Information Management In Public Services

UK and US cloud providers weigh potential impact of Rule 41

David Bicknell Published 01 December 2016

US legislation coming into force today potentially gives US justice authorities access to UK citizen data held in US corporations’ UK-based data centres – but remit and potential impact of rule is unclear


UK and US cloud companies, privacy campaigners and government departments are taking stock of controversial US legislation which came into effect today.

The application by US law enforcement authorities of an expanded search power, dubbed “Rule 41”, was said to have implications for data stored in data-centres that are subject to US law, including those based in the UK. However, US sources have now been suggesting that Rule 41's remit does not extend outside the US to, for example, UK data held in US cloud companies' UK based data centres.

The rule is intended to make it easier for US authorities, in particular the Federal Bureau of Investigations (FBI) to carry out complex IT and data investigations. Previously, the US government could only carry out a search of computers located in the district where a federal judge granted the warrant. That might be only a few counties in a given state in the US.

Now, it has been suggested, as all the major public cloud providers are US headquartered, they are subject to US law, and therefore by implication, Rule 41. So data that may be stored in their data-centres, whether or not the facilities are located in the UK or elsewhere in the world, would be subject to Rule 41, meaning that, with the correct warrants in place, US judges could authorise legal access to any data that British citizens and organisations choose to store using these services.

However, by the end of the day, some US sources were indicating that Rule 41 would not apply outside the borders of the US and so UK data held by US cloud companies would not be accessible.

Rule 41 reportedly came about came about as part of a regular review in the US of criminal procedure by a number of federal judges. After weighing up the rule’s measures and remit and a introducing a subsequent public comment period, the judges submitted a rule change to the US Supreme Court, which then approved the rule that came into effect today, December 1.

Although US lawmakers have tried to put a stop to the Rule 41 powers until the US Congress has had a chance to study it in more detail, they were unable to pass a Bill that would have delayed Rule 41 coming into effect.

The introduction of Rule 41 is being blamed on a perfect storm of issues, leading to the legislation ‘flying under the radar’. There was an assumption that the Bill would be stopped in the US legislature, while the attention of UK data specialists and privacy campaigners has been on other proposed legislation, such as the EU General Data Protection Regulation (GDPR) and here in the UK, the Digital Economy Bill.

The fear is, given the policy leanings of the incoming Trump administration, overturning the remit of Rule 41 will be difficult for US lawmakers to achieve.  With the Trump administration not coming into effect until after the Presidential Inauguration on January 20th, it is likely to be at least February or beyond before the bill’s remit can properly be addressed,

Opponents of Rule 41 have argued that its remit is not so much a so-called ‘housekeeping measure’ that can be addressed by a judicial conference, but more a fundamental change to how US forces conduct search and seizure. That includes the ability to access data held in data centres that are subject to US law, including, potentially, data-centres owned by US cloud providers. The data, in theory, could relate to or be held in, for example, UK citizens' tax returns, police records or other individuals' data. However, there currently remains a lack of clarity as to whether this could be the case.

UK cloud companies are likely to argue that data held in their UK data-centres is subject only to UK law, and so a US Rule 41 would not apply. However, sources were indicating by the end of December 1, the first day the Rule came into force, that it may not actually be applicable to US cloud providers based in the UK either.

UKCloud, for example, said as it is registered in the UK, it holds all of its data in the UK and is subject only to UK law. It argues that that protects its customers – “which are exclusively public sector organisations, many of which are storing data about British residents” – from the jurisdiction of foreign courts and regulations.

Related articles:

FBI's New Hacking Powers Take Effect This Week

Rule 41 - FBI gets expanded power to hack any computer in the world

With Rule 41, little-known committee proposes to grant new hacking powers to the government

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.