Published: 2 February 2015
I was asked a question about data sovereignty at the Christchurch Microsoft Infrastructure User Group recently. With your cloud data typically being located overseas, whose rules actually govern your data?
What’s Data Sovereignty?
Data sovereignty is the idea that information which has been converted and stored in digital form is subject to the laws of the country in which it is located.
This is a question that comes up from time to time and is often used as an argument for not storing data in the cloud. It raises a few interesting questions which I will try to answer in this post.
Cloud services come in all sorts of shapes and sizes. In many cases they are integrated into the tools and technologies we use, so it isn’t always obvious to the average user where things are actually stored.
For example, we recently worked with a client who had reservations about storing documents in a cloud service but was quite happy to use Dropbox. I am sure they aren’t alone in this understanding of the cloud.
In the context of this post I will assume “the Cloud” is an online service that stores your data offshore. Some examples of clouds include Microsoft Office 365, Google Drive, Dropbox, Amazon Web Services and iCloud.
Where exactly is “the cloud”?
In many cases cloud service providers host data in multiple locations, often in different countries. Some services allow you to specify the location depending on your requirements.
Major cloud providers including Microsoft, Google and Amazon host all data offshore. Microsoft Office 365 has many data centre choices depending on your location. Currently Singapore and the West Coast of the USA are the closest to New Zealand, with an Australian geo-location due to come online in early to mid 2015.
Is all data treated equally?
Most countries have laws, regulations and guidelines that govern the storage of electronic records (documents and data). Here are some of the things New Zealanders should consider when using cloud services.
- The Privacy Commission has cloud computing guidelines for New Zealand businesses: https://privacy.org.nz/news-and-publications/guidance-resources/using-the-cloud/cloud-computing-checklist-for-small-business/
- Financial data can be stored offshore if the service provider is registered with the IRD: http://www.ird.govt.nz/technical-tax/general-articles/third-party-providers-e-records.html
- Health data with patient-identifiable information must be kept in country. See the New Zealand standards for cloud computing and health data: http://ithealthboard.health.nz/standards/use-cloud-computing-managing-health-information
- Government agencies and providers of services to those agencies are governed by the New Zealand Information Security Manual: http://www.gcsb.govt.nz/news/the-nz-information-security-manual
New Zealand Government agencies and departments are also subject to the Public Records Act. We recommend talking to a records management specialist if your organisation is subject to this Act.
Whose law applies?
If data in the cloud is stored in various countries, whose law applies? This is a tricky question because it is a moving target from a legal perspective. In general you should expect that the laws of the country where the data is hosted will apply in conjunction with your local legislation.
Recently, the US Department of Justice attempted to seize email messages stored in Microsoft Office 365, hosted in Ireland, as evidence in a drug investigation.
At the time of writing these emails had not been released, but you can see the complexity of the legal situation. The Wall Street Journal has a blog post explaining the case in detail: http://blogs.wsj.com/digits/2014/12/24/ireland-tells-u-s-to-use-treaty-in-microsoft-email-case/
Another risk is the time it takes to regain access to your data if you are blocked for any reason. The legal process to regain access could be lengthy, even if you are in the right. This can also be true for data hosted in country. The Megaupload case is an example where servers were seized by law enforcement, resulting in end users losing access to their data.
Standards and Compliance
The cloud marketplace is a rapidly evolving environment. It is important to take a close look at the terms and conditions of the services you are using before taking the plunge.
Major providers such as Amazon, Google and Microsoft have well developed agreements and comply with global standards.
Not all cloud providers have the same privacy and data security standards. You should carefully review the terms and conditions as part of your selection process.
The cloud represents a major opportunity to drive efficiencies, extend capability and reduce costs, so it should be considered as part of your IT strategy.
Our advice is to include the data sovereignty question as part of your evaluation process. You should consider any regulations that may apply, relevant laws and compliance with industry standards. We recommend checking where your data will be stored as part of this process.
The pace of change is very rapid, with new capabilities arriving constantly. Make sure your IT strategy and policies are keeping up. Your strategy must empower your business while preventing the arrival of cloud services by stealth.