3desc - Fotolia

Q
Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Is data sovereignty affected by my cloud provider’s location?

If your cloud provider stores your data outside of your country, does it mean you still need to follow local laws?

Much has been made of data sovereignty, who has jurisdiction over data stored by a cloud service provider. Many countries dictate that specific types of data must not leave the geographical boundaries of that country and are subject to that country's laws regarding governance.

Sounds pretty simple, right? If data lives in a specific country, then it is subject to that country's laws. But the matter isn’t simple at all. Data sovereignty was highlighted last year when U.S. federal courts determined that customer email data stored in a Microsoft data center located in Ireland is subject to U.S. law and must be turned over to authorities under subpoena.

The logic behind the decision is pretty simple -- since the data could be managed and accessed within the U.S., and Microsoft employees did not need to go to Ireland to get it, it is indeed subject to U.S. laws.

But the issue is not settled yet. Microsoft has not turned over the data and is appealing the ruling. Microsoft is claiming data sovereignty -- that the data is subject to the laws of the country where it is stored. Tech heavyweights like Cisco, eBay, Hewlett-Packard, Salesforce and Verizon have filed briefs in support of Microsoft’s position. And all the companies are pointing out that this U.S. ruling is in direct conflict with some European laws regarding restricting flow of data across geographic boundaries.

Time will tell where we land; however, if the U.S. courts uphold the ruling, cloud service providers could be in a significant quandary -- break European laws to comply with U.S. law, or break U.S. law to comply with European laws.

For now, it is important to understand that the laws regarding jurisdictional oversight of cloud data are not yet settled, and that your data may be subject to multiple (and conflicting) laws. If you have concerns over this, you have two options:

  • Store data on-site in the country where you are doing business and forego the cloud completely.
  • Look for a zero-knowledge solution in which the cloud service provider has no insight into the data at all, as customers manage the keys to their data.

It’s wise to ask about metadata encryption and handling, since many service providers that encrypt data and allow for customer-managed keys still hold keys to metadata to facilitate operations like sharing and management.

Next Steps

Customers claim Amazon data sovereignty assurances are muddled

Cloud Security Alliance says cloud privacy is a top issue for 2015

This was last published in March 2015

Dig Deeper on Public Cloud Storage

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

2 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

Are concerns regarding data sovereignty making you second-guess your use of cloud storage?
Cancel
Yep. The short answer to this question is, "Yes, but we don't know how yet, and it depends who's asking." Some of the legal cases that have come up around this are pretty darn scary in the unwarranted access some governments claim to have.

The problem is, there's not really a "Supreme Court of the World" to determine this. There's the Hague, but not all countries follow it.
Cancel

-ADS BY GOOGLE

SearchStorage

SearchSolidStateStorage

SearchAWS

SearchDisasterRecovery

SearchDataBackup

SearchSMBStorage

Close