US Government Agencies Will Soon Be Able To Access Foreign Medical Dossiers Due To Patriot Act
from the radical-transparency dept
That turns out to be a problem in the Netherlands, because the company that has developed the EPD and will be hosting the patients' data on its cloud computing systems is the US-based CSC. The Dutch government and the organization responsible for implementing the EPD are convinced there is no problem, because there are clear contracts which have assigned Dutch jurisdiction, and fortunately the Dutch have stringent data protection laws that will protect patients' sensitive data. Because that's what data protection laws do, right?
False! At least with regard to information law, researchers from Amsterdam University warn that this analysis is way too simplistic. According to the scholars, it is quite possible the US government agencies can circumvent data protection laws and could easily request access to medical information of every single person in the Netherlands. The study doesn't just cover the Netherlands (though it is especially timely for that), but rather looks at how these risks may apply more globally. Here are just a few of the findings that should raise eyebrows across the globe:
"When using a cloud service provider that is subject to U.S. jurisdiction, data may be requested directly from the company in question in the United States. […] From a legal point of view, access to such information cannot be denied and cloud service providers can give no guarantees in this respect. […] The possibility that foreign governments request information is a risk that cannot be eliminated by contractual guarantees. Nor do Dutch privacy laws offer any safeguards in this respect. […] It is a persistent misconception that U.S. jurisdiction does not apply if the data government requests for information do not apply to Dutch users of the cloud. […] legal protection under specific U.S. laws applies primarily to U.S. citizens and residents. […] Given the nature of intelligence work, it is not possible to gain insight into actual requests for information by the U.S. authorities […] Cloud providers will typically not be able to disclose whether such requests are made"If the above doesn't yet lead to a new international outrage against the US Patriot Act, then the following sentence on the extra-territorial effects of the Patriot Act should at least send shivers down the spines of sovereignty-loving non-US government officials:
"The transition to cloud computing will, in principle, result in a lower degree of autonomy [...]"