Memorandum

To:        House of Commons Subcommittee on the Treasury

From: Privacy International and the American Civil Liberties Union

Date: February 28, 2008


Main Question

How secure is the personal information of UK citizens in light of the USA
PATRIOT Act and the limited privacy protections of the United States?

I. Summary of Conclusions

       The security of British personal information is generally based on
where it is located and who controls it.

      •    Information in the United States. If British personal information is
           located in the U.S., its disclosure will be governed by U.S. law
           including the USA Patriot Act and several sector specific laws
           including those governing medical and financial information. These
           laws provide substantially less protection than British and European
           laws.

      •    Information under the custody or control of a U.S. party. If British
           information is accessible to an entity within the U.S., even if it is
           held in Britain, U.S. law obligates U.S. actors to disclose this
           information. This access will be governed by U.S. law, which is
           generally permissive.

      •    Information in Britain that is not accessible to a U.S. party.
           Information inaccessible to a U.S. party, or barred from disclosure
           by foreign law, still may be disclosed to U.S. law enforcement.
           Assuming a U.S. court or agency can gain jurisdiction, a five-part
           balancing test determines whether the U.S. entity should be granted
           access to the requested information.

      •    Information in Britain that is not accessible to a U.S. party and
           outside the jurisdiction of any U.S. entity. In this situation a U.S.
           court or agency will not be able to force disclosure of information.
           This does not preclude sharing through other means such as law
           enforcement information sharing agreements or mutual legal
           assistance obligations.

        Considering lessons learned from a number of cases, including the
outsourcing of information to private corporations, the information of
British citizens will be in the hands of U.S. actors and unprotected by British
law. This point is dramatically illustrated by the case of Indymedia, where a
U.S. entity operating in the UK shared personal information with U.S.
authorities.

        Taking into account U.S. and international law, there would seem to
be a number of avenues for protecting personal information, including
reliance on existing national agreements, enacting specific statutes to block
access, limiting disclosure to entities not subject to U.S. jurisdiction and
creating incentives for British corporations to fight disclosure. The best
mechanism may be the enactment of a new, specific, bilateral agreement
that covers all information sharing between the U.S. and Britain.

        Parliament must therefore proceed with great care as it considers
developing new information systems capabilities and using vendors who
have strong links to the U.S.


II. Introduction

         On February 6, 2008 the Treasury Minister Angela Eagle was
reported to have informed the House of Commons Treasury Sub-committee
that the government had received legal assurances that U.S. authorities
could not gain access to UK census data if a U.S. firm was to win the
current bidding process. On the understanding that the British census data
would remain in the UK, the Minister promised: “[w]e have received legal
advice that there is no risk that [a transfer to U.S. intelligence
authorities] would happen”.1

        As experts in international data-flows and anti-terrorism policies
around the world, we have reason to believe that the Minister has been
misinformed about the extent of U.S. surveillance powers, and the weakness
of U.S. privacy law. Without adequate safeguards as this contract bidding
process moves forward, this could leave British census data vulnerable to
abuse. In fact, this could lead to problems with any data-collection system
developed by U.S. contractors, including e-borders, health information, and
identity cards.


1. ‘Census data security fear denied’, BBC Online, February 7, 2008, available at
http://news.bbc.co.uk/1/hi/uk_politics/7231186.stm.
        The concern about the U.S. authorities gaining access to data on
citizens of other countries is not new. For many years Canada conducted
reviews of outsourcing arrangements involving health data being stored in
the U.S.2 Most recently, privacy commissioners across Canada decided in
February 2008 that personal information about Canadian drivers must not be
transferred to the U.S. even as new systems are developed to enhance
identification systems at the U.S. border.3

       At the international level, serious concerns emerged around the
world after it was discovered that the international banking co-operative
SWIFT, though based in Belgium with data operations in Europe and the
U.S., was compelled by the U.S. Government to hand over vast data stores to
the U.S. Treasury for analysis. Other national governments were not
informed of the data transfers despite their citizens and businesses making
extensive use of the international financial network. SWIFT was caught in a
bind: although it was a Europe-based company, it was compelled, because of
its operations in the U.S., to abide by U.S. rules.

       We are therefore surprised that the legal assessments received by
HM Treasury assuage all these concerns. Below we explain the U.S. legal
landscape for access to data held in the U.S. and beyond U.S. borders under
the USA PATRIOT Act (see section II) and other laws (see section III).

        We also point out that this type of problem has previously raised
concerns in the UK Parliament. In 2004 the U.S. government seized servers
from a U.S. company operating these servers in the UK without ever
notifying the UK authorities (see section IV).

        We recommend that Parliament review this legal situation and liaise
with the Information Commissioner to discuss the risks of foreign
governments gaining access to the personal data of British residents and
citizens.




