<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CIOCOO &#187; Jurisdiction</title>
	<atom:link href="http://ciocoo.com/tag/jurisdiction/feed/" rel="self" type="application/rss+xml" />
	<link>http://ciocoo.com</link>
	<description>Resources for CIO and COO professionals</description>
	<lastBuildDate>Mon, 30 Jan 2012 13:20:50 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Cloud services &#8211; location location location!!!</title>
		<link>http://ciocoo.com/cloud-services-location-location-location-2-1716/</link>
		<comments>http://ciocoo.com/cloud-services-location-location-location-2-1716/#comments</comments>
		<pubDate>Sun, 02 Oct 2011 22:22:02 +0000</pubDate>
		<dc:creator>Tim Bullock</dc:creator>
				<category><![CDATA[CIO]]></category>
		<category><![CDATA[CIO & COO]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[due-diligence]]></category>
		<category><![CDATA[legal]]></category>
		<category><![CDATA[management]]></category>
		<category><![CDATA[outsource]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Due dilligence]]></category>
		<category><![CDATA[IaaS]]></category>
		<category><![CDATA[Jurisdiction]]></category>
		<category><![CDATA[Outsource]]></category>

		<guid isPermaLink="false">http://ciocoo.com/?p=1716</guid>
		<description><![CDATA[Why would you choose to host your Cloud based services with a supplier who charges more?]]></description>
			<content:encoded><![CDATA[
<p><a href="http://ciocoo.com/"><img class="alignright size-full wp-image-1709" title="ciocoo_worldMapClouds_node" src="http://ciocoo.com/wp-content/uploads/2011/09/ciocoo_worldMapClouds_node.jpg" alt="" width="195" height="110" /></a>With Cloud based services becoming commoditised, will the smaller players be able to compete against the likes of <a href="http://www.salesforce.com/" target="_blank">Salesforce.com</a>, <a href="http://proofpoint.com/">ProofPoint</a>, <a href="http://www.microsoft.com/windowsazure/" target="_blank">Microsoft&#8217;s Azure</a>, <a href="http://www.microsoft.com/en-gb/office365/online-software.aspx" target="_blank">Office365</a> and <a href="http://aws.amazon.com/" target="_blank">Amazon&#8217;s EC2</a>?</p>
<p>Last week, we saw the launch of a new and powerful <a href="http://www.foreshore.net/services/vcloud-services.aspx" target="_blank">IaaS service (vCloud)</a> from <a href="http://www.foreshore.net/" target="_blank">Foreshore (Jersey)</a>.  Why would you choose to host your Cloud based services with a supplier who will undoubtedly charge more than a big player such as Microsoft?  It may seem a bizarre question, so here are my thoughts on things to consider before shipping your data to a different location in order to reduce (immediate) costs.</p>
<h2>What&#8217;s a jurisdiction?</h2>
<ul>
<li>A jurisdiction is more than just a location. For example, knowing that your Internet transaction processing system is hosted in the USA isn&#8217;t enough &#8211; you need to know which state(s) it is in and understand the legal and tax implications of those states.</li>
<li>You need to look at the legal and tax implications of all the relevant jurisdictions, including where you and your business are located, where the hosted servers physically are (including any disaster recovery facility) and also where your hosting provider&#8217;s headquarters are.</li>
</ul>
<h2>Client perception</h2>
<ul>
<li>Where do your clients think their data physically is?</li>
<li>Do your clients actually care where their data is? For example, a Trust client may take a keen interest in data jurisdiction, whereas a client of an online shop probably takes no interest as long as their data is secure and their goods are delivered.</li>
<li>How would your clients react if their data was hosted in a different location to where they thought it was?</li>
</ul>
<h2>Client agreements</h2>
<ul>
<li>Do any of your client agreements specify the physical location or jurisdiction of their data?</li>
<li>If you haven&#8217;t repapered clients recently and sought their agreement to the changes (if required), you may be bound by legacy client agreements.</li>
<li>If you have &#8216;click-wrap&#8217; agreements, this may be easy for you. In other words, you have the ability to change your agreements and simply republish them online for them to become effective.</li>
</ul>
<h2>Legal and regulatory</h2>
<ul>
<li>Have you ensured that the jurisdiction you are considering for hosting has data protection, regulatory and legal standards at least as high as your current location? For example, would you want to be associated with a non-white listed OECD country by hosting your data there?</li>
