The US Patriot Act: How It May Affect UK Business’ Data

If data privacy and security are major concerns for your business, it may be wise to think twice before deciding where you want your precious resource to be hosted

In the fight against global terrorism, The United States of America has enacted a law that empowers their intelligence agency, the Federal Bureau of Investigation (FBI), to obtain data from European companies that store their data in a US-owned data centre, even if the physical location of the data centres are within the European Union.  Further, the EU-based data centre owner is not allowed to inform their clients that their information has been handed over to the US authorities.

Section 215 of the Act reads:

“SEC.215. ACCESS TO RECORDS AND OTHER ITEMS UNDER THE FOREIGN INTELLIGENCE SURVEILLANCE ACT:

(a)(1) The Director of the Federal Bureau of Investigation or a designee of the Director (whose rank shall be no lower than Assistant Special Agent in Charge) may make an application for an order requiring the production of any tangible things (including books, records, papers, documents, and other items) for an investigation to protect against international terrorism or clandestine intelligence activities.”

If data privacy and security are major concerns for your business, it may be wise to think twice before deciding where you want your precious resource to be hosted. There are a good number of data centres in the UK, some of which are owned by US companies.

UK-owned data centres, on the other hand, are protected by the country’s Data Protection Act (DPA).  It stipulates that a hosting company cannot give data to other parties without the consent of the person or party that the information belongs or relates to.

Of course, there are global treatises in the world that allow countries to cooperate with each other with regards to issues that have global impact. The Mutual Legal Assistance Treaty (MLAT), for example, will allow the US to work with UK official to gain access to data within a UK-owned data centre.  However, it will be harder to be as discreet as the US Patriot Act because of the UK’s DPA. When the MLAT is invoked, the US embassy in the UK will need to inform the UK government why they want to access a data inside a UK-owned data centre, what they want to do with it and how they wanted to do it.  In effect, the data centre will be obliged to inform their clients that their information had been handed to the government.

Frontier Technology’s data centres are owned by a UK registered company.  Data access cannot be provided through the US Patriot Act and is protected by the UK Data Protection Act.