterritorial jurisdiction since orders issued under the act may be served upon an American citizen, regardless of whether he or she is residing on American soil or abroad.

3.2 U.S. government agencies’ and bodies’ access to business records

The amendments to existing laws, including FISA, have increased the public authorities’ and law enforcement agencies’ access to confidential information in general.

For instance, section 215 of the Patriot Act[30] enables the director of the FBI[31] (or his designee) to apply for an order requiring the production of any tangible things[32], including data and business records, for an investigation undertaken to protect against international terrorism or clandestine intelligence activities.[33]

The effects of section 215 of the Patriot Act, which are of most relevance to this article, are listed below:

Firstly, the requirements for obtaining an order requiring the production of records and other items seem less strict under the Patriot Act. According to the procedures applicable to such orders, a court or judge must issue an order to produce records and other items if the application is submitted in connection with an existing investigation concerning terrorism and clandestine intelligence activities, provided that this investigation is conducted in accordance with guidelines set out by the U.S. Attorney General[34].

The extent of the judicial review was, initially, very limited. With the 2005 amendments to the Patriot Act[35], the requirements for obtaining an order to produce records or other items under section 215 were tightened as the person, who is served with an order, may now challenge the legality of that order by filing a petition with the courts[36].

Secondly, a person or company to whom an order is served is obligated not to disclose to anyone (other than those persons necessary to produce records and other items) that the FBI has sought or obtained records and other items under section 215.

Thirdly, a person or company who, in good faith, produces records and other items under an order pursuant to section 215 will not be liable to any other person for such production of records and other items.

Moreover, it is worth noting that information sought or obtained under section 215 is not limited to the eyes of the FBI as such information may also be made available to others through section 203 of the Patriot Act which authorizes the sharing of such information with any Federal law enforcement, intelligence, protective, immigration, national defence, or national security official, when the matters involve foreign intelligence or counterintelligence criminal investigative information.

Finally, the Patriot Act is as mentioned above extraterritorial in its application. However, extraterritorial jurisdiction is already well-known within other areas of the law[37], e.g. in relation to competition law and the regulation of transnational anti-competitive practices.

These effects of the Patriot Act entail that the U.S. public authorities and law enforcement agencies - provided that all requirements are fulfilled - can subpoena business records from any company subjected to jurisdiction of the relevant courts[38].

This raises the question under which circumstances a company will be subjected to the courts’ jurisdiction.

To begin with, any company that has a presence in the U.S., i.e. companies established within U.S. territory, will be subjected to the courts’ jurisdiction. Furthermore, any company that has “minimum contacts” with the U.S. will be subjected to the jurisdiction of the courts. A company is considered to have “minimum contacts” with the U.S. when it markets its products in the U.S. or if the company otherwise meets the criteria of the “minimum contacts”-test[39].

A company, which is subject to the courts’ jurisdiction, is, moreover, under an obligation to produce foreign business records if such business records are considered to be in the company’s “possession, custody, or control”.[40] The term “possession, custody, or control” is to be understood in a wide sense as the company is not only obligated to produce business records owned by the company; but also to produce foreign business records which the company has control over.

In deciding whether the company has “control” over business records in the possession of a foreign company, the courts in general attach importance to the following circumstances relating to the closeness of the relationship between the two companies[41]:

1. the parent company’s share in the subsidiary/affiliate;
2. whether the companies have linked management structures;
3. the degree of control exercised by the parent company over the management and employees of the subsidiary;
4. the parent company’s connection to the transaction at issue; and
5. whether the foreign parent refusing the production of business records will benefit from litigation.

Accordingly, business records or data need not be in the company’s possession to be discoverable; they need only be in its custody or control.[42] Further, a U.S. company must produce business records in the possession of a foreign parent or affiliate if the court finds that the U.S. company has “the requisite degree of control over the documents”[43].

4. THE U.S. AND DANISH GOVERNMENTS’ ACCESS TO 3RD PARTY DATA STORED IN “THE CLOUD”

As mentioned above, both the Patriot Act and the Danish Administration of Justice Act permit the public authorities and law enforcement agencies to gain access to records and other items, including data stored in a cloud as well as data stored on-premises of the company or an external service provider, if the requirements for obtaining an order for such purposes are met.