<li>For example, <a href="http://ninefold.com/data-jurisdiction/Ninefold-Offshore-Data-Whitepaper-Singapore.pdf" target="_blank">Singapore does not have one unified data protection law</a>. Instead, it is subject to over 140 disparate and sector-specific statutes that regulate the use and disclosure of personal data.</li>
<li>Some jurisdictions could have more stringent laws than your current jurisdiction. For example, <a href="http://www.hunton.com/files/News/15ba78b0-431d-471e-bf4a-70cfad51e405/Presentation/NewsAttachment/f99232f3-3579-4140-822a-28aa12b1d2ff/germany_adopts_stricter_data_protection_law.pdf" target="_blank">Germany currently has some of the most onerous data protection laws in Europe</a>. This may place more demands on your organisation.</li>
<li>How will you maintain compliance across multiple jurisdictions? For example, the <a href="http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard" target="_blank">storage and processing of payment card data</a>.</li>
<li>If the relationship between you and the hosting provider turns sour, are you comfortable with the legal process in their jurisdiction? You may need to use it.</li>
<li>Does your regulatory regime require you to physically inspect the data centre used?</li>
<li><a href="http://www.engadget.com/2011/07/06/microsofts-patriot-act-admission-has-the-eu-up-in-arms/" target="_blank">Microsoft, being a USA company</a>, have confirmed that their European data centres are subject to the <a href="http://en.wikipedia.org/wiki/USA_PATRIOT_Act" target="_blank">USA Patriot Act</a>. Are you comfortable with this?</li>
</ul>
<h2>Tax</h2>
<ul>
<li>Have you taken taxation advice about the jurisdictions, to determine if you will need to pay tax there? You need to think about where you are, where your company&#8217;s operations are, where your clients are and where you are hosting.</li>
<li>If you host a transactional website in the USA, it can create a taxable presence for USA federal income tax purposes. Just storing data would not usually be deemed to be conducting business for USA tax purposes, however the activity can be treated as the conduct of business if the non-USA person stores data for the account of others or allows clients or other third parties access to the data. <a href="http://ninefold.com/data-jurisdiction/Ninefold-Offshore-Data-Whitepaper-USA.pdf" target="_blank">Click here to read an interesting document regarding the USA tax implications </a>- it&#8217;s written for Australians but the principle is the same.</li>
<li>If you are considering hosting in the USA, don&#8217;t forget that the USA has fifty states (hence its name!), each with its own laws and taxation regime. Make sure you know which state(s) your data will be in and how that state&#8217;s laws and taxation will impact you. <a href="http://www.forbes.com/sites/robertwood/2011/09/12/how-amazons-california-tax-romp-will-impact-us-all/" target="_blank">Click here to read about the Amazon challenge on a new California tax as an example</a>.</li>
<li>If you host a transactional website in Singapore, you could be liable for Singapore tax if your Singapore presence is deemed a permanent establishment &#8211; i.e. you have a fixed place of business in Singapore and you carry out your business activities wholly or partly through that place. You can start to see that a hosted Internet transaction website could be deemed as taxable in a jurisdiction other than where you may be located. <a href="http://ninefold.com/data-jurisdiction/Ninefold-Offshore-Data-Whitepaper-Singapore.pdf" target="_blank">Click here to read an interesting document regarding Singapore tax implications</a> &#8211; it&#8217;s written for Australians but the principle is the same.</li>
<li>Is there a double taxation agreement in place between your business jurisdiction and the hosting jurisdiction? You don’t want to pay tax twice!</li>
</ul>
<h2>And finally &#8230;.</h2>
<p>The message here is that all that glitters is not necessarily the most appropriate for you and your business. An apparently low cost solution may not be the best solution for your business. If all you need is e-mail and Microsoft Office type functionality, then <a href="http://www.microsoft.com/en-gb/office365/online-software.aspx" target="_blank">Office 365</a> could be good for you and your organisation. If you need transaction processing capability, look before you leap to an apparently lower cost supplier and different jurisdiction.</p>