2. Information and Privacy Commissioner for British Columbia, ‘Privacy and the USA
Patriot Act: implications for British Columbia Public Sector Outsourcing’, October 2004,
available at
http://www.oipcbc.org/sector_public/archives/usa_patriot_act/pdfs/report/privacy-final.pdf
3. See ‘Privacy Concerns About Enhanced Driver’s Licences’, Privacy Commissioner of
Canada, February 5, 2008, available at
http://www.privcom.gc.ca/media/nr-c/2008/res_080205_e.asp and ‘Enhanced driver’s
licences concern Canada’s privacy guardians’, Privacy Commissioner of Canada, February
5, 2008, available at http://www.privcom.gc.ca/media/nr-c/2008/nr-c_080205_e.asp, and
‘Privacy czars want condition on new IDs’, Dirk Meissner, Canadian Press, February 6, 2008.
III. U.S. Law on Access to Data

i. What access to information does the USA PATRIOT Act give U.S. law enforcement?

        Section 218 of the USA PATRIOT Act authorizes physical searches
and electronic surveillance under the lesser standard applicable to foreign
intelligence gathering, as long as the search has as a “significant purpose”
the gathering of intelligence information.4 This change allows searches that
are part of criminal investigations to be conducted without meeting the
probable cause standards of the 4th Amendment of the Constitution of the
United States.

        Section 505 expands the government’s power to issue National
Security Letters in any case that is “relevant to an authorized investigation
to protect against international terrorism or clandestine intelligence
activities” or “sought for foreign counter intelligence purposes to protect
against international terrorism or clandestine intelligence activities.”5 These
Letters allow the FBI unilaterally to order the disclosure of certain kinds of
records without judicial oversight.6 Nor is there any limitation on the
number of records that may be released, so that a single Letter could be used
to gain access to entire databases. The Letters also contain an automatic gag
order barring the individuals who comply with the order from disclosing that
the FBI has sought the information.7

         Perhaps the most significant new tool granting government the
ability to access personally identifiable information is Section 215. It gives
law enforcement broad power to seek an order from the Foreign Intelligence
Surveillance Act court to access any tangible things that are “sought for” an
investigation “to obtain foreign intelligence information not concerning a
United States person or to protect against international terrorism or
clandestine intelligence activities.”8

       Section 215 is a powerful tool for law enforcement because of the
broad scope of entities and individuals it affects. The provision can be used
against any person, business or organization to obtain any tangible thing.
This means that hospitals, libraries, bookstores, schools, businesses or any
other entity would have to comply with a lawfully presented order. Further,
the only requirement for issuing an order under Section 215 is that it be
“sought for an investigation to protect against international terrorism or
clandestine intelligence activities.” There is no requirement for
particularized suspicion, so an order can be used to require the release of an
individual’s personal information without any belief that they may have
engaged in wrongdoing. Like National Security Letters, there is no
limitation on the number of records that may be released, so that a single
warrant could be used to gain access to entire databases.9

4. The previous requirement was that intelligence gathering be the primary purpose.
5. Previously the requesting entity had to prove that there were “specific and articulable
facts giving reason to believe that the person or entity to whom the information sought
pertains is a foreign power or an agent of a foreign power”.
6. The Federal Bureau of Investigation used these letters to seize the names and personal
information of approximately 270,000 people who were staying in Las Vegas for the week
between Christmas 2003 and New Year’s Day 2004.
7. The ACLU was recently involved in litigation with the federal government over this
provision and had to enter into extensive negotiation before being allowed to disclose the
existence of the suit. The headline in the Washington Post reporting on the story read
“Patriot Act Suppresses News of Challenge to Patriot Act.”
8. 50 U.S.C. § 1861(a)(1).

ii. What access to sensitive records does U.S. law give U.S. law enforcement?

         In order to illustrate the full scope of the problem with U.S. privacy
laws we will now briefly describe two additional aspects of American law
involving sensitive records – the protections for medical and financial
records. The Patriot Act is only one relevant law. As the following
illustrates, other U.S. law on the privacy of records is equally deficient.

        There is no overarching U.S. law to protect private, personally
identifiable data. Instead what U.S. law does exist is a patchwork of
protections covering specific sectors of the economy. This is referred to as
the “sectoral approach”. With a few exceptions, e.g. the law covering video
rental records, these protections are generally weak and do not begin to offer
the protections contemplated in the fair information principles that underlie
much of the law in the rest of the developed world.

          a. Medical Records

        Regulations created pursuant to the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) created limited privacy protections for
personally identifiable medical information.10 However, these same
regulations contain broad exemptions that grant law enforcement agents the
authority to seize this same information in conjunction with almost any
investigation and without a warrant.11

        The procedural requirements for obtaining medical records are
slight. Law enforcement has a number of mechanisms for seeking records:
pursuant to a warrant or court order (both reviewed by a neutral judge and
requiring probable cause), a grand jury subpoena (typically issued by a
prosecutor in the name of the grand jury), or an administrative subpoena,
summons or civil investigative demand. It is this last category that provides
such broad access to law enforcement because these are all legal instruments
issued without judicial review. The standard for obtaining these records is
that they are: (1) "relevant and material to a legitimate law enforcement
inquiry"; (2) "specific and narrowly drawn as is reasonably practicable"; and
(3) "de-identified information could not reasonably be used."12 There is no
requirement that the subject of the subpoena be given notice of the search
and an opportunity to contest its validity.

