US companies are effectively barred from providing IT services to the Dutch government over fears relating to the Patriot Act, the country’s Minister of Security and Justice has said.
The Patriot Act, passed after the terrorist attacks in September 2001 and renewed earlier this year, asserts that any data stored by a US company can be accessed by the country’s security forces if they believe it relates to a national security investigation.
In theory, this contravenes the EU’s Data Protection Directive, which asserts that organisations cannot allow a third party to access an individual’s data without their permission.
In a written answer to a parliamentary question, minister Ivo Opstelten asserted that any contract with a US cloud provider would have to include terms restricting the provider from moving the data outside of the EU. “This basically means that companies from the United States are excluded in such bids and contracts,” Opstelten wrote.
He added that he could not rule out the possibility that Dutch government data is already stored with or managed by US companies.
There is much confusion over the Patriot Act and how it applies to IT services, as the supposed conflict between the Act and the Data Protection Directive has not been tested in court. The EU’s proposed amendments to the Directive, currently under consultation, include a proposal to improve current international data handling rules, although it is not clear what that might involve.
A recent article by New York magazine claimed that the power to search suspects without warning, as granted by the Patriot Act, was used in 1,618 drugs-related investigations between 2006 and 2009, and in just 15 terror-related cases.