This tip is a part of the SearchCloudSecurity.com mini learning guide series, Cloud computing legal issues: Developing cloud computing contracts.
In a cloud computing environment, data and applications are hosted "in the cloud.” What that cloud is made of, and where its components are located, matters. However, ask a cloud service vendor where your data will be stored or processed, the typical answers will likely range from "well… hum ... in the cloud" to "we have servers everywhere, data moves around constantly" or "we cannot tell you for security reasons."
As the custodian of confidential and valuable data -- personal or company information -- you need to know where data will be located at all times. In the cloud environment, location matters, especially from a legal standpoint.
In the legal world, location is most frequently associated with jurisdiction. The concept of “jurisdiction” is associated with the power of a judge or government entity to assert authority over the persons or things involved in an action, and to make a decision about a specific issue or sets of facts.
Jurisdiction is not necessarily exclusive. Several countries or courts may have concurrent jurisdiction over a matter. Indeed, litigants frequently argue about who has jurisdiction over their dispute. In the cloud environment, where a piece of equipment is located may have significant consequences on the ability of a court or other government authority to assert jurisdiction over that piece of equipment, and, in the case of a server, over the data contained in that server.
If the cloud that hosts your data has servers in a foreign country, the laws of that foreign country may govern your data when stored in that server. As a result, many important foreign laws may govern your data (in addition to those of the United States). Consider the following cloud computing legal issues that stem from data location.
Cloud computing legal issues: Data protection laws
Assume that Cloud X Service provides hosting, email and collaboration solutions to Acme, a U.S. company with no operations abroad. Assume also that the Cloud X network includes servers located in a data center in the United Kingdom. Thus, Acme as Cloud X’s customer ends up using data or servers that are in the U.K.
The Data Protection Act (1998) governs the protection of personal information that is processed in the U.K. Of course, the Data Protection Act applies to companies that do business in the U.K. However, that is not the extent of its reach. Under Section 5(1)(b) of the act,, the law also applies to a data controller that is not established in the U.K. or in any other European Economic Area state (EEA includes the European Union plus Lichtenstein, Norway, Iceland) but that “uses equipment in the United Kingdom for processing the data otherwise than for the purposes of transit through the United Kingdom.”
This means that if a foreign company uses equipment that is located in the U.K. to process personal data, the processing of the data must comply with the U.K. Data Protection Law, even if the company is not established, or does not do business in the U.K.. The same provision can be found in the data protection laws of the 30 EEA member states and other countries.
When a cloud service provider elects to install servers in the EEA or other countries with a similar data protection law, all data that is processed, stored or maintained on these servers are subject to the data protection laws of the country where the servers are located. These laws have extensive requirements, restrictions and prohibitions on what may or may not be done with personal data. They may require registrations with the country’s Data Protection Supervisory Authority; they may prohibit certain transfers of these data, and much more. Failure to comply may have serious consequences.
Cloud computing legal issues: government surveillance
In addition to foreign data protection laws, consider the possibility that a third party or a foreign government might want to have access to a cloud service server that holds your data. In principle, access by a third party, even a government, is restricted, and even the police or secret service may not have access to premises or equipment without appropriate authorization -- in the form of a search warrant or court order -- before being allowed to search a computer.
However, this is not the case everywhere. For example, if your data is stored on a server that is located in India, the server will be subject to the laws of India. India’s Information Technology Act of 2000 (as amended in 2009) governs many aspects of the protection and use of computers, networks, etc. Section 69 of India’s IT Act allows the Central Government to issue directions for the interception, monitoring and decryption of messages from any computer and other communication device for security reasons, for public order, to prevent the commission of any cognizable offense or to investigate any offense. Section 69B(1) grants the Central Government the power to authorize any agency of the government to monitor and collect traffic data or information generated, transmitted, received or stored on any computer. In both cases, there is no requirement for a court order or other permission, and no limitation to these powers.
What information may be retained and preserved may also be dictated by the Indian government. Section 67C of the Information Technology Act requires companies to preserve and retain such information as may be specified, and for such duration, and in such manner and format as the central government may prescribe.
Thus, while the cloud may take advantage of the friendly business environment in a country, it may also subject equipment and data stored in this equipment to the monitoring and surveillance of the government in that country.
When negotiating your contract for cloud services, decide if knowing where your data is located is important to you. If it is, then try to limit the geographic area where your data will be stored or processed. The City of Los Angeles was able to obtain some restrictions in its contract with Computer Sciences Corp. and Google Inc. for email and other services. Some of the data will be stored only in the continental U.S.. See, Appendix J.1, Section 1.7 of the Professional Services Contract between Google and the City of Los Angeles, which provides:
1.7 Data Transfer. Google agrees to store and process Customer's email and Google Message Discovery (GMD) data only in the continental United States. As soon as it shall become commercially feasible, Google shall store and process all other Customer Data, from any other Google Apps applications, only in the continental United States. Google shall make commercially reasonable efforts to advise Customer when such data storage capability is made available. Notwithstanding the foregoing, Google may store and process Login Data in any country in which Google or its agents maintain facilities.
Cloud service providers want the freedom to move data to different servers for load balancing or to take advantage of the lower cost of utilities or personnel in different geographies. However, by doing so, they may inadvertently expose their customers’ data to the laws of countries other than those where the customer opted to operate.
It may be that, in the future, countries that wish to attract foreign investments and data centers will carve out a niche from their data protection laws. However, currently, the black letter law in many countries may subject cloud users to the data protection requirements and other laws of the country where the servers are located.
About the author:
Francoise Gilbert is the managing director of the IT Law Group and serves as the general counsel of the Cloud Security Alliance. She focuses on information privacy and security, cloud computing, and data governance. She has been named one of the country’s top privacy advisors in a recent survey and has been recognized by Chambers USA and Best Lawyers in America as a leading lawyer in the field of information privacy and security. .Gilbert is the author and editor of the two-volume treatise Global Privacy & Security Law, which analyzes the data protection laws of 60-plus countries on all continents. She serves on the board of directors of the International Technology Law Association and on the Technical Board of Advisors of the ALI-ABA.