Data privacy is an issue that has only recently come to the forefront for many U.S. organizations and their counsel. Despite this generalization, there are some U.S. lawyers who have been specializing in this area for years. One of foremost experts in this field is Christopher Wolf, a partner with the international law firm of Hogan Lovells. Chris, who leads Hogan Lovells’ Privacy and Information Management practice group, has focused the last 15 years of his practice on data privacy issues. He also recently co-authored an industry leading white paper on the data privacy implications of the 2001 USA PATRIOT Act (Patriot Act). I recently had a chance to visit with Chris at the Privacy-Protected Data Conference about his practice and his work on the Patriot Act white paper.
- What made you transition into data privacy after 20 years as a litigation attorney?
I had the good fortune of handling a pro bono privacy litigation in the late 90s that opened the door to the world of privacy law for me. I represented a gay sailor who was threatened with discharge under the Navy’s Don’t Ask Don’t Tell Policy when a Navy investigator used false pretenses to illegally obtain personal information about the sailor from his Internet Service Provider. I was successful in obtaining an injunction against his discharge and a ruling that the Navy violated the Electronic Communications Privacy Act. News of that case led to a paying client hiring me for privacy work. And I was hooked! I then created the first Practising Law Institute treatise on Privacy Law, and got involved in public policy discussions about privacy. Through my law practice and think tank, The Future of Privacy Forum, I have tried to advance the causes of responsible and transparent data practices that respect individual privacy and comply with the law.
- What drove you to develop the Patriot Act white paper?
We had observed a trend of misinformation being propagated out of some countries, most notably in Europe, that invoked the Patriot Act as a kind of shorthand to imply that the U.S. government is alone in permitting governmental access to data stored in the cloud for law enforcement or national security purposes. This misinformation had become so ingrained that it often was parroted without any basis and cited to support the offering of “national clouds” as a “safer” alternative to U.S.-based cloud service providers, who were painted as indiscriminately handing cloud data over to the U.S. government. Our white paper examined the laws of ten major countries, including the United States, to demonstrate that these concerns were without basis.
- Vis-à-vis the laws of other nations such as Germany, Canada and others identified in the white paper, does the Patriot Act provide the U.S. government with greater access to data stored with cloud service providers?
When we compared the investigative methods available in the U.S. to each of the other nine jurisdictions we examined, we learned two important things. First, every jurisdiction vested authority in the government to require a cloud service provider to disclose customer data, with almost all granting the ability to request data stored on foreign servers under the service provider’s control. Second, in jurisdictions outside the U.S., there is a real potential of data relating to a person stored in the cloud being disclosed to governmental authorities voluntarily, without legal process and protections (the only exception being Japan which, like the U.S., requires the government to use legal process to obtain data from cloud service providers). Ultimately, we concluded that people are misleading themselves if they believe that restricting cloud service providers to one jurisdiction better insulates data from governmental access.
- What are some of the other prevailing myths regarding the powers granted to the U.S. Government by the Patriot Act?
Notice that in my previous response, I didn’t reference the Patriot Act. That is because most of the investigatory methods in the Patriot Act were available long before it was enacted, and the laws governing governmental access to data primarily are located in other U.S. laws. It is more accurate to say that the Patriot Act did not create broad new investigatory powers but, rather, expanded existing investigative methods. And despite this expansion, the U.S. government’s exercise of its authority under the Patriot Act is still limited by constitutional and statutory controls. For example, in the past few years there have been some successful court challenges to the U.S. government’s use of the Patriot Act when the government has overstepped its bounds.
- Are you planning a sequel or other follow up materials to the white paper?
We are currently considering similar projects to dispel similar misinformation, such as by discussing the ability of non-U.S. citizens to contest the U.S. government’s collection and use of their data, and by demonstrating that it is lawful and safe for European companies to transfer data to U.S.-based cloud providers that are certified to the U.S.-EU Safe Harbor. Stay tuned.
- Putting more of a human face on your work, what has been one of the most meaningful aspects of your practice?
It always has been important to me to have a steady pro bono docket. Currently, I am national chair of the Civil Rights Committee of the Anti-Defamation League. In addition, it is gratifying to work in the area of privacy and information management law where clients really do want to do the right thing when it comes to protection information, and I enjoy helping them do that!
Thank you, Chris. We wish you the best in your practice.