9. The sole limitation on this authority is that an investigation of a United States person not
be “conducted solely upon the basis of activities protected by the first amendment to the
Constitution.”
10. 45 C.F.R. 160 & 164.
11. 45 C.F.R. 164.512.

        Even this limited standard does not have to be met in many
situations including (1) law enforcement requests for information to identify
or locate a suspect, fugitive, witness, or missing person, (2) instances where
there has been a crime committed on the premises of the covered entity, and
(3) in a medical emergency in connection with a crime.13 The regulations
also contain a blanket exemption for “[n]ational security and intelligence
activities” and “[p]rotective services for the President and others.” One of
these subsections states that a “covered entity may disclose protected health
information to authorized federal officials for the conduct of lawful
intelligence, counter-intelligence, and other national security activities
authorized by the National Security Act.”14 The other subsection allows
analogous disclosures in order to protect the President, former Presidents,
Presidents-elect, foreign dignitaries and other VIPs.15

        b. Financial Records

        Law enforcement agents have wide-ranging powers to collect
personal financial information. The United States Supreme Court ruled in
United States v. Miller that individuals do not have a “reasonable
expectation of privacy” under the Fourth Amendment in financial records
pertaining to them, but maintained by a bank in the normal course of
business.16 While the general statutory rule is that the government may not
access financial records, it is riddled with exceptions.17 The government
may gain access through consent from the customer, an administrative
subpoena, a search warrant, a judicial subpoena or written request (similar to
a subpoena).18 Subpoenas and written requests can be served only after the
customer has notice and an opportunity to contest the subpoena.19

12. 45 C.F.R. 164.512(f)(2).
13. Id. at 164.512(f). The regulations create different, lesser, standards for release of
information in these cases.
14. 45 C.F.R. 164.512(k)(2).
15. 45 C.F.R. § 164.512(k)(3).
16. 425 U.S. 435 (1976); see also California Bankers Assoc. v. Shultz, 416 U.S. 21 (1974)
(upholding the then limited reporting requirements of the Bank Secrecy Act). The ACLU
was a plaintiff in this case.
17. 12 U.S.C. § 3403.

         Nothing in these provisions prevents banks and other financial
institutions from reporting possible evidence of a crime. In fact, over the
past few decades, banks have been required to systematically report a
variety of customer transactions to the government in compliance with laws
like the Federal Bank Secrecy Act.

        With limited exceptions including the Right to Financial Privacy Act
enacted in 1978 (which created the limited protections discussed above),
Congress has consistently limited rather than expanded financial privacy.20
In 1992 Congress amended the Bank Secrecy Act to authorize the Treasury
Department to adopt the Suspicious Activity Reporting requirements,21
mandating the Treasury Department to report any "suspicious transaction
relevant to a possible violation of law or regulation."22 At the same time,
Congress completely insulated financial institutions from civil liability for
reporting their customers as "suspects" to the government, and barred
financial institutions from telling their customers that their bank had spied
on them by reporting their transactions. Notice is not given when
Suspicious Activity Reports are furnished to law enforcement officials.23

        More recently, the Gramm-Leach-Bliley Act of 1999 required all
financial institutions (companies that offer financial products or services to
individuals, like loans, financial or investment advice, or insurance) to
disclose any nonpublic personal information “for an investigation on a
matter related to public safety”24 or “to comply with Federal, State, or local
laws, rules, and other applicable legal requirements; to comply with a
properly authorized civil, criminal, or regulatory investigation or subpoena
or summons by Federal, State, or local authorities; or to respond to judicial
process or government regulatory authorities having jurisdiction over the
financial institution for examination, compliance, or other purposes as
authorized by law.”25




18. Id.
19. 12 U.S.C. § 3404 through 12 U.S.C. § 3408.
20. 12 U.S.C. § 3401 et seq.
21. The Annunzio-Wylie Anti-Money Laundering Act, Title XV of P.L. 102-550, 106 Stat.
4044, 4059.
22. 31 U.S.C. § 5318(g)(1).
23. 12 U.S.C. § 3412(b).
24. 15 U.S.C. § 6802(e)(5).
25. Id. at § 6802(e)(8).
IV. American Access to British Personal Data

ii. What U.S. law applies to the holders of British personal information when the information is held in the U.S.?

        We now turn to the core question of interest to British residents and
citizens – how great an impact will these laws have on the United States
government’s ability to access their personal information. There is no case
law on this issue in the context of the USA Patriot Act. However, there is
an extensive body of law discussing the general legal doctrine involved in
seeking records held in foreign countries as part of U.S. disputes and
investigations.

