CIOCOO
Resources for CIO and COO professionals

Clouds and data jurisdiction

May 15th 2010 in cloud computing, legal, outsource, regulation

That shiny new cloud is just so tempting. At just the click of a button, you can move your corporate data to it and enjoy the financial and operational benefits. But wait – before moving any data to the cloud, make sure you fully understand the legal and regulatory implications of doing it, especially the jurisdiction where your data is to be located.

If, up-to now, your data has all been hosted by your company in the same jurisdiction and all your users are in that jurisdiction, then you probably haven’t had to think about this before. Read on ….

The issue of data jurisdiction has always been with us – it’s not a new ’cloud’ thing. However, with cloud services excitement reaching fever-pitch, it’s a good opportunity to discuss it again.

What’s the difference between a jurisdiction and a country ?

I know it sounds like the start of a nerdy joke, however …. a jurisdiction refers to a bounded space that is subject to its own laws and regulation. In some instances a jurisdiction is a country. For example:

  • The USA is a country, but its different states have their own laws, which means the USA has multiple jurisdictions (albeit also with USA-wide laws and regulation).
  • England is a country and a jurisdiction. Its laws and regulations covers its entirety.
  • Jersey in the Channel Islands is not a country but has its own laws and regulations, so is a jurisdiction. Before you ask, Jersey is neither a country, or part of England !

Image of Jurisdiction and the Internet: Regulatory Competence over Online Activity

Why should I care where my data is ?

If you have a responsibility for IT or hold a senior position in your organisation, you have a responsibility to ensure that your data is stored in a jurisdiction that has data protection laws at least as strong as your current jurisdiction. I used the term ‘data protection’ in lower-case deliberately, as I refer to the wider laws and regulation that govern the protection and access to data in a jurisdiction. This includes the jurisdictions actual Data Protection law.

Here are a few examples of why you need to care where your data is hosted:

  • For non-Americans who host their data in the USA, they must be aware of the USA Patriot Act. This law presents two issues regarding data stored in the USA.
    • Firstly, USA law enforcement agencies can access your hosted data in the USA if they consider it ‘relevant’ to their investigations. This is much easier to meet than the usual ‘probable cause’ test.
    • Secondly, if your hosted data in the USA is accessed by the USA law enforcement agencies, the data holder (the cloud service provider based in the USA) is not permitted to tell the non-USA data owner (that’s you) that their data has been accessed, even if the cloud service supplier is contractually bound to advise them.
  • Law protection authorities in many locations (as mentioned above for the USA) can seize your data with the relevant orders. For example, suppose your cloud service provider hosted a business that wasn’t as law abiding as your company. If the local law protection authorities raid the cloud service provider and take all the equipment – they are unlikely to be interested in the fact that other clients are using that equipment – they want to ‘catch their man’.
  • If, during an investigation, a law enforcement agency seized a server in their jurisdiction, but it contained data about your clients in a different jurisdiction, would this infringe your clients data protection rights and would you be breaking the Data Protection law for locating the cloud service there ?
  • Some regulatory authorities take the view that they either regulate or have a responsibility for businesses whose data is stored in their jurisdiction.
  • Some jurisdictions consider the tax on a transaction to be borne in the jurisdiction that the transaction was made. For some automated transactions, such as online gaming, this is often where the processing is performed. Therefore, beware of the location where your processing and data is based. This is why some companies are attracted to particular jurisdictions for transaction-based tax reasons.

.

How do I know where my cloud data is ?

There is only one sure way – ask the cloud service provider.

With commodity cloud service providers, you will have a non-negotiable clickwrap contract. All you can do with this is read it and accept or reject it – there is no negotiation.

Some commodity cloud service providers are not so forthcoming about their locations, but many are open with you about their jurisdictions. For example, Amazon’s ECC is available in USA East (Northern Virginia), USA West (Northern California), European Union (Ireland), and Asia Pacific (Singapore). Mimecast, as another example offers its clients a choice of jurisdictions.

If you can’t determine which jurisdiction(s) your data will be hosted in, you have to work on the assumption that your data is hosted ‘somewhere’. That makes the decision to use the cloud computing service more difficult, as you don’t know where you data will be located and which laws and regulations will apply.

Here are a few things not to do, in order to try and find the cloud providers jurisdiction(s):

  • Don’t try to use traceroute to pin the website to an IP address and location. Most large cloud service providers have data centres in different locations and countries and dynamically move processing and content between them to optimise performance and network utilisation.
  • Don’t assume that your data is at the cloud service providers office address or even in that jurisdiction.
  • Don’t assume the data is stored in the location denoted by the URL address. E.g., a website suffix of .com doesn’t mean the cloud service is located in the USA.
  • Unless specified, don’t assume the cloud service provider only uses their infrastructure. Some host their infrastructure on an underlying provider.