<h2>Also read this</h2>
<ul>
<li><a href="http://ciocoo.com/clouds-and-data-jurisdiction-282/" target="_blank">Clouds and data jurisdiction</a></li>
<li><a href="http://ciocoo.com/cloud-service-provider-due-diligence-492/" rel="bookmark" target="_blank">Cloud service provider due-diligence</a></li>
<li><a href="http://ciocoo.com/real-life-advice-for-private-cloud-technology-557/" rel="bookmark" target="_blank">Real-life advice for adopting private Cloud technology</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://ciocoo.com/cloud-services-location-location-location-2-1716/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Clouds and data jurisdiction</title>
		<link>http://ciocoo.com/clouds-and-data-jurisdiction-282/</link>
		<comments>http://ciocoo.com/clouds-and-data-jurisdiction-282/#comments</comments>
		<pubDate>Sat, 15 May 2010 07:29:28 +0000</pubDate>
		<dc:creator>Tim Bullock</dc:creator>
				<category><![CDATA[CIO]]></category>
		<category><![CDATA[CIO & COO]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[COO]]></category>
		<category><![CDATA[legal]]></category>
		<category><![CDATA[outsource]]></category>
		<category><![CDATA[regulation]]></category>
		<category><![CDATA[Cloud]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Jurisdiction]]></category>
		<category><![CDATA[Management]]></category>

		<guid isPermaLink="false">http://ciocoo.com/?p=282</guid>
		<description><![CDATA[Understand the legal and regulatory implications before hosting data in a Cloud service.]]></description>
			<content:encoded><![CDATA[
<div class="mceTemp"><a href="http://ciocoo.com/"><img class="alignright size-medium wp-image-523" title="Clouds and data jurisdiction" src="http://ciocoo.com/wp-content/uploads/2010/05/HeartIsland-300x168.jpg" alt="Clouds and data jurisdiction" width="300" height="168" /></a>That shiny new <a href="http://ciocoo.com/?p=109" target="_self">cloud</a> is just so tempting. At just the click of a button, you can move your corporate data to it and enjoy the financial and operational benefits. But wait &#8211; before moving any data to the cloud, make sure you fully understand the legal and regulatory implications of doing it, especially the jurisdiction where your data is to be located.</div>
<p>The issue of data jurisdiction has always been with us &#8211; it&#8217;s not a new &#8216;cloud&#8217; thing. However, with cloud services excitement reaching fever-pitch, it&#8217;s a good opportunity to discuss it again.</p>
<p>If, up to now, your data has all been hosted by your company in the same jurisdiction and all your users are in that jurisdiction, then you probably haven’t had to think about this before. Read on &#8230;.</p>
<h2>What’s the difference between a jurisdiction and a country?</h2>
<p>I know it sounds like the start of a nerdy joke, however &#8230;. a jurisdiction refers to a bounded space that is subject to its own laws and regulation. In some instances a jurisdiction is a country. For example:</p>
<ul>
<li>The USA is a country, but its different states have their own laws, which means the USA has multiple jurisdictions (albeit also with USA-wide laws and regulation).</li>
<li>England is a country and a jurisdiction. Its laws and regulations cover its entirety.</li>
<li><a href="http://www.jersey.com/" target="_blank">Jersey</a> in the Channel Islands is not a country but has its own laws and regulations, so is a jurisdiction. Before you ask, <a href="http://www.jersey.com/" target="_blank">Jersey</a> is neither a country nor part of England!</li>
</ul>
<h2>Why should I care where my data is?</h2>
<p>If you have a responsibility for IT or hold a senior position in your organisation, you have a responsibility to ensure that your data is stored in a jurisdiction that has data protection laws at least as strong as your current jurisdiction. I used the term ‘data protection’ in lower-case deliberately, as I refer to the wider laws and regulation that govern the protection of and access to data in a jurisdiction. This includes the jurisdiction’s actual Data Protection law.</p>
<p>Here are a few examples of why you need to care where your data is hosted:</p>
<ul>
<li>Non-Americans who host their data in the USA must be aware of the USA <a href="http://epic.org/privacy/terrorism/hr3162.html" target="_blank">Patriot Act</a>. This law presents two issues regarding data stored in the USA.