        There is no doubt that records held in the United States are in all
cases subject to U.S. law and hence completely accessible to U.S. law
enforcement – regardless of the nationality of the individuals described in
the underlying records. Law enforcement access to records is at least as
broad under the Patriot Act as it would be under the provisions of the Right
to Financial Privacy Act (discussed above). In that context it is clear that
records held in the United States are subject to lawful government
requests.26 For instance, in Botero-Zea the defendant is a Colombian
national contesting the validity of an administrative subpoena of his U.S.-
held bank records by the Drug Enforcement Agency. It is assumed by both
the government and the defendant in this case that the defendant’s
nationality is irrelevant. Neither side raises it as a reason for not disclosing
the requested records. Further, the language of both the Right to Financial
Privacy Act and the Patriot Act refer to records in sweeping terms.27

       Any record held in the United States, including records outsourced to
U.S. companies from Britain, would be subject to the medical, financial and
law enforcement disclosure provisions discussed in this memo. In sum, if
information is outsourced to the United States, it will likely be widely
available, not only to law enforcement, but to other private entities as well.
The UK and its citizens will likely have very little say over how this
information is disseminated.

iii. What U.S. law applies to the holders of British personal information when the information is held in Britain but may be accessible to an entity in the U.S.?



26. Botero-Zea v. U.S., 915 F.Supp. 614 (S.D.N.Y. 1996).
27. The Right to Financial Privacy Act defines "financial record" as “an original of, a copy
of, or information known to have been derived from, any record held by a financial
institution pertaining to a customer's relationship with the financial institution.” Similarly
Section 215 of the Patriot Act requires the production of “any tangible things”.
        Before discussing the substantive law regarding the subpoenaing of
records held in foreign countries, a brief discussion of the question of
jurisdiction is necessary. Records held in a foreign country are obviously
outside of the direct reach of a U.S. court or investigative agency. In order
for the United States government to subpoena foreign records, it must
establish jurisdiction over some entity within the U.S. giving it the power to
enforce any action. In cases involving records relevant to a U.S. action but
held in a foreign country, courts and administrative authorities have
enforced their judgments in a variety of ways including by acting against
U.S. affiliates or agents of the foreign actor,28 by subpoenaing an employee
of the foreign country while he was in the U.S.29 and by relying on explicit
statutory authority30 (these cases are discussed in more detail in the next
section). The general test of jurisdiction is whether a corporation has a
certain minimum level of corporate contact in the U.S.31 If the investigation
is being conducted by the Federal Bureau of Investigation, then once
jurisdiction is established anywhere in the U.S. the broad reach of the
Patriot Act assures that the Act’s record-gathering authority will apply.

        Investigators would also likely rely on claims of extraterritorial
jurisdiction: governments have the power to investigate conduct that
produces harmful effects within their territory.32 This type of jurisdiction is
widely used in anti-trust cases where the anti-trust activities take place
outside of the U.S., but cause harm within the country.33 The harm in this
case could be a terrorist act or possible terrorist attack within the United
States. Finally, the question of jurisdiction over cross-jurisdictional
searches is unsettled.34 From a practical point of view, there is little
preventing a law enforcement officer who has gained a search warrant for a
corporation’s records from searching records that are not held within the
United States.

        Turning to the main question, records held in a foreign country are
not automatically shielded from access by a U.S. court or U.S. law
enforcement.35 Nor is access barred by the fact that the disclosure of the
records in question would be illegal in the country where they are held.36
Instead the court will consider the request for information in two basic
factual contexts. The first context (dealt with in this section) is when the
records sought are held in a foreign country but may be accessible by an
entity in the United States. The second context (next section) is when the
records are not accessible to a party in the U.S.

28. Securities and Exchange Commission v. Banca Della Svizzera Italiana, 92 F.R.D. 111.
29. United States v. Field, 532 F.2d 404 (5th Cir.).
30. Montship Lines, Ltd. v. Federal Maritime Board, 295 F.2d 147 (D.C. Cir. 1961) (shipping
company transacted significant business in the United States and hence was amenable to
jurisdiction).
31. International Shoe Co. v. State of Wash., Office of Unemployment Compensation and
Placement, 326 U.S. 310 (due process requires only that in order to subject a defendant to a
judgment in personam, if he be not present within the territory of the forum, he have certain
minimum contacts with it such that the maintenance of the suit does not offend ‘traditional
notions of fair play and substantial justice’).
32. Strassheim v. Daily, 221 U.S. 280 (1911) (“Acts done outside a jurisdiction, but intended
to produce and producing detrimental effects within it, justify a state in punishing the cause
of the harm as if he had been present at the effect”).
33. See In re Investigations of World Arrangements with Relation to the Production,
Transportation, Refining and Distribution of Petroleum, 13 F.R.D. 280 (D.D.C. 1952).
34. Patricia L. Bellia, CHASING BITS ACROSS BORDERS, 2001 U. Chi. Legal F. 35.

