The Cloud Security Alliance said cloud data privacy and data sovereignty will be key issues for enterprises in both the U.S. and abroad in 2015 and cited Microsoft's ongoing battle with the U.S. government over emails contained in an offshore data center as a prime example of the battles that lie ahead.
Jim Reavis, co-founder and CEO of the CSA, a nonprofit advocating for cloud security best practices and education, said cloud data sovereignty is "probably the No. 1 issue" for European enterprises using or planning to use cloud services. Specifically, Reavis highlighted a recent search warrant from U.S. authorities ordering Microsoft to hand over customer emails stored at a data center in Dublin, Ireland, as a major area of concern.
Microsoft earlier this month announced its refusal to comply with a search warrant issued as part of a U.S. Department of Justice drug case, arguing that its data center is outside of the DOJ's jurisdiction. While a federal court judge earlier this year ordered Microsoft to hand over the emails, the software giant has appealed the ruling.
Dozens of other technology firms, including rivals Amazon Inc. and Apple Inc., as well as media companies and trade associations, recently filed amicus briefs in support of Microsoft. Last week, the Irish government and European Parliament joined the wave of support for Microsoft with additional amicus briefs urging the U.S. government to use established methods, such as existing international treaties, to obtain the emails stored in Ireland.
"The right of individuals to the protection of their personal data is an essential foundation for modern society and the growing digital economy," said Dara Murphy, Ireland's minister of data protection, in a press statement last week. "We must ensure that individuals and organizations can have confidence in the rules and processes that have been put in place to safeguard privacy."
Reavis called the Microsoft case "one of the biggest issues we've seen" in recent years for cloud security and cloud adoption in general. He noted that cloud data privacy and data sovereignty were leading topics of discussion at the CSA's EMEA Congress in Rome last month; in fact, the event marked the CSA's release of the final draft of its Privacy Level Agreement for Europe v2, which includes a section on responding to and managing law enforcement requests.
Cloud data privacy trepidation in Europe
Reavis said many European enterprises at the event expressed concern about the Microsoft case.
"One of the themes from the EMEA Congress was that those companies doing a lot of business in the cloud were watching the Microsoft case very closely and waiting to see if Microsoft has the ability to win this case," Reavis said.
According to Reavis, representatives from several European enterprises who attended the CSA event said they planned to put cloud projects with U.S. providers on hold until the case is resolved, which makes cloud data privacy a major concern for U.S. companies as well.
"Their opinion of Microsoft and whether they want to do business with them in the cloud is directly correlated to how hard the company fights the DOJ in this case," Reavis said.
U.S. companies closely watching cloud data privacy battle
For some U.S. technology companies, Reavis said, cloud data privacy will be a bigger security issue than malware or hacking because they're fearful of losing cloud business overseas. In that respect, he expects more tech firms to take an active role in how data privacy and sovereignty are defined both with industry standards and legislative efforts.
"Concern about hacks and malware are always going to be there, but they're like a hurricane -- you don't know exactly when they're going to happen," Reavis said. "But data sovereignty and privacy in the cloud are issues that enterprises can work on and have some measure of influence on."
The Microsoft case is currently in the U.S. Circuit Court of Appeals, and a decision on the appeal is expected sometime next year.