<ul>
<li>Firstly, USA law enforcement agencies can access your hosted data in the USA if they consider it ‘relevant’ to their investigations. This is much easier to meet than the usual ‘probable cause’ test.</li>
<li>Secondly, if your hosted data in the USA is accessed by the USA law enforcement agencies, the data holder (the cloud service provider based in the USA) is not permitted to tell the non-USA data owner (that’s you) that their data has been accessed, even if the cloud service supplier is contractually bound to advise them.</li>
</ul>
</li>
<li>Law enforcement authorities in many locations (as mentioned above for the USA) can seize your data with the relevant orders. For example, suppose your cloud service provider hosted a business that wasn’t as law-abiding as your company. If the local law enforcement authorities raid the cloud service provider and take all the equipment, they are unlikely to be interested in the fact that other clients are using that equipment – they want to ‘catch their man’.</li>
<li>If, during an investigation, a law enforcement agency seized a server in their jurisdiction, but it contained data about your clients in a different jurisdiction, would this infringe your clients’ data protection rights and would you be breaking the Data Protection law for locating the cloud service there?</li>
<li>Some regulatory authorities take the view that they either regulate or have a responsibility for businesses whose data is stored in their jurisdiction.</li>
<li>Some jurisdictions consider the tax on a transaction to be borne in the jurisdiction in which the transaction was made. For some automated transactions, such as online gaming, this is often where the processing is performed. Therefore, beware of the location where your processing and data are based. This is why some companies are attracted to particular jurisdictions for transaction-based tax reasons.</li>
</ul>
<h2>How do I know where my cloud data is?</h2>
<p>There is only one sure way – ask the cloud service provider.</p>
<p>With commodity cloud service providers, you will have a non-negotiable clickwrap contract. All you can do with this is read it and accept or reject it &#8211; there is no negotiation.</p>
<p>Some commodity cloud service providers are not so forthcoming about their locations, but many are open with you about their jurisdictions. For example, <a href="http://aws.amazon.com/ec2/" target="_blank">Amazon&#8217;s EC2</a> is available in USA East (Northern Virginia), USA West (Northern California), European Union (Ireland), and Asia Pacific (Singapore). <a href="http://www.mimecast.com/" target="_blank">Mimecast</a>, as another example, offers its clients a choice of jurisdictions.</p>
<p>If you can’t determine which jurisdiction(s) your data will be hosted in, you have to work on the assumption that your data is hosted ‘somewhere’. That makes the decision to use the cloud computing service more difficult, as you don’t know where your data will be located and which laws and regulations will apply.</p>
<p>Here are a few things not to do when trying to find the cloud provider’s jurisdiction(s):</p>
<ul>
<li>Don’t try to use <a href="http://en.wikipedia.org/wiki/Traceroute" target="_blank">traceroute</a> to pin the website to an IP address and location. Most large cloud service providers have data centres in different locations and countries and dynamically move processing and content between them to optimise performance and network utilisation.</li>
<li>Don’t assume that your data is at the cloud service provider’s office address or even in that jurisdiction.</li>
<li>Don’t assume the data is stored in the location denoted by the URL address. E.g., a website suffix of .com doesn’t mean the cloud service is located in the USA.</li>
<li>Unless specified, don’t assume the cloud service provider only uses their infrastructure. Some host their infrastructure on an underlying provider.</li>
</ul>
<h2>Can I host my data outside my jurisdiction?</h2>
<p>As you will have gathered by now, it&#8217;s not a straightforward &#8216;yes&#8217; or &#8216;no&#8217; answer. It depends on your location, the cloud service provider’s data location(s), the laws and regulations in those locations and any client contracts/agreements you may have.</p>