        Cases where foreign records may be accessible to a U.S. entity
typically occur in the context of corporations with foreign affiliates. In
order to determine whether documents can be compelled, the court will
consider the relationship between the corporate parent and affiliate, and
whether the U.S. affiliate has custody or control over the records.37
Specifically, the documents and records that a corporation requires in the
normal course of its business are presumed to be in its control unless the
corporation proves otherwise.38 Any other rule would allow corporations to
improperly evade discovery.39

         In Cooper Indus. Inc. the defendant sold and serviced planes
manufactured by the parent company and the court concluded that the
American affiliate would have to regularly use the records in question (flight
manuals and blueprints) as part of its daily work. A similar test would likely
be applied for personal record information. Would the American affiliate
have access to the records or could they receive them upon request? Would
the affiliate be part of the processing of the records including oversight for
quality control or management? If the answer to any of these questions
were yes, then these records would be accessible to American law
enforcement under a subpoena type power like a National Security Letter or
a warrant under Section 215. In a worst-case scenario, any data that the
American affiliate had access to, even data on servers in the UK with no
connection to the United States, could be released to law enforcement
because of a desire on behalf of the affiliate to fully comply with the
government request.

iv. What U.S. law applies to the holders of British personal information when the information is held in the UK and not accessible by an entity in the U.S.?

        Having discussed the legal test for situations when a U.S. actor has
access to the requested records, the next logical question is: what is the test
for situations when no U.S. actor has such access but a U.S. court or agency
may still have jurisdiction? This situation usually arises because the records
are in a foreign country and a U.S. actor either does not have access to them
or is barred from disclosing the records under the laws of another
jurisdiction. These types of cases frequently arise as part of a civil or
criminal investigation when U.S. courts or investigators seek access to bank
records held in a foreign country and those records are subject to that
country’s bank secrecy laws. For example, both the 5th and 11th Circuits
have ordered the release of bank records held in the Cayman Islands and the
Bahamas as part of a criminal grand jury investigation.40

35. Cooper Indus., Inc. v. British Aerospace, Inc., 102 F.R.D. 918, 920 (S.D.N.Y. 1984).
36. Banca Della Svizzera Italiana, at 115.
37. Cooper Indus., Inc., 102 F.R.D. 918 at 920; Hunter Douglas, Inc. v. Comfortex Corp.,
1999 WL 14007 (S.D.N.Y. 1999).
38. Cooper Indus., Inc., 102 F.R.D. 918 at 920.
39. Id.

        As noted in the previous section, U.S. courts and other entities can
secure this disclosure even against entities that are not within the U.S. For
example in Banca Della Svizzera Italiana the Securities and Exchange
Commission gained jurisdiction to pursue an insider trading investigation
against a plaintiff through a subsidiary operating in the U.S., even though
the records in question were in Switzerland.41 In another instance an
employee of a foreign bank was subpoenaed by a grand jury as part of a tax
investigation while he was in the U.S.42 The employee was forced to testify
in spite of the fact that his testimony exposed him to criminal liability in the
Cayman Islands. Finally, the D.C. Court of Appeals gained jurisdiction over
the foreign actions of a shipping company because the company conducted
significant business in the United States and the court had a specific grant of
jurisdiction under the Shipping Act of 1916.43 This type of extra-territorial
jurisdiction gives U.S. courts the authority to act against entities that are not
in the U.S. as long as they are engaging in behavior that has an impact
within the United States. In sum, the power of U.S. courts and law
enforcement agencies does not stop at the territorial borders of the United
States.

        When a court or agency is confronted with a statute that blocks
access to records, or when the records in question are otherwise inaccessible
to any entity in the U.S., the seeking entity will employ the following
balancing test:

     [A] court or agency in the United States should take into account the
     importance to the investigation or litigation of the documents or
     other information requested; the degree of specificity of the request;
     whether the information originated in the United States; the
     availability of alternative means of securing the information; and the
     extent to which noncompliance with the request would undermine
     important interests of the United States, or compliance with the
     request would undermine important interests of the state [or country]
     where the information is located.44

40. See Field at 404; United States v. Bank of Nova Scotia I, 691 F.2d 1384 (11th Cir. 1982).
41. Banca Della Svizzera Italiana at 112.
42. Field at 405.
43. Montship Lines, Ltd. at 147.

This balancing test is constructed to allow the court (or agency, if it is
seeking information under an administrative subpoena) to balance its own
need for the information with the needs and values of the country protecting
the information. While it is difficult to make conclusive judgments on how
the court would treat a records request absent specific facts, the language of
this standard and court decisions give some general guidance.45

        The most important portion of the balancing test is the weighing of
the interests of the two states involved.46 Courts have tended to be
extremely deferential in cases where the state interest is a criminal
prosecution.47 Because requests involving the Patriot Act apply not only to
criminal acts but to terrorism (a crime that all nations have an important
interest in resolving and that tends to be international in scope), it is likely
that a U.S. court would give significant weight to this interest. Courts have
also recognized that other nations have a legitimate and important
privacy interest in their citizens’ personal information,48 but have tended to
be skeptical of secrecy laws (generally in the context of bank records) when
they interfere with criminal investigations or strong state interests.49

        Another relevant factor is the requirement that records requests be
specific. While several of the Patriot Act provisions allow for broad records
requests, the dictates of this test would tend to argue against granting such
requests. Courts have struck down sweeping demands for information that
could not meet the test of being "reasonably relevant" to an actual,
authorized investigation.50 Similarly the courts have denied requests when
the information in question seemed to be of minimal importance to the
investigation, available elsewhere or of non-U.S. origin.51

        As a practical matter, cases brought by the government (especially
those involving violations of criminal law) have tended to favor the
disclosure of records because courts accord them great weight under the
“significant government interest” prong of the test. While it is difficult to
predict the access that U.S. courts will grant to foreign records, it is likely
that if the U.S. government claims that its interest lies in preventing terrorist
activity and it attempts to limit the amount of the request, a court will find
that it has satisfied the prongs of the balancing test and should be granted
the records it seeks.

