UK public data under threat from US Patriot Act

The USA’s controversial Patriot Act has just got, well, a lot more controversial. A recent study by The University of Amsterdam says US government agencies can secretly request US-based cloud storage companies to hand over data they have on foreign citizens. 


Now this is very interesting for Brits, as the UK government recently launched the latest iteration of its Go-Cloud portal, which is designed to speed up and facilitate the adoption of cloud services throughout government institutions. Go-Cloud’s ‘Cloud Store’ lists all the government-approved vendors who offer SaaS and cloud storage to everyone from local councils to the Ministry of Defence. You can head over here and check it out for yourself.

After a quick search I managed to find a few US-based companies offering cloud storage solutions to UK institutions. These included big names such as Verizon and Dell, as well as lesser-known US companies with UK branches, such as SunGard Availability Services. Both Amazon and Google will be included as service providers in the next phase of Go-Cloud, although interestingly they were denied entry into the programme last month.

It’s also worth mentioning this press release, which details how Stratford-on-Avon council has archived over 12 million emails with US company Metalogix, and that US start-up CipherCloud is currently working with an unnamed central government department. Perhaps more worrying is PayPal’s role delivering a “secure online identity registration service” for the Department of Work and Pensions…

Real threat

The University of Amsterdam study says this information request can be made even if the service provider is a subsidiary of a US company. As TechDirt points out, the revelation has caused a big stir in The Netherlands, where the Dutch Electronic Patient Database is implemented next month. The EPD database is run by a US-based company called CSC, causing Dutch citizens to worry over whether US agencies can now access their medical records.

The Dutch government and CSC are convinced there isn’t a problem, telling activists there are stringent data protection laws that guard patient data. But the researchers say that the threat is genuine and has global ramifications. Here’s a quote from the paper, summarised by TechDirt.

“When using a cloud service provider that is subject to U.S. jurisdiction, data may be requested directly from the company in question in the United States. […] From a legal point of view, access to such information cannot be denied and cloud service providers can give no guarantees in this respect. […] The possibility that foreign governments request information is a risk that cannot be eliminated by contractual guarantees. Nor do Dutch privacy laws offer any safeguards in this respect. […] It is a persistent misconception that U.S. jurisdiction does not apply if the data government requests for information do not apply to Dutch users of the cloud. […] legal protection under specific U.S. laws applies primarily to U.S. citizens and residents. […] Given the nature of intelligence work, it is not possible to gain insight into actual requests for information by the U.S. authorities […] Cloud providers will typically not be able to disclose whether such requests are made”

Perhaps the UK government has different safeguards than the Dutch government, or perhaps it’s taken precautions not to entrust any really sensitive data to US companies. But nevertheless, as with SOPA, it appears that US legislation is once again having big ramifications for the rest of the world…