The extent to which public authorities and law enforcement agencies can access the company’s business records is of material significance in connection with a company’s outsourcing of the management, storage and processing of data to an external provider of such services. The consequences of the aforementioned provisions are described below in relation to different scenarios of a Danish company’s outsourcing of the management, storage and processing of data and the use of cloud computing services.

SCENARIO 1 - Danish data processor

In the first scenario, the Danish company outsources the processing of data to a domestic data processor. For the purpose of this scenario the data is assumed to remain located in Denmark and the parties have entered into a data processing agreement in accordance with the Danish Data Protection Act.

[Figure, scenario 1: DENMARK: DATA CONTROLLER -> DATA PROCESSOR (data processing agreement; transfer of data).]

In this scenario, the Danish government will be permitted to access the data in connection with a criminal investigation if the requirements for the carrying out of data reading activities in the Danish Administration of Justice Act are met. Furthermore, the U.S. government may obtain evidence and get access to the data by requesting such evidence through a letter rogatory.

SCENARIO 2 - U.S. data processor

In the second scenario, the Danish company outsources the processing of data to a data processor in the U.S. which is on the Safe Harbor list. For the purpose of this scenario the data is assumed to remain located in the U.S., and the parties have entered into a data processing agreement in accordance with the Danish Data Protection Act.

[Figure, scenario 2: DENMARK: DATA CONTROLLER -> U.S.: DATA PROCESSOR (on Safe Harbor list) (data processing agreement; transfer of data).]

In this scenario, the Danish government will be able to access the data concerning the Danish company if the requirements of the Danish Administration of Justice Act are met. Likewise, the U.S. government will be able to access the data if the requirements of the Patriot Act are met, as the data is in the “possession, custody, or control” of an American citizen.

SCENARIO 3 - EU data processor and U.S. parent or subsidiary (to data processor)

In the third scenario, the Danish company outsources the processing of data to a data processor in the EU which is a parent or subsidiary to a U.S. company. The parties have entered into the necessary data processing agreement and, furthermore, the Danish company has granted the data processor a clear mandate to enter into agreements based on the EU Commission’s standard contractual clauses with sub-processors on behalf of the data controller and in its name. The transfer of data has been properly authorized by the Danish Data Protection Agency.

[Figure, scenario 3: DENMARK: DATA CONTROLLER -> DATA PROCESSOR (parent or subsidiary to a U.S. company) (data processing agreement + mandate; transfer of data) -> U.S.: U.S. PARENT OR SUBSIDIARY (of an EU data processor) (transfer of data/access to data; agreement based on the EU Commission’s standard contractual clauses or ownership).]

In this scenario, the Danish government will be able to access the data concerning the Danish company if the requirements of the Danish Administration of Justice Act are met. Likewise, the U.S. government will be able to obtain an order for the U.S. parent or subsidiary of the data processor to produce the data if the requirements of the Patriot Act are met, as the data is in the “possession, custody, or control” of an American citizen.

SCENARIO 4 - EU data processor and U.S. subsidiary/affiliate (to data controller)

In the fourth and last scenario, the Danish company outsources the processing of data to a data processor in the EU, and the parties have entered into the necessary data processing agreement. The Danish company is a parent or subsidiary to a U.S. company.

[Figure, scenario 4: DENMARK: DATA CONTROLLER (parent or subsidiary to a U.S. company) -> DATA PROCESSOR (data processing agreement; transfer of data); U.S.: U.S. PARENT OR SUBSIDIARY (of an EU data controller) (ownership; remote access to group data).]

In this scenario, the Danish government will be able to access the data concerning the Danish company if the requirements of the Danish Administration of Justice Act are met. The U.S. government will also be able to obtain an order for the production of the data if the requirements of the Patriot Act are met, as the Danish company has “minimum contacts” and/or the data is in the “possession, custody, or control” of the U.S. parent or subsidiary, an American citizen.

These scenarios show that the governments’ access to business records and data is determined not only by circumstances relating to the data processor’s place of business and presence in other countries due to business activities or ownership, but also by such circumstances regarding the data controller. The linkages from the data processor or data controller to the U.S. need not be clear or considerable for the U.S. government to be able to obtain an order to have the business records or data of an EU company produced during an investigation concerning terrorism and clandestine intelligence activities.

