Speaking to Lawyers Weekly following the release of a whitepaper detailing the effects of the USA’s Patriot Act 2001 on Australian businesses, Hong Kong-based Freshfields Bruckhaus Deringer partner Connie Carnabuci said the power of the US Government to seize sensitive information under the Act has no parallel in Australia and is a growing concern for Australian companies.
The whitepaper, titled The long arm of the USA Patriot Act: tips for Australian businesses selecting data service providers, details how the Act allows US authorities to exercise extraterritorial powers in relation to non-US entities to obtain data if that data has a “sufficient connection” with the US, such as being stored on a server located in the US or being controlled by a US company.
Under the Act, the US Government can order Australian companies, via the distribution of national security letters (NSLs), to surrender data if it falls within the “sufficient connection” test.
The amount of NSLs being sent globally, along with gag orders which prevent companies from discussing them, is growing 30 per cent per year, with 39,000 being sent out in 2003.
While there is yet to be a test case in Australia, it is highly likely that companies issued with an NSL would have to provide the requested data – thus potentially suffering significant brand damage – or take the matter to court.
“US courts have been particularly aggressive in compelling production of non-US data and have required compliance with US subpoenas even where disclosure of the materials violated the laws of the country where the data was located,” reads the whitepaper.
“If a data centre is located in Australia but owned or operated by a US entity, data stored in that centre could be accessed under a Patriot Act request even if such a request would violate Australia’s National Privacy Principles.”
According to Carnabuci, the far reach of the Act has law firms and their clients on notice.
“Data management is a really important issue,” she said. “[Freshfields] quarantines what we can, in terms of trying not to mix up US information with information from Europe or service providers in Europe. All of our service providers are in Germany. We have structured our IT architecture in a manner that we think minimises our risk, but we can’t reduce it to zero.”
Carnabuci was in Sydney to discuss the whitepaper with private practice lawyers, barristers and in-house counsel. Around 30 lawyers attended the roundtable, held in Sydney on Wednesday (25 January).
Heather Tropman, the general counsel of Macquarie Telecom, joined Carnabuci at the roundtable and said those in attendance – including partners from Gilbert + Tobin and Norton Rose – were well aware of the growing importance of safe data management for both themselves and their clients.
“We did have one law firm confess that someone in their IT department had signed up to a server that was located overseas, and when one of the lawyers found out, they had to take action to have the data brought back to Australia,” Tropman told Lawyers Weekly.
“Companies are doing their due diligence and setting procurement guidelines for those sorts of services, and that includes law firms.”
While the Patriot Act was established in 2001 in the wake to the September 11 terrorist attacks, with the aim of assisting the fight against terrorism, Carnabuci and Tropman said the way in which it has been used demonstrates that the US is “overzealous” in its attempts to regulate cyberspace.
Though unrelated to the Patriot Act, Tropman pointed to the recent arrest of Kim Dotcom, the founder of Megaupload, for alleged copyright infringement, as providing an example of how the US is wielding significant power in this space.
“I think the point needs to be made that whilst other jurisdictions have anti-terrorism legislation in place, this sort of activity, with the helicopters landing in New Zealand to go and arrest [Dotcom] … and the way in which the Patriot Act has been enforced by the US, is unparalleled,” she said.
“They are overzealous in their reach.”
Carnabuci added that growing disquiet about the USA’s power in this space means Australia is well positioned to establish itself as a regional data haven. Tropman confirmed that Macquarie Telecom is part of a consortium named OzHub which is working towards establishing an Australian cloud computing centre.