Data Jurisdiction in the Cloud: The Patriot Act Fear Factor
Cloud computing has gained popularity over the years and is now fast approaching a global scale as hedge funds around the world leverage this innovative technology to help improve efficiency and cut costs. However, cloud computing raises unique data regulation and jurisdiction considerations as cloud environments span multiple geographic locations and data is not tied to one physical location. In today’s article we will look at data regulation and jurisdiction considerations for UK companies utilising US headquartered cloud providers.
Many cloud service providers are increasingly serving customers outside their home markets and using service delivery models that require the transmission of data across borders. This has led to a great deal of fear about the rights of access granted under the USA PATRIOT Act and how far those rights extend geographically.
Beyond the US, in December 2011 the European Commission published the results of its cloud computing consultation, which showed a lack of understanding of the EU legal framework within which cloud computing should be implemented. It also signalled that there is still a widespread need for clarification on rights, responsibilities, data protection and liability in the cloud, especially in cross-border situations.
The US Fear Factor
The fear surrounding the USA PATRIOT Act is not only that the US government can access data within its territory but also that it can retrieve data from outside its jurisdiction. Former Microsoft UK managing director Gordon Frazer said that he could not guarantee that data stored on Microsoft servers, wherever located, would not end up in the hands of the US government, because Microsoft, a company based in the United States, is subject to US laws, including the USA PATRIOT Act.
However, attorneys are now speaking out to say that this fear is misguided and overblown. According to a presentation by Andrew Lipman, senior partner with Bingham, there is a relatively low risk to cloud service users that the US government would choose to use the USA PATRIOT Act to obtain records sought for an investigation. He argued that the USA PATRIOT Act does not provide unfettered access to data and is in fact a cumbersome process for the FBI, which makes the likelihood of this happening statistically fairly modest.
According to attorneys interviewed by Law360.com, “the intensive focus on the Patriot Act may be misplaced, however, as many governments, including those in Europe, have similar laws allowing the seizure of data for the purpose of fighting terrorism and other crimes.”
Adhering to the UK Data Protection Act
A more important consideration for a UK company, in all likelihood, is to ensure that a cloud provider adheres to the Data Protection Act 1998 (the Act), which is a “United Kingdom Act of Parliament which defines UK law on the processing of data on identifiable living people.” Firms considering deploying cloud computing will need to ensure that the cloud computing services comply with the Act.
Most cloud computing relationships are complex and involve the transfer of data across multiple jurisdictions. In order to benefit from optimised use of infrastructure and resources, cloud computing assumes that data will be moved geographically. Therefore it would be rare to see a contract for cloud computing where the customer is guaranteed that their data would not be transferred outside a specified country or region.
Under the Act, transfers of personal data outside the European Economic Area (the EEA, which comprises all countries in the European Union together with Iceland, Liechtenstein and Norway) are prohibited unless adequate protection is shown. Therefore, where a cloud computing service is provided entirely within the EEA there will be no issue. Equally, if the service is provided only within the approved jurisdictions (i.e. Argentina, Guernsey, the Isle of Man, Jersey and Switzerland, together with Canada and the USA in certain circumstances), there will be no data protection issue.
However, these scenarios are unlikely. In reality, the customer will need to address a situation where the personal data may be sent to any number of servers in any number of jurisdictions worldwide.
Hedge funds should consider consulting legal counsel in their home country, in any jurisdiction where their data may be stored, and in any jurisdiction where their cloud service provider does business, and should closely review their cloud services contracts. Also, be sure to confirm that a private cloud provider is accredited under a safe harbour agreement.
Final Thought & Product Plug
“Companies should not allow one law to drive them away from an otherwise attractive U.S.-based cloud service provider. Companies need to consider other factors, such as the security of the provider's services, or potential production issues arising from discovery,” said attorneys interviewed by Law360.com.
And on that note… Eze Castle Integration’s Eze Private Cloud supports clients across the United States and England. We regularly work with clients to ensure their data is protected in a manner that meets local regulations. Learn more about our Eze Private Cloud services here.