Finally, it should be stressed that the rules described will apply regardless of whether the data is stored and processed on-premises of the data processor or in a cloud provided by the data processor since the type of storage site does not affect the governments’ possibilities of obtaining orders to have business records or data produced. The U.S. government may also be able to obtain an order to have the business records or data produced even when the data is stored in the EU company’s own data centre if the company is subject to U.S. jurisdiction due to the principle of “minimum contacts”, or the principle of “possession, custody, or control” applies to a U.S. parent or subsidiary of the company.

5. CONCLUSION

The Patriot Act as well as the Danish Administration of Justice Act permit the public authorities and law enforcement agencies to access business records and data if the requirements for obtaining an order for such purposes are met.

These rules should not prevent companies from procuring cloud services for the management, storage and processing of their data, though, as the rules described above apply regardless of the geographic location of the data and regardless of whether the data is stored and processed on-premises of the service provider or in the service provider’s cloud.

Moreover, there is nothing to suggest that the governments have focus on or favour data stored in a cloud when obtaining an order to produce or gain access to data for [...] intelligence activities, and for this reason it is highly unlikely that the act is of any relevance to most companies.

If a company, nevertheless, fears that its data is made more accessible to the public authorities and law enforcement agencies by storing it in a cloud, and the company is not comfortable with this, then the company should simply abstain from placing data in a cloud.

Secondly, the terms and conditions should require of the service provider to - in so far as it is reasonable - challenge an order to produce data concerning the company, and if so compelled, inform the company of such disclosure, unless the service provider is prohibited by law to inform the company hereof. In addition, the service provider should be under an obligation to ensure that the data produced to the government is reduced to an absolute minimum.