44 Volkswagen, A.G. v. Valdez, 909 S.W.2d 900, 901, 902 (citing the Restatement (Third)
of Foreign Relations Law §442(c)1).
45 The law on blocking statutes encompasses cases involving both private litigation and
actions by the government.
46 Field at 407.
47 Field at 404; Bank of Nova Scotia I at 1384.
48 Volkswagen, at 900 (information request violated German data privacy law).
49 United States v. Vetco Inc., 691 F.2d 1281 (9th Cir.) (collecting taxes and prosecuting tax
fraud outweighs Switzerland’s interest in preserving business secrets).
50 See Montship Lines at 154-55.
51 See Volkswagen at 900.

     v. What U.S. law applies to the holders of British personal
     information when the information is held by a company or entity
     without contacts in the U.S.?

        When foreign records are sought from a company or entity that has
no contacts in the United States, a U.S. court clearly has no jurisdiction and
no enforcement power stemming from that jurisdiction. This situation
precludes a U.S. court from ordering the disclosure of the records.
However, it should be noted that government actors have powers beyond
those conferred by the judiciary. Non-judicial enforcement measures can
include prohibitions on asset transfer, suspension or denial of a permit to
engage in a particular business activity, and removal from a list of entities
eligible to bid on government contracts. U.S. actors could also gain access
through more informal means such as information sharing agreements
between law enforcement agencies. Presumably the U.S. government could
employ measures of this type if they were deemed necessary.


        V. The Indymedia case

        On October 7, 2004 over 20 websites administered by the
Independent Media Center, or Indymedia,52 were taken offline when two of
its servers were seized.53

      Indymedia had established a contractual relationship with Rackspace
Managed Hosting, a San Antonio-based Internet hosting company. The
servers were physically located in Rackspace’s office in London. On
October 7, 2004 Rackspace informed Indymedia that Rackspace had
received a U.S. ‘commissioner's subpoena’ from a 'requesting agency'.
Though Rackspace refused to provide a copy of the subpoena on advice of
counsel, on October 8 Rackspace released a statement.


52
   'Indymedia' (IMC) describes itself as “a network of individuals, independent and
alternative media activists and organisations, offering grassroots, non-corporate, non-
commercial coverage of important social and political issues.” See
http://www.indymedia.org.uk/en/static/about_us.html
53
53 This was a result of the seizing of two servers, named 'Ahimsa1' and 'Ahimsa2', that
served content of a number of media 'collectives' serving Ambazonia, Uruguay, Andorra,
Poland, Western Massachusetts, Nice, Nantes, Lille, Marseille (all France), Euskal Herria
(Basque Country), Liege, East and West Vlaanderen, Antwerpen (all Belgium), Belgrade,
Portugal, Prague, Galiza, Italy, Brazil, UK, part of the Germany site, and the global
Indymedia Radio site.

      “In the present matter regarding Indymedia, Rackspace
      Managed Hosting, a U.S. based company with offices in
      London, is acting in compliance with a court order pursuant to a
      Mutual Legal Assistance Treaty (MLAT), which establishes
      procedures for countries to assist each other in investigations
      such as international terrorism, kidnapping and money
      laundering. Rackspace responded to a Commissioner’s
      subpoena, duly issued under Title 28, United States Code,
      Section 1782 in an investigation that did not arise in the United
      States. Rackspace is acting as a good corporate citizen and is
      cooperating with international law enforcement authorities. The
      court prohibits Rackspace from commenting further on this
      matter.”54

A 'commissioner's subpoena' under Title 28 USC section 1782 enables a
court to authorise an individual, usually an assistant U.S. attorney, to issue
subpoenas in order to assist foreign and international tribunals.

        According to reports from AFP, an FBI spokesperson stated that the
subpoena was “on behalf of a third country”, but the FBI spokesperson later
said that the FBI was not involved. Indymedia and the associated news coverage
spent the next few days trying to find out who that 'third country' was. On
October 12 a Swiss federal prosecutor admitted that while he was
investigating a case involving Indymedia, he had not asked for a seizure.
There were some reports that the Italians were seeking the servers, but there
was no explanation as to why.

