Skip the navigation

Cloud adviser: Where's your data?

Be sure your contract specifies where your data can be located and obligates the cloud provider to tell you when the data has been disclosed to a third party.

By Thomas J. Trappler
December 13, 2011 10:43 AM ET

Computerworld - With cloud computing, technology has advanced more quickly than the law's ability to effectively address its implications.

Consider the U.S. Patriot Act. It was recently revealed that U.S.-based cloud providers may have to comply with Patriot Act requests for data that's located in a provider's European data centers, even though this conflicts with the European Union's 1995 Data Protection Directive.

In response to that conflict, the European Commission recently announced that it plans to propose reforms to the EU directive by the end of January 2012.

Of course, cloud computing was not even a buzzword when the directive was first formulated in 1995. But all of this serves as a good reminder to ensure that your cloud-computing contract effectively addresses issues associated with data location and legal requests for data access.

Data location

When you use a cloud computing provider, your data travels over the Internet to and from one or more externally managed data centers. It may be in, or processed by, data centers in multiple locations around the world.

A variety of legal issues can arise when a customer's data resides in a cloud provider's data center in a different country than the one in which either the customer or the customer's clients reside. Different countries, and in some cases even different states, provinces or municipalities, have different laws pertaining to data.

A key question about cloud computing remains unresolved: Which law applies to my organization's data in the cloud: The law where I'm located, the law where my data's located, or the law where the data subject is located? International consensus on this issue has not yet been achieved.

Most contracts specify the governing law under which any disputes would be resolved, as well as the location of the court where such disputes would be heard. With cloud computing, applicable laws governing your data could include the laws where your organization is headquartered, where your cloud provider is headquartered, where your cloud provider's data centers are located, where the subjects of the data reside, and potentially the laws of the countries that your data passes through on its way to, from and among the cloud provider's data centers.

For these reasons it's essential for a cloud-computing contract to identify the geographic region within which the data centers hosting your data, and potentially the headquarters of the cloud provider, may be located, and to address the cloud provider's obligations to keep your data in those regions. Otherwise, the overlaps and potential conflicts between the possible governing laws could make legal and data access compliance impossible.

Legal requests for data access

Our Commenting Policies
Consumerization of IT: Be in the know
consumer tech

Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!