Hogan Lovells today published Pan-American Governmental Access to Data in the Cloud, the fifth installment in a series of White Papers examining government access to data held by Cloud service providers. Examining the right of governments in the United States and Latin America to access data in the Cloud, the White Paper concludes that the physical location of Cloud servers does not significantly affect government access to data stored on those servers, and that it is fundamentally incorrect to assume that the United States government’s access to data in the Cloud is greater than that in the Latin American countries examined.
Cloud adoption and growth in Latin America is expected to increase dramatically over the next few years. This growth has been accompanied by concerns about where and how that information is stored, particularly when hosted in a foreign country, and especially in the United States.
The White Paper, authored by Christopher Wolf and Bret Cohen of Hogan Lovells’ Privacy and Information Management Practice, addresses these concerns by comparing governmental authority to access data in the Cloud in the United States with the authority to access the data in seven Latin American countries: Argentina, Brazil, Chile, Colombia, Mexico, Panama, and Peru. To conduct the analysis, experienced counsel in each jurisdiction provided input on the scope and effect of their respective national laws.
The White Paper also concludes:
- Every single country examined vests authority in the government to require a Cloud service provider to disclose customer data and to intercept data transmitted to or from the servers of Cloud service providers.
- In addition to domestic legal frameworks enabling governmental access to data within a country, Mutual Legal Assistance Treaties and other foreign treaties, which are in effect between and among countries around the world, can provide governments the ability to access data stored in one jurisdiction but needed for lawful purposes in another.
- The laws of only a minority of the countries surveyed purported to preclude law enforcement access to foreign services if accessible within the country. In addition, one commentator has noted, based on discussions with Latin American law enforcement experts, that in practice if a search warrant grants access to a location and, in turn, to the computer terminals there, law enforcement officers will access data regardless of where the data are held.
- In a majority of the Latin American jurisdictions surveyed, there is the real potential of proprietary Cloud customer data being disclosed to governmental authorities voluntarily, without legal process and protections.
- None of the Latin American countries surveyed required notification to customers when a Cloud service provider is compelled to supply customer data to the government, except in Mexico where the disclosure to law enforcement is of personal data being processed on behalf of another organization.
- Colombia does not require prior judicial authorization in a number of law enforcement scenarios, including when the government seeks to search Cloud databases for proprietary (but non-personal) information and when a prosecutor seeks to intercept electronic communications or transfers taking place over a communications network. These scenarios both require prior judicial authorization in the United States.
In providing their analysis, local counsel answered the same questions presented as in A Global Reality: Governmental Access to Data in the Cloud, a 2012 Hogan Lovells White Paper comparing government access in the United States, Australia, Canada, Denmark, France, Germany, Ireland, Japan, Spain, and the United Kingdom. These White Papers therefore can be reviewed in tandem to compare governmental access to Cloud data in the 17 countries examined.
Our series of White Papers on governmental access to Cloud data also includes the following:
- Individual Rights to Challenge Government Access to Data in the Cloud, comparing the ability of citizens and non-citizens to challenge government access to data in the U.S., France, Germany, the UK, and Australia.
- An Analysis of Service Provider Transparency Reports on Government Requests for Data, comparing the number of government access requests to Cloud service providers who have published those numbers; and
- A Sober Look at National Security Access to Data in the Cloud, comparing the mechanisms international governments can use to access sensitive foreign intelligence information.