      The greatest confusion arose when it became a political issue in the
UK. On a number of occasions MPs asked the Government in Parliament
what had happened. When asked which UK law enforcement agency was
involved in the seizure that had after all taken place in London, the Home
Office Minister responded on October 18:

      “I can confirm that no UK law enforcement agencies were
      involved in the matter referred to in the question posed by the
      hon. Member for Sheffield, Hallam.”55

On October 27 the Government was asked which foreign governments had
requested the seizure of the servers. The Government responded that no one
had asked for anything, and on November 2 it was confirmed that not
even the Americans had made representations in the case. In a letter in
response to a question from one MP, however, a Home Office Minister stated that:

      “Unfortunately, I am not in a position to comment on this
      particular matter, but I can provide general information. It is
      standard Home Office policy neither to confirm nor deny the
      existence or receipt of a mutual legal assistance request.
      However, where the UK has received a valid request, we will
      seek to execute it within the framework of our domestic law.
      This will include being provided with sufficient evidence to
      justify the actions sought.”56

54 October 9, 2004, audio available at
http://houston.indymedia.org/news/2004/10/33604.php
55 Hansard, October 20, 2004.

        The Home Secretary himself admitted on the 28th of October that
the Home Office had not even received a prior notification of the seizure. In
a letter in response to a Parliamentary question, the Home Secretary stated
that:

      “While I cannot comment in detail on the reasons behind the US
      action I hope that I can clarify the situation for him. Rackspace,
      which is based in the USA, sought to comply with a US court
      order simply by ordering their United Kingdom subsidiary to
      access the servers, which they duly did. There was no UK
      involvement in this process.

      I am confident that any action taken by the US authorities in this
      case would be in accordance with US law. I also understand
      from the Indymedia website that their hardware has now been
      returned. In the circumstances, I do not believe it is appropriate
      for an investigation to take place.”57

The fact that the British authorities were not involved in a seizure on British
territory was quite surprising to everyone involved.

        Eventually it was discovered that an Italian prosecutor in Bologna
had requested server-log information through a mutual legal assistance
treaty with the U.S., but did not seek the seizure of the servers themselves.
It was only when legal action was pursued in the U.S. by the Electronic
Frontier Foundation (EFF), a U.S.-based non-governmental organization,
that the situation became clearer. In its motion, EFF argued that Indymedia
and the general public were left with no knowledge of the reasons or nature
of the seizure.

      “Citing a gag order, Rackspace has not revealed the contents of
      the seizure order, the requesting agency, or even confirmed the
      identity of the court that issued it. Apparently requested by an
      unidentified foreign government, the secret order was served to
      San Antonio-based Rackspace Managed Hosting, which hosts
      IndyMedia's servers.”58

56 Letter from Caroline Flint to Glenda Jackson MP, available at
http://www.indymedia.org.uk/en/2004/11/300405.html.
57 Letter from David Blunkett to Michael Howard, November 8, 2004, available at
http://www.indymedia.org.uk/en/2004/11/301362.html.

The U.S. government fought to keep information about the seizure sealed.
First, the Government argued that neither EFF nor Indymedia has standing
to make the request:

       “The parties to the instant action are the requesting foreign
       country, the United States government, and the party on whom
       the subpoena was served, Rackspace”.59

The Government also relied on Article 8 of the treaty between the U.S. and
the 'requesting country', entitled “protecting confidentiality and restricting
use of evidence and information”, which states:

       “2. If deemed necessary, the Requesting State may request that
       the application for assistance, the contents of the request and its
       supporting documents, and the granting of such assistance be
       kept confidential”. [italics ours]

The U.S. Government stated that since such a request had been made to the
U.S., the unsealing of the documents would violate the treaty, and under
Article VI of the Constitution, treaties shall be the supreme law of the land
to which judges of every state shall be bound. Finally the Government
argued that the documents “pertained to an on-going criminal terrorism
investigation” and the unsealing would “seriously jeopardize the
investigation”. “The non-disclosure is necessitated by a compelling
government interest.”

        On the issue of whether there is a compelling need due to the 'on-
going criminal terrorist' investigation, the EFF argued that despite the
reference to terrorism, the Government failed to assert a national security
interest in non-disclosure. In any event, EFF notes, it is well established
that “important First Amendment values” cannot be overcome by “a mere
assertion of ‘national security’.” The EFF also pointed out that, as it became
clearer that the request was for assistance in an Italian criminal matter, that
the order was unrelated to any federal investigation, and that even Italy had
spoken about the case to the media (the prosecutor was quoted as saying
that she sought the logs while investigating a specific case involving
Romano Prodi, the then-President of the European Commission), EFF
concluded that the Government's argument was falling apart. Confidentiality
was therefore unnecessary.

58 EFF, Press Release: EFF Challenges Secret Court Order: Motion Demands Information
About the Seizure of Indymedia's Servers,
http://www.eff.org/news/archives/2004_10.php#002029.
59 Don J. Calvert, Assistant United States Attorney, to the United States District Court for the
Western District of Texas, San Antonio Division, In re Commissioner's Subpoena to
Rackspace Managed Hosting, Government's Response to Motion to Unseal, available at
http://www.eff.org/Censorship/Indymedia/20041109_indymedia_govt_response.pdf.

