September 18, 2014

Fact or Fiction? U.S. Government Surveillance in a Post-Snowden World

Bret Cohen Hogan Lovells US LLP

2

The “Snowden effect”

www.hoganlovells.com

U.S. cloud perception post-Snowden

• July 2013 survey of non-U.S. Cloud Security

Alliance members

– 66% either cancelled a project with or reported that they

were less likely to use U.S.-based cloud providers

• May 2014 survey of European IT professionals

– 51% do not trust U.S.-based clouds (13% unsure)

– 47% believe data is more secure in EU-based clouds

– 59% do not believe EU governments conduct surveillance

to the same extent as the U.S.

3

www.hoganlovells.com

Bottom-line cost estimates

• Information Technology & Innovation Foundation:

– “The U.S. cloud computing industry stands to lose $22 to

$35 billion over the next three years” (Aug. 2013)

• Forrester Research

– “We think [ITIF’s] estimate is too low and could be as high

as $180 billion or a 25% hit to overall IT service provider

revenues in that same timeframe.” (Aug. 2013)

4

www.hoganlovells.com

Overheard from a non-U.S. provider

“[The] Service is based and operated by companies in

the European Union – offering European customers

full compliance with EU data protection laws and a

safe haven from the reaches of the US Patriot Act.”

5

http://www.anniemayhem.com/blog pics/BigMouth.jpg

www.hoganlovells.com

Overheard from a non-U.S. provider

“EU customers can now benefit from the savings and

flexibility enabled by cloud-based database services

safe in the knowledge that they will not fall under the

jurisdiction of the Patriot Act. Under the Patriot Act

data from EU users of US-owned cloud-based

services can currently be shared with US law

enforcement agencies without the need to tell the

user.”

6

http://www.anniemayhem.com/blog pics/BigMouth.jpg

www.hoganlovells.com

Overheard from a non-U.S. provider

“The Americans say that no matter what happens I’ll

release the data to the government if I’m forced to do

so, from anywhere in the world. Certain German

companies don’t want others to access their systems.

That’s why we’re well-positioned if we can say we’re a

European provider in a European legal sphere and no

American can get to them.”

7

http://www.anniemayhem.com/blog pics/BigMouth.jpg

8

The Facts: What exactly can the U.S. government do?

www.hoganlovells.com

How can the U.S. obtain customer data?

9

www.hoganlovells.com

I noticed you didn’t mention the Patriot Act.

So why do I keep hearing about it?

Uniting and Strengthening

America by Providing

Appropriate Tools Required to

Intercept and Obstruct

Terrorism Act

10

www.hoganlovells.com

What are the concerns of non-U.S. companies?

11

12

Can a company with U.S. ties

guarantee that the U.S. government

won’t access non-U.S. customer

data?

13

So, customer data must be less

safe from government access in the

U.S., right?

www.hoganlovells.com

“A Global Reality”

14

• All provide authority to

compel disclosure of

customer data

• In almost all instances,

government can compel

remote disclosure

• Outside of the U.S.,

most countries permit

voluntary disclosure

• MLATs mitigate issue of

foreign access

www.hoganlovells.com

“A Sober Look”

• The U.S. imposes at

least as much, if not

more, due process in

national security

investigations

• Other countries protect

economic interests

• Many programs are run

by national security

establishment, not

subject to court review

15

16

How, then, should companies with

U.S. ties respond to concerns from

non-U.S. customers?

www.hoganlovells.com

How to respond to concerns

• Dispel misconceptions about the Patriot Act

17

• Compare laws to those outside of the U.S.

– The U.S. absolutely prohibits voluntary disclosure of

data customers store in the cloud

– Providers outside of the U.S. with U.S. ties can’t

guarantee that their data won’t be accessed, either

– Most countries permit the same level of surveillance and

access, some with greater authority than the U.S.

• Release a transparency report detailing the number

of government requests

www.hoganlovells.com

Questions?

18

Bret Cohen | bret.cohen@hoganlovells.com

www.hldataprotection.com

Detailed outline

included with

handouts

www.hoganlovells.com

Hogan Lovells has offices in:

Alicante

Amsterdam

Baltimore

Beijing

Brussels

Budapest*

Caracas

Colorado Springs

Denver

Dubai

Dusseldorf

Frankfurt

Hamburg

Hanoi

Ho Chi Minh City

Hong Kong

Houston

Jakarta*

Jeddah*

Johannesburg

London

Los Angeles

Luxembourg

Madrid

Miami

Milan

Moscow

Munich

New York

Northern Virginia

Paris

Philadelphia

Prague

Rio de Janeiro

Riyadh*

Rome

San Francisco

São Paulo

Shanghai

Silicon Valley

Singapore

Tokyo

Ulaanbaatar

Warsaw

Washington DC

Zagreb*

"Hogan Lovells" or the "firm" is an international legal practice that includes Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses.

The word "partner" is used to describe a partner or member of Hogan Lovells International LLP, Hogan Lovells US LLP or any of their affiliated entities or any employee or consultant with equivalent standing. Certain individuals, who are

designated as partners, but who are not members of Hogan Lovells International LLP, do not hold qualifications equivalent to members.

For more information about Hogan Lovells, the partners and their qualifications, see www.hoganlovells.com.

Where case studies are included, results achieved do not guarantee similar outcomes for other clients. Attorney Advertising.

© Hogan Lovells 2014. All rights reserved.

*Associated offices