The subject of the Patriot Act vs EU data privacy has once again made headlines. CIO.com has just published “The Patriot Act and Your Data: Should You Ask Cloud Providers About Protection?” But, unlike other articles to date, this one opens up new ground by reminding us that even without the Patriot Act, US Law Enforcement Agencies (LEAs) are still able to access personal data residing in the EU, and legally to boot. This is done through MLATs, or Mutual Legal Assistance Treaties, which allow an LEA in country A to request that its counterpart in country B cooperate in providing information on a suspect in country B, whilst at the same time protecting the suspect’s civil rights. For the details of how MLATs work, see the top of page 11, section B, of the excellent white paper by Joel Margolis entitled “Europe v the Patriot Act: Does U.S. Law Enforcement Violate E.U. Civil Rights?”. This white paper also gives convincing examples of how the Patriot Act works in practice.
Now just because MLATs also enable access to personal EU data doesn’t mean they should be compared with the Patriot Act. There is a world of difference between the two. Not only do the LEAs of each country have to agree on the threat before proceeding, they are also responsible for applying their national data privacy laws. So MLATs, unlike the Patriot Act, do not allow one country to breach another’s data privacy laws. (Note in passing that the MLAT process naturally takes much longer than a direct Patriot Act “subpoena”). Finally, it’s fair to conclude that people would understand and accept the idea of MLATs, since it is normal that countries cooperate legally on subjects like crime and national security.
So it would not be right to downplay Patriot Act concerns by invoking the existence of MLATs. This would be akin to defending a hypothetical Police Act that allows unauthorized access to a suspect’s home by saying that it’s not really a problem because the police can already gain such access through a search warrant. The former breaks the law; the latter doesn’t. Similarly, the Patriot Act as it stands today breaches EU law; MLATs don’t.
In conclusion, there probably needs to be a more concerted effort on both sides of the Atlantic to understand where the other side is coming from. In the US, some Americans need to accept that Europeans are not suddenly going to change their data privacy views just because the internet is global (there are historic reasons behind this, as I explained in my post “The Patriot Act and EU data privacy – threats and opportunities“). And in the EU, some Europeans need to reason not just in terms of what is possible under the Patriot Act, but also what is probable or likely, and be reminded that their own countries can also invoke Patriot Act-like access to personal data.
At the end of the day, though, it’s the legal side that will prevail. In other words, as long as the Patriot Act breaches EU data privacy law (both the current version and the revised one, which is now coming out in March), people and companies will naturally do what it takes to avoid breaking the law. And at the time of writing, streamlined MLATs rather than the Patriot Act would seem to be the best way for US LEAs to obtain access to EU personal data without breaking any data privacy laws.