.

Can I host my cloud data outside my jurisdiction ?

As you will have gathered by now, it’s not a straight forward ‘yes’ or ‘no’ answer. It depends on your location, the cloud service providers data location(s), the laws and regulations in those locations and any client contracts/agreements you may have.

  • Make sure the new jurisdiction has data protection laws at least as strong as your current jurisdiction. This refers to the wider laws and regulation that govern the protection and access to data in the jurisdiction, including the jurisdictions actual Data Protection law.
  • If transaction processing will happen in another jurisdiction, make sure that your taxation position isn’t impacted.
  • If you are a licensed or regulated services provider, make sure that your current jurisdiction’s regulator is happy with your chosen data location.
  • If you are a licensed or regulated services provider, make sure that you won’t be subject to the regulator in the new jurisdiction and that you won’t be required to have additional license(s) to operate from that location.
  • Make sure there is nothing in your terms and conditions or client agreement/contract that would prohibit you moving data to a different jurisdiction. For example, banks that acquire clients from another bank can find that the client agreements are old and commit to the client’s data being in a particular jurisdiction.
  • Don’t forget to find out where the cloud suppliers contingency site is and if they use backup media and where that is stored. If these are in different jurisdictions, you need to be aware.

.

Possible solutions

The obvious solution

The obvious solution is to use either a ‘private cloud’ or a ‘public cloud’ in which the supplier guarantees the location of your data.

Jurisdictional cloud computing services tend to be more expensive but are gaining popularity, for example, the OneSource service from Jersey Telecom and Virtustream.

More complex solutions

Clients of cloud computing infrastructure services tend to encrypt the data held at the hosting provider. This means that the cloud services provider is a custodian of the data and has no part in its use. Whilst encryption is easy to implement for  infrastructure level services such as IaaS, PaaS and DaaS, it is more difficult at the software provision level (SaaS).

Another solution is to use ‘hybrid cloud’. This extends the cloud into the infrastructure in your premises. The cloud service provider would install a server in your premises which keeps sensitive data in your jurisdiction and under your control. The sensitive data is still stored in the cloud service, but in a tokenised form.

An example of this is PerspecSys who have implemented such a solution with Salesforce.

Image of Island Enclaves: Offshoring Strategies, Creative Governance, and Subnational Island Jurisdictions

Also read ….

And finally ….

If you have read this far and are still looking for the answer as to whether you can move your data to a cloud, you will have gathered that it’s not straight-forward to answer. It depends on your location, the cloud service providers data location(s), the laws and regulations in those locations and any client contracts/agreements you may have.

Please note, I am not qualified in legal or tax. These are guidelines based on my personal experience.  If in doubt, get professional legal advice. Data jurisdiction, taxation, law and governance is a complex matter. A relatively small amount spent on good legal advice will be much less than a lawsuit later-on.


5 comments to...
“Clouds and data jurisdiction”
Avatar
Ronnie
wrote on May 15th, 2010

Nice article, hope to see more like this.

Thanks – Ronnie


Avatar
forex robot
wrote on May 16th, 2010

Great information! I’ve been looking for something like this for a while now. Thanks!


Avatar
Monty Nettleingham
wrote on May 16th, 2010

Thanks for writing about this. There’s a lot of good tech information on the internet. You’ve got a lot of that info here on your site. I’m impressed – I try to keep a couple blogs pretty live, but it’s a struggle sometimes. You’ve done a great job with this one. How do you do it?


Avatar
Tweets that mention Clouds and data jurisdiction « CIOCOO -- Topsy.com
wrote on May 18th, 2010

[...] This post was mentioned on Twitter by l. l said: Great blog- about #cloud http://ht.ly/1MBba [...]


Avatar
CIOCOO » Blog Archive » Cloud-Based Backup Services
wrote on September 4th, 2010

[...] You must take as much care with the location of your backup data as you do if selecting a service provider for Cloud hosting. Read this article for more information on data jurisdiction. [...]




required



required - won't be displayed


Your Comment:

How do you dispose of old equipment – do you give it to staff or charity ? If so, beware of the risks involved. A recent story of client data found on a used photocopier is a scary reminder. How do you make sure your equipment doesn’t contain valuable company data when it leaves your premises ?

Previous Entry

There are many many articles written extolling the benefits of ‘cloud technology’. However, most of these are written by a supplier or specialised consultant – meaning they aren’t independent. Here are some real-life benefits of using the technology and some advice.

Next Entry

Recommended reading
Image of Cloud Computing, A Practical Approach