What nationality is your data?
It might sound like a funny question, but in these days of multinational companies, data in the cloud, software as a service, and worldwide replication, it’s deadly serious.
It’s particularly becoming an issue for companies outside the U.S. that are concerned about their data “entering” the U.S., and consequently becoming subject to laws that would enable the U.S. government to seize the data — perhaps without the parent company even knowing about it.
This has become an issue with data providers such as Dropbox, which revealed earlier this year that it would release data to U.S. authorities if required to, as well as with Microsoft’s cloud-based Office 365 — to the extent that the issue could affect the product’s success outside the U.S., according to Computer Weekly:
Microsoft, like other cloud providers, will need to clarify data sovereignty issues, if Office Live is to be taken seriously. While it does have a datacentre in Dublin – so it can guarantee data resides in the EU – Microsoft is headquartered in the US and will be subject to US legislation, such as Homeland Security, as well as UK and EU law. It is far from clear how government legislation will affect data in the cloud. But this will be an issue enterprises will need to address if they are to take Office 365 seriously.
The issue is also arising in Australia, which is developing its own government cloud computing initiative, provided by Hewlett-Packard, but is concerned about the ramifications of data leaving the country — for availability reasons as well as security.
Moreover, by giving the U.S. government access to company data, a company could potentially be violating its own country’s laws. According to The Register:
Buyers of off-the-peg cloud contracts could unwittingly be putting themselves in breach of UK data protection laws, says Kathryn Wynn, an associate at the law firm Pinsent Masons. Many service providers have standard terms that specify compliance with US laws, for example, which could put the customer in breach of the UK’s Data Protection Act.
The Data Protection Act forbids sensitive data from being stored offshore. Companies in the European Union should make sure that their data providers have “safe harbor” agreements, The Register said.
It’s not just the U.S., either. Other examples of different countries’ restrictions on data include France, which used to disallow encryption unless the government was given the key, and Germany, which has even stricter privacy regulations than does the E.U. Countries and companies will need to work together to negotiate these differences.