Cloud computing is the practice of enlisting a “cloud provider” to deliver data, applications and storage to users through the internet, which allows each user to share the computing resource and forego some on-premise technology. Cloud computing is generally categorized into three buckets. The cloud provider may:
- Host applications, thereby eliminating the need to install and run applications on users’ own computers or data centers (known as Software-as-a-Service, or SaaS).
- Host the hardware and software on its own infrastructure, thereby eliminating the need to install in-house hardware and software needed to develop or run a new application (known as Platform-as-a-Service or PaaS).
- Provide virtualized computing resources, thereby eliminating the need to install and run hardware, software, servers, storage or other infrastructure in the user’s own facility (known as Infrastructure-as-a-Service or IaaS).
Knowing Where Your Data is Stored is Mission-Critical
Don’t let the term “cloud” fool you into thinking that the information is not in a specific location. It is, and it’s important to know the exact geographic location of the server where your data will be stored, including any back-up locations.
First, your legal obligations relating to the information can completely change according to the geographic location of where your information is stored. For example, if the cloud provider sends your organization’s personally identifiable information (PII) to a server in the European Union, you will be subject to the ultra-strict privacy rules of the General Data Protection Regulation (GDPR), set to take effect in May 2018.
Second, your information may not be as secure if the privacy and security laws in the server’s location are not as protective as in the United States. Servers in India, for example, are subject to India’s Information Technology Act , which allows the Indian government to intercept and demand decryption of information with serious fines and/or imprisonment for non-compliance.
Third, with some countries’ data localization laws, you may be required to store certain information within a specific country, and you may be prevented from exporting it out of that country. Russia’s localization law, for example, requires a multinational organization to host data concerning Russian citizens only on a server in Russia, which may mean creating a new data center in Russia.
Depending on the type of information you are sharing, you may also have to comply with U.S. export control regulations. This is an especially important contract consideration for information relating to items classified as “dual use,” or technology with encryption functionalities that are subject to Export Administration Regulations. Storage of such information outside the United States may lead to serious sanctions if required licenses are not obtained.
Finally, in the event of a data breach, U.S. and foreign law enforcement agencies have broad rights to obtain subpoenas to information stored in the cloud. However, rules surrounding a data breach vary from country to country and even state to state — some states, for example, exempt organizations from disclosing a data breach if the data is encrypted, and the encryption key was not exposed.
While cloud computing offers many benefits to organizations, it also introduces its own legal obligations and risks, many of which are tied closely to the geographic location of the stored data. As such, organizations must work proactively to understand the particular data privacy regulations applicable to their cloud computing arrangement. This due diligence will help organizations determine if they should engage with a cloud vendor or continue to store their data on-site.