Fact or Fiction? U.S. Government Surveillance in a Post-Snowden World Bret Cohen Hogan Lovells US LLP September 18, 2014
The Snowden effect 2
U.S. cloud perception post-snowden July 2013 survey of non-u.s. Cloud Security Alliance members 66% either cancelled a project with or reported that they were less likely to use U.S.-based cloud providers May 2014 survey of European IT professionals 51% do not trust U.S.-based clouds (13% unsure) 47% believe data is more secure in EU-based clouds 59% do not believe EU governments conduct surveillance to the same extent as the U.S. 3
Bottom-line cost estimates Information Technology & Innovation Foundation: The U.S. cloud computing industry stands to lose $22 to $35 billion over the next three years (Aug. 2013) Forrester Research We think [ITIF s] estimate is too low and could be as high as $180 billion or a 25% hit to overall IT service provider revenues in that same timeframe. (Aug. 2013) 4
Overheard from a non-u.s. provider [The] Service is based and operated by companies in the European Union offering European customers full compliance with EU data protection laws and a safe haven from the reaches of the US Patriot Act. 5
Overheard from a non-u.s. provider EU customers can now benefit from the savings and flexibility enabled by cloud-based database services safe in the knowledge that they will not fall under the jurisdiction of the Patriot Act. Under the Patriot Act data from EU users of US-owned cloud-based services can currently be shared with US law enforcement agencies without the need to tell the user. 6
Overheard from a non-u.s. provider The Americans say that no matter what happens I ll release the data to the government if I m forced to do so, from anywhere in the world. Certain German companies don t want others to access their systems. That s why we re well-positioned if we can say we re a European provider in a European legal sphere and no American can get to them. 7
The Facts: What exactly can the U.S. government do? 8
How can the U.S. obtain customer data? 9
I noticed you didn t mention the Patriot Act. So why do I keep hearing about it? Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 10
What are the concerns of non-u.s. companies? 11
Can a company with U.S. ties guarantee that the U.S. government won t access non-u.s. customer data? 12
So, customer data must be less safe from government access in the U.S., right? 13
A Global Reality All provide authority to compel disclosure of customer data In almost all instances, government can compel remote disclosure Outside of the U.S., most countries permit voluntary disclosure MLATs mitigate issue of foreign access 14
A Sober Look The U.S. imposes at least as much, if not more, due process in national security investigations Other countries protect economic interests Many programs are run by national security establishment, not subject to court review 15
How, then, should companies with U.S. ties respond to concerns from non-u.s. customers? 16
How to respond to concerns Dispel misconceptions about the Patriot Act Compare laws to those outside of the U.S. The U.S. absolutely prohibits voluntary disclosure of data customers store in the cloud Providers outside of the U.S. with U.S. ties can t guarantee that their data won t be accessed, either Most countries permit the same level of surveillance and access, some with greater authority than the U.S. Release a transparency report detailing the number of government requests 17
Questions? Bret Cohen bret.cohen@hoganlovells.com Detailed outline included with handouts www.hldataprotection.com 18
Hogan Lovells has offices in: Alicante Amsterdam Baltimore Beijing Brussels Budapest* Caracas Colorado Springs Denver Dubai Dusseldorf Frankfurt Hamburg Hanoi Ho Chi Minh City Hong Kong Houston Jakarta* Jeddah* Johannesburg London Los Angeles Luxembourg Madrid Miami Milan Moscow Munich New York Northern Virginia Paris Philadelphia Prague Rio de Janeiro Riyadh* Rome San Francisco São Paulo Shanghai Silicon Valley Singapore Tokyo Ulaanbaatar Warsaw Washington DC Zagreb* "Hogan Lovells" or the "firm" is an international legal practice that includes Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses. The word "partner" is used to describe a partner or member of Hogan Lovells International LLP, Hogan Lovells US LLP or any of their affiliated entities or any employee or consultant with equivalent standing. Certain individuals, who are designated as partners, but who are not members of Hogan Lovells International LLP, do not hold qualifications equivalent to members. For more information about Hogan Lovells, the partners and their qualifications, see. Where case studies are included, results achieved do not guarantee similar outcomes for other clients. Attorney Advertising. Hogan Lovells 2014. All rights reserved. *Associated offices