        On July 20, 2005 the court granted the EFF's motion and ordered
most of the documents to be unsealed but with redaction.60 The
documentation was released on August 1, 2005, eight months after the
servers had been seized.61

       Only once the court case concluded could we identify what had gone
wrong. The original Commissioner's subpoena to Rackspace from the U.S.
Government demanded only “log files in relation to the creation and
updating of the web spaces corresponding to” particular URLs.62 Rackspace
reported that it had received a federal order to provide hardware, but the
court documents are conflicting on this matter.

      Rackspace is left in the situation where it is complying with U.S. law
and yet possibly breaking UK law, and this is entirely legal because
Rackspace, a U.S. company, elected to do business in the UK.

     VI.     Conclusion

        In this memo we have simply endeavored to explain U.S. law on
access to personal data. This conclusion builds on those legal opinions and
offers suggestions for ameliorating the impact of U.S. law on British citizens.

       One option that remains open for consideration would be the
enactment of a specific blocking statute that bars any disclosure of private
information to U.S. law enforcement. In The Long Arm of the USA Patriot
Act: A Threat to Canadian Privacy,63 Professor Michael Geist and Milana
Homsi engage in a useful discussion of blocking statutes generally and
suggest that a statute of this type may have some utility in protecting private
information from disclosure. While this is obviously an internal decision
that must be made by the British government and its citizens, even so, most
of the benefit of blocking statutes in the context of the Patriot Act or other
law enforcement requests would be illusory. As noted in section IV,
subsection iii of this memo, courts utilize a five part balancing test to weigh
the effect of blocking statutes, and the interests of each nation are one of the
most important prongs. Case law makes clear that when the national interest
is law enforcement, these interests almost always outweigh another
country’s desire to maintain the privacy of its records.64 Further, the
government interest that is likely to be invoked in a Patriot Act context,
national security, is arguably even more important than a criminal
investigation because it involves broader security issues than those involved
in the apprehension of an individual criminal. Finally, blocking statutes do
nothing to limit the actions of an actor in the U.S. who may never enter the
UK or become subject to its jurisdiction.

60 United States District Court for the Western District of Texas, San Antonio Division, In
re: Request from Requesting State Pursuant to the Treaty Between the United States of
America and the Requesting State on Mutual Assistance in Criminal Matters in the Matter
of Romano Prodi, Order Granting in Part Motion to Unseal, Orlando L. Garcia, US District
Judge, July 20, 2005, http://www.eff.org/Censorship/Indymedia/order_unsealing.pdf
61 The request came from the Minister of Grace and Justice of the Italian Government in
connection with an investigation by the Bologna Public Prosecutor's office (BPP), asking for
assistance in obtaining records of log files relating to the creation and updating of the
webspaces of specific URLs during the period of the events of the case. The case involved a
number of attacks on European officials using explosives in delivery packages.
62 Commissioner's Subpoena, United States District Court, Western District of Texas, to
Rackspace Managed Hosting, August 13, 2004, available at
http://www.eff.org/Censorship/Indymedia/commissioners_subpoena.pdf
63 Submitted as part of the request for comment on the scope of the USA Patriot Act.

        Another solution would be to bar the sharing of personal information
with corporations that are subject to U.S. jurisdiction. However, this
measure could be viewed as creating an obstacle to trade and services under
the rules of the World Trade Organization (WTO). This determination could
trigger the dispute resolution mechanisms under both of these agreements.
This type of rule would also be grossly impractical. The nature of the ties
between the United States and the UK make it likely that most or all
corporations in the UK have the level of contact with the U.S. that is
necessary to trigger jurisdiction.

        A further option would be for the government to maintain internal
control over personal information, thereby retaining control over it through
the status of the UK as a sovereign nation and hence immune from suit.
Whether the UK chooses to avail itself of this power is an internal matter.
But, of course, it also does nothing to protect the privacy of information held
by non-government actors.

        Each of these options has significant costs and seems likely to lead
to an ad hoc sharing of information based on the individual facts of each
situation. Instead, the best option seems to be the creation of a single
bilateral agreement to control the sharing of personal information between
the two nations. The UK Government has demonstrated the priority it places on
protecting the privacy rights of its citizens. This protection should extend
beyond the border with an agreement that creates unified, systematic
protections.

         A bilateral agreement could recognize the heightened level of
protection that the British people expect for their personal data and require
that information on UK citizens be handled by a separate process with
higher privacy protections. The process created under this agreement could
mirror the protections granted under European law and the current balancing
test for the subpoena of foreign records. Personal information could be
released only after a neutral magistrate has determined that there is probable
cause to believe the records have specific, demonstrated links to terrorism and
after other alternatives have been exhausted. Records should not implicate
the privacy rights of uninvolved third parties, should only be used for a
specific purpose, and should not be retained any longer than necessary to
achieve that purpose. Further, once information is no longer useful, notice
should be given to the individual in question, describing the nature and use
of the information, and he or she should have an opportunity to contest the
validity and legality of this use.

64 United States v. Field at 404; Bank of Nova Scotia I, at 1384; Vetco Inc, at 1281.



