My friends and colleagues will tell you that I can get really boring about the different cultural and ethical stances that Europe and the USA take on data protection – a free-for-all in the USA, regulated (or not) by market forces; and a heavily regulated legal environment in Europe. For once, both regions’ legal system reflect the mood of the people. In the USA people seem happy (or are just resigned to the fact) that their personal data will be collected, bought and sold by unscrupulous web sites. In Europe, people expect their data to be held in confidence and abusing that trust can be a criminal offence. At Really Simple Systems we occasionally get calls from US customers asking us if we will sell the data that they enter into their CRM system. We don’t say we don’t do this on our site because – well, it is simply unimaginable that we would. Over here, anyway.
But last week I came across another twist in the data protection saga. We had a customer checking that their data was not stored in the US, not because of data compliance issues (they were not in the EC) but because their own customers would be unhappy if their personal (and financial) details would be stored in the US. Every since the USA passed the Patriot Act any government agency can demand to see any data stored on a computer in the US, or any computer anywhere in the world owned by a US organisation, and they can demand this without the inconvenience of a court order.
It is a well known fact that any law intended to be used for one purpose ends up being used for many other purposes not intended when the law was passed. The UK’s Anti-Terrorist laws being one example, having been (ab)used to eject hecklers from political conferences (the Labour Party) and threaten friendly countries (Iceland) who might not compensate UK savers in their failed banks.
So it is with the Patriot Act, and the concern of this customer’s customers was that agencies like the IRS might use such data to try and extend their tax reach beyond the shores of the USA.
If you think they are paranoid, coincidentally ZDNet posted a blog on the same theme this very day.