<ul>
<li>Make sure the new jurisdiction has data protection laws at least as strong as your current jurisdiction. This refers to the wider laws and regulation that govern the protection of and access to data in the jurisdiction, including the jurisdiction’s actual Data Protection law.</li>
<li>If transaction processing will happen in another jurisdiction, make sure that your taxation position isn’t impacted.</li>
<li>If you are a licensed or regulated services provider, make sure that your current jurisdiction’s regulator is happy with your chosen data location.</li>
<li>If you are a licensed or regulated services provider, make sure that you won’t be subject to the regulator in the new jurisdiction and that you won’t be required to have additional license(s) to operate from that location.</li>
<li>Make sure there is nothing in your terms and conditions or client agreement/contract that would prohibit you moving data to a different jurisdiction. For example, banks that acquire clients from another bank can find that the client agreements are old and commit to the client’s data being in a particular jurisdiction.</li>
<li>Don’t forget to find out where the cloud supplier’s contingency site is, whether they use backup media and where that is stored. If these are in different jurisdictions, you need to be aware.</li>
</ul>
<h2>Possible solutions</h2>
<h3>The obvious solution</h3>
<p>The obvious solution is to use either a ‘private cloud’ or a ‘public cloud’ in which the supplier guarantees the location of your data.</p>
<p>Jurisdictional cloud computing services tend to be more expensive but are gaining popularity, for example, the <a href="http://www.jerseytelecom.com/templates/LayoutB.aspx?id=2621" target="_blank">OneSource service from Jersey Telecom and Virtustream</a>.</p>
<h3>More complex solutions</h3>
<p>Clients of cloud computing infrastructure services tend to encrypt the data held at the hosting provider. This means that the cloud services provider is a custodian of the data and has no part in its use. Whilst encryption is easy to implement for infrastructure level services such as <a href="http://ciocoo.com/?p=137" target="_self">IaaS</a>, <a href="http://ciocoo.com/?p=135" target="_self">PaaS</a> and <a href="http://ciocoo.com/?p=148" target="_self">DaaS</a>, it is more difficult at the software provision level (<a href="http://ciocoo.com/?p=114" target="_self">SaaS</a>).</p>
<p>Another solution is to use ‘<a href="http://ciocoo.com/?p=109" target="_self">hybrid cloud</a>’. This extends the cloud into the infrastructure in your premises. The cloud service provider would install a server in your premises which keeps sensitive data in your jurisdiction and under your control. The sensitive data is still stored in the cloud service, but in a tokenised form.</p>
<p style="text-align: left;">An example of this is <a href="http://www.perspecsys.com/cloud.php" target="_blank">PerspecSys</a> who have implemented such a solution with Salesforce.</p>
<h2>Also read ….</h2>
<ul>
<li><a href="http://ciocoo.com/?p=109" target="_self">Cloud Computing – what is everyone so excited ?</a></li>
<li><a href="http://ciocoo.com/cloud-based-backup-services-470/" target="_self">Cloud-based backup services</a></li>
</ul>
<h2>And finally &#8230;.</h2>
<p>If you have read this far and are still looking for the answer as to whether you can move your data to a cloud, you will have gathered that it’s not straightforward to answer. It depends on your location, the cloud service provider’s data location(s), the laws and regulations in those locations and any client contracts/agreements you may have.</p>
<p>Please note, I am not qualified in legal or tax. These are guidelines based on my personal experience. If in doubt, get professional legal advice. Data jurisdiction, taxation, law and governance is a complex matter. A relatively small amount spent on good legal advice will be much less than a lawsuit later on.</p>
]]></content:encoded>
			<wfw:commentRss>http://ciocoo.com/clouds-and-data-jurisdiction-282/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
	</channel>
</rss>

