3desc - Fotolia

Is data sovereignty affected by my cloud provider’s location?

If your cloud provider stores your data outside of your country, does it mean you still need to follow local laws?

Much has been made of data sovereignty, who has jurisdiction over data stored by a cloud service provider. Many countries dictate that specific types of data must not leave the geographical boundaries of that country and are subject to that country's laws regarding governance.

Sounds pretty simple, right? If data lives in a specific country, then it is subject to that country's laws. But the matter isn’t simple at all. Data sovereignty was highlighted last year when U.S. federal courts determined that customer email data stored in a Microsoft data center located in Ireland is subject to U.S. law and must be turned over to authorities under subpoena.

The logic behind the decision is pretty simple -- since the data could be managed and accessed within the U.S., and Microsoft employees did not need to go to Ireland to get it, it is indeed subject to U.S. laws.

But the issue is not settled yet. Microsoft has not turned over the data and is appealing the ruling. Microsoft is claiming data sovereignty -- that the data is subject to the laws of the country where it is stored. Tech heavyweights like Cisco, eBay, Hewlett-Packard, Salesforce and Verizon have filed briefs in support of Microsoft’s position. And all the companies are pointing out that this U.S. ruling is in direct conflict with some European laws regarding restricting flow of data across geographic boundaries.

Time will tell where we land; however, if the U.S. courts uphold the ruling, cloud service providers could be in a significant quandary -- break European laws to comply with U.S. law, or break U.S. law to comply with European laws.

For now, it is important to understand that the laws regarding jurisdictional oversight of cloud data are not yet settled, and that your data may be subject to multiple (and conflicting) laws. If you have concerns over this, you have two options:

  • Store data on-site in the country where you are doing business and forego the cloud completely.
  • Look for a zero-knowledge solution in which the cloud service provider has no insight into the data at all, as customers manage the keys to their data.

It’s wise to ask about metadata encryption and handling, since many service providers that encrypt data and allow for customer-managed keys still hold keys to metadata to facilitate operations like sharing and management.

Next Steps

Customers claim Amazon data sovereignty assurances are muddled

Cloud Security Alliance says cloud privacy is a top issue for 2015

Dig Deeper on Public cloud storage