IGUV

DATA PROTECTION RISKS FOR SWISS FINANCIAL SERVICE PROVIDERS

The USA Patriot Act impacts U.S. companies by facilitating government access to certain information and surveillance technologies to combat terrorism and criminal activity. This means that U.S. companies are required to disclose information or provide surveillance technologies when requested to do so by government authorities. This has privacy and customer data protection implications and may result in legal or financial consequences for companies.

Many countries have similar laws, for example the Regulation of Investigatory Powers Act (RIPA) in the United Kingdom, the French Intelligence Law in France, the BND-Gesetz (BNDG) in Germany, and the Federal Law on Operational-Investigative Activity in Russia.

A Swiss financial services provider must ensure that the service provider it uses, which stores client data, complies with the local requirements of the Banking Act (BankG) and FINMA supervisory law. To ensure that client data is adequately protected, the provider must be able to demonstrate that it:

A privacy policy does not provide protection from government authorities; it is only a legal contract between the company and its customers that sets forth the company's obligations regarding the handling of customer data. A privacy policy does not guarantee that a company will protect its customer data from access by government authorities.

Here are some known cases in this context that have become public.

  • Microsoft Azure - Microsoft has fought government requests in the past to provide data related to the Patriot Act. In 2013, Microsoft successfully fought a government request to release email data from a data center in Ireland.
  • Google Cloud - Google has fought government requests in the past to provide data related to the Patriot Act. A well-known example is a 2013 case in which Google fought a government request to provide data about an international search query.
  • Dropbox - Dropbox has fought government requests in the past to provide data related to the Patriot Act. A well-known example is a 2014 case in which Dropbox fought a government request to provide data from a customer.
  • Apple - Encryption dispute between the FBI and Apple. In 2015 and 2016, Apple Inc. received, and denied or appealed, at least 11 orders from United States district courts under the All Writs Act.

It is important to note that these are only cases that have become public because companies have resisted government requests. However, when companies cooperate with government agencies, this information is usually not released to the public at all.

If a government agency requests data from a company, the company may be required to provide that data, even if it comes from a customer in another country, such as Switzerland.

In summary, the use of foreign cloud and data storage providers by Swiss financial services providers poses risks with respect to data protection. The USA Patriot Act and similar laws give government agencies broad powers to access data from foreign companies, which calls into question the privacy statements of such providers. Therefore, it is important for Swiss financial service providers to minimize the risk in terms of data protection and use Swiss providers. A Swiss solution offers the advantage of higher data protection and better legal certainty when dealing with sensitive data.