NOTES

1 The USA PATRIOT Act, Pub.L. 107-56, 115 Stat. 272. The full title of the act is: Uniting (and) Strengthening America (by) Providing Appropriate Tools Required (to) Intercept (and) Obstruct Terrorism.
2 The term “personal data” means: “any information relating to an identified or identifiable natural person”, cf. the definition in the Danish Act on Processing of Personal Data section 3(1), 1. Accordingly, the act does not apply to the processing of other data, i.e. information relating to an unidentified or unidentifiable natural person or information relating to legal entities.
3 In Danish: Lov nr. 429 af 31. maj 2000 om behandling af personoplysninger (Act No. 429 of 31 May 2000). The act was most recently amended on July 1st 2007.
4 In Danish: Europa-Parlamentet og Rådets direktiv 95/46/EF af 24. oktober 1995 om beskyttelse af fysiske personer i forbindelse med behandling af personoplysninger og om fri udveksling af sådanne oplysninger (Directive 95/46/EC of 24 October 1995).
5 The term “data processor” is used in accordance with the definition in the Danish Data Protection Act section 3(1), 5.
6 The term “data controller” is used in accordance with the definition in the Danish Data Protection Act section 3(1), 4.
7 The Danish Data Protection Act section 4(1).
8 The term “third country” means: “any state which is not a member of the European Community and which has not implemented agreements entered into with the European Community which contain rules corresponding to those laid down in [the Data Protection Directive]”, cf. the definition in the Danish Data Protection Act section 3(1), 9.
9 The Danish Data Protection Act section 27(1).
10 A list of the organizations, who have notified the U.S. Department of Commerce that they adhere to the “safe harbor” framework developed by the U.S. Department of Commerce in coordination with the European Commission, can be found here: http://safeharbor.export.gov/list.aspx.
11 Commission Decision of December 27th 2001 on standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC, (2002/16/EC).
12 The Danish Data Protection Agency’s decision of February 3rd 2011 concerning the processing of personal data in a cloud solution (Odense Municipality’s use of Google Apps).
13 The Danish Data Protection Act sections 27(7) and 27(8).
14 The Data Protection Directive article 3(2).
15 I.e. Folketinget.
16 Lov nr. 378 af 6. juni 2002 om ændring af straffeloven, retsplejeloven, lov om konkurrence- og forbrugerforhold på telemarkedet, våbenloven, udleveringsloven samt lov om udlevering af lovovertrædere til Finland, Island, Norge og Sverige (Act No. 378 of 6 June 2002).
17 Lov nr. 545 af 6. august 2006 om ændring af lov om konkurrence- og forbrugerforhold på telemarkedet, lov om radiofrekvenser og lov om radio- og teleterminaludstyr og elektromagnetiske forhold (Act No. 545 of 6 August 2006).
18 Cf. the Danish Administration of Justice Act section 791 b(1) (inserted through Terrorpakke 1).
19 Cf. the Danish Administration of Justice Act section 791 b(3).
20 Cf. the Danish Administration of Justice Act section 788 and section 791 b(4).
21 Cf. the Danish Administration of Justice Act section 788(4) and section 799(1).
22 Cf. the Danish Administration of Justice Act section 804(1) and section 805.
23 Convention No. 14 of 15 November 1965 on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters. The convention entered into force in 1969. For more information on the parties to the convention please visit: http://www.hcch.net/index_en.php?act=conventions.text&cid=17.
24 Convention No. 20 of 18 March 1970 on the Taking of Evidence Abroad in Civil or Commercial Matters. The convention entered into force in 1972. For more information on the parties to the convention please visit: http://www.hcch.net/index_en.php?act=conventions.text&cid=82.
25 Council Regulation (EC) No. 1348/2000 of 29 May 2000 on the service in the Member States of judicial and extrajudicial documents in civil or commercial matters and Council Regulation (EC) No. 1206/2001 of 28 May 2001 on cooperation between the courts of the Member States in the taking of evidence in civil or commercial matters.
26 The Treaty on European Union (TEU). The treaty was signed in Maastricht on February 7th 1992 and entered into force on November 1st 1993.
27 Letters rogatory are the customary method of obtaining judicial assistance from abroad in the absence of a treaty or executive agreement. Letters rogatory are requests from courts in one country to a court of a foreign country to assist in effecting service of process or taking of evidence if permitted by the laws of the foreign country.
28 The Foreign Intelligence Surveillance Act, Pub.L. 95-511, 92 Stat., signed into law on October 25th 1978.
29 The Electronic Communications Privacy Act, Pub. L. 99-508, 100 Stat., signed into law on October 21st 1986.
30 The title of section 215 is: “Access to records and other items under the Foreign Intelligence Surveillance Act” and it amends Title V of FISA by inserting a new section 501 named: “Access to certain business records for foreign intelligence and international terrorism investigations”.
31 The Federal Bureau of Investigation is a U.S. national security and law enforcement organization with the mission to protect and defend the United States against terrorist and foreign intelligence threats, etc. For more information about the FBI please visit: http://www.fbi.gov/
32 According to the Patriot Act such “tangible things” include “books, records, papers, documents, and other items”. Thus, “tangible things” is not limited to electronically stored records, and hard copies of confidential information may also be covered by an order to produce records and other items to the FBI.
