Can the Cloud Catalyze Change in International Data Laws?


Despite imagery of the cloud as a global collection of servers in the sky, among which data and applications move freely, the truth is that cloud computing is far more down to earth and far more localized. As a new GigaOM Pro report explains (sub. req’d), most cloud providers house services in only a few geographically distributed data centers, and national or continental data storage regulations can limit how – and if – organizations move their operations to the cloud. A question that could affect the ultimate scope of cloud adoption is whether legislation can be passed that takes into account the economic and technological realities of a cloud-based world.

As the report makes clear, European data protection laws are particularly tough, making it difficult for Europeans to use cloud services, which are largely U.S.-based. In the meantime, different data retention times in different EU countries make intra-continental cloud use a challenge (presently, for example, Amazon Web Services has an Availability Zone only in Ireland, and Microsoft will offer Azure zones in Ireland and the Netherlands). European organizations considering cloud computing need to figure out whether the data involved limits their choice in cloud providers or precludes the move entirely.

The good news for supporters of a truly global cloud is that efforts are underway that could change the way governments view cloud data. Microsoft, for example, has been actively lobbying the United States to pass laws protecting sensitive data in the cloud, and lobbying the EU to relax its data transportation laws. Certainly, strict laws in the U.S. would make it much easier to convince Europe to loosen up. On the compliance front, security guru Christopher Hoff is pushing the A6 audit, which is designed specifically for cloud environments and could assuage governments concerned about differing security protocols among different providers. And as the report notes, there are technological advances that could enable the application of different security policies depending on geographical location.

It’s possible, of course, that no new laws ever get passed, rendering certain applications and data unfit for the cloud. But in light of the love shown for cloud computing by governments on both sides of the pond, I’m betting on progress sooner rather than later.

Image courtesy of Flickr user jivedanson.


Aidan Finn

The efforts of American cloud operators to locate data centres in Europe make little difference legally. As far as the Patriot Act is concerned, location is irrelevant. They are American data centres, whether they be in Dublin, Ireland or in Illinois, USA.

There are certain local laws that will preclude certain types of data being stored in those data centres. It makes me laugh sometimes; two customers were at a launch event for one of these services last week to show off their wares. Their data, strictly speaking, was being illegally stored. Their selection of storing in this country only made no difference. The data centre is American owned and subject to the Patriot Act. Push the salesmen for said data centre hard enough and they will admit that.

Sajai Krishnan, CEO, ParaScale

From a cloud storage vendor perspective, I am not sure the regulation will move quickly enough or far enough. And from the EU perspective one can see some of the logic as to why a country may want to enforce its own privacy laws (what happens if data is in another country and a subpoena results in your data getting pulled because it happened to be on the same physical server as some other “target data”). IMHO, vendors just need to be able to tag data, and respect where and how it can flow in a global cloud. There are other operational and efficiency reasons too for this sort of geo-tagging. Watch this space in the near future :-)

Paul Miller


That’s certainly a valid point on existing provisions for transfer of data outside the EU. The original piece, to which Derrick refers, does talk about Safe Harbor provisions, for example.

I’m not sure that Derrick’s points necessarily contradict your “A UK citizen will expect their data to be stored in accordance with UK laws, regardless of where it is physically held.” Harriet Pearson, Chief Privacy Officer at IBM, makes a broadly similar case in the longer piece, suggesting that the laws of the data owner could apply, regardless of where any server is physically located.

Picking up on Derrick’s point about Government interest, it was certainly refreshing to see the UK Government this week suggest that public sector data associated with the new Government Cloud might be stored or processed overseas. With appropriate protections and legal agreements in place, Nevada is no riskier than Swindon.

Ross Hall

The EU data protection laws already allow for data to be transferred outside of the EU into other territories.

Microsoft’s position makes little sense. A UK citizen will expect their data to be stored in accordance with UK laws, regardless of where it is physically held. And a UK business will expect appropriate protection too.

If I do something wrong my customer has 3 years to bring a case against me – I don’t want that vital cloud held data to be deleted after a year! And if I’m selling certain financial instruments I’ll need it stored forever.

Privacy laws are there for a reason – if Microsoft etc want to play in the EU they’re going to need to play by our laws.