33 For information purposes, the U.S. government only made 96 applications for such orders in 2010. For further information please see the letter from Ronald Weich, assistant attorney general, U.S. Department of Justice, to the Honorable Harry Reid, Majority Leader, U.S. Senate, of April 29th 2011, which can be found here: http://www.fas.org/irp/agency/doj/fisa/2010rept.pdf.
34 The U.S. Attorney General is the head of the Department of Justice and chief law enforcement officer of the Federal Government of the United States. The Attorney General is appointed by the President. For more information about the U.S. Attorney General please visit: http://www.justice.gov/ag/index.html.
35 The USA PATRIOT Improvement and Reauthorization Act, Pub.L. 109-177, 120 Stat. 192, signed into law on March 9th 2006.
36 Please see further amendments to section 501 of FISA in the USA PATRIOT Improvement and Reauthorization Act.
37 See United States v. Aluminum Company of America (Alcoa), 148 F.2d 416 (2d Cir. 1945). The judgement introduced the “effects doctrine” (in Europe referred to as the “implementation test”) which allows for jurisdiction over a foreign company, which has shown anticompetitive conduct, provided that the economic effects of this offender’s conduct are experienced on the domestic market.
38 All applications under section 215 shall be made to i) one of the 11 judges of the court established by section 103(a) of FISA; or ii) a United States Magistrate Judge, who has the power to hear applications and grant orders for the production of tangible things under section 215.
39 An assessment of the criteria of the “minimum contacts”-test will require a fact-intensive inquiry into the business and activities of the company in question. As a main rule, the mere placing of products in the “stream of commerce” is insufficient to establish “minimum contacts” as the company must be seen to avail itself of any of the privileges or benefits of U.S. law, cf. World-Wide Volkswagen Corp. v. Woodson, 444 U.S. 286 (1980).
40 Cf. the Federal Rules of Civil Procedure, rule 34(a).
41 See In re Subpoena Duces Tecum to Ingeteam, Inc., Case No. 11-MISC-36 (E.D. Wis. Aug. 16, 2011).
42 See Cooper Industries, Inc. v. British Aerospace, Inc., 102 F.R.D. 918.
43 See Afros S.P.A. v. Krauss-Maffei Corp., 113 F.R.D. 127, and Flavel v. Svedala Industries, Inc., 1993 WL 580831 (E.D. Wis.).
the purpose of investigations of crimes relating to the national security or terrorism nor are there any indica- Thirdly, if relevant the cloud service provider should tions that the geographic location of the data makes it inform its clients and customers that domestic and more exposed to such governmental access. foreign governments or agencies may get access to data in some situations subject to the law. For these reasons, the authorities’ ability to obtain access to data through the Patriot Act or the Danish Finally, both the cloud service providers and their users Administration of Justice Act should not have any mate- would benefit from a revision of existing laws governing rial impact on the decision to use a cloud solution. data privacy and the processing of personal data in the U.S. as well as in the EU for the purpose of standard- The fact that the company’s data becomes subject to izing the rights and obligations of the parties in such another country’s law does raise some concerns which contractual relationships. can and should be dealt with prior to the procurement of storage and processing services and in connection Thus, a solution to the possible issues between coun- with the drafting of the legal framework for the parties’ tries involved in the transfer of data and the companies’ agreement. concerns in relation to the use of such transfers, be-it through on-premises storage or cloud services, will re- Firstly, the company should, if not already present in quire close cooperation between the U.S. and the EU the organization, practice sound information manage- in the drafting of integral regulations governing data ment when deciding what data is appropriate for what privacy and the processing of personal data. 
types of storage sites, some data may most seemingly be stored internally while other information is adequate for At the moment there have been some political and self- storage at an external service provider either in a data regulating initiatives to settle the issue of differences centre on the premises of that provider or in “the cloud”. between U.S. and EU laws governing data privacy and The companies should bear in mind that the Patriot Act the processing of personal data, but the possible out- only applies to data relating to terrorism or clandestine come thereof is still uncertain. 13 CONTACT If any questions to the article please contact: TORBEN WAAGE, partner Direct: +45 38 77 45 60 Mobile:+45 40 61 08 86 E-mail: [email protected] Nina Petri, advokat Direct: +45 38 77 44 87 Mobile:+45 61 55 21 93 E-mail: [email protected] KROMANN REUMERT C O P E N H A G E N - d E nmark L ondon - E N G L A N D S undkrogsgade 5 4 2 N ew B road S treet DK-2100 COPENHAGEN Ø L ondon E C 2 M 1 J D PHONE +45 70 12 12 11 PHONE +44 207 920 3030 cph @ kromannreumert. com L O N @ kromannreumert. com A A rhus - d E nmark B ru S S E L S - B E L G I U M R å dhuspladsen 3 R ue du L uxembourg 3 D K - 8 0 0 0 A arhus C B - 1 0 0 0 B ru S S E L S P H O N E + 4 5 7 0 1 2 1 2 1 1 PHONE +32 2 501 07 00 arh @ kromannreumert. com bru @ kromannreumert. com Kromann Reumert provides this article as a service and for informational purposes only. It does not constitute legal advice and does not create any form of attorneyclient relationship with our firm. While every effort is made to ensure that the information in this article is accurate, it may contain errors or omissions for which we disclaim any and all liability. Kromann Reumert’s vision is ”We set the standard”. Good is not enough - we want to be the best. We provide value-adding solutions and advice with full involvement and commitment. We get there by focusing on quality, business know-how, spirited teamwork, and credibility. 