Data Residency and Legal Questions About the Cloud

With the official Microsoft Office 365 launch last week, and all its related build-up and hoopla, I've been speaking with a lot of cloud vendors lately. Naturally, everyone wants to share what they can do to help customers who plan to adopt Microsoft's cloud-based collaborations suite that features Exchange Online, SharePoint Online, and Office Web Apps, among other features. However, one topic that continues to surface around cloud solutions such as Office 365 is growing legislation that mandates where data can be stored.

Perhaps the best-known example of this type of requirement comes from Canada where, in reaction to the US Patriot Act, Canadian companies are forbidden to use cloud services that store data on US soil. Basically, Canada and other governments that enact such legislation are trying to protect their citizens by ensuring that data about their citizens is stored where that particular government body has legal control over what happens to the data. So, the Canadian government doesn't want its citizens' data to be seized as a result of provisions of the Patriot Act if it happens to reside in a data center in the United States.

I spoke specifically about this issue of data residency with Martin Tuip, an Exchange and messaging expert with information management services company, Iron Mountain. "Countries will adopt these laws and regulations to protect their citizens," Tuip said. "Certain types of data must be stored where governments have legal jurisdiction over it, which technically means within its borders." Tuip pointed out European legislation as well as recent laws passed in US states such as Massachusetts and Nevada as the possible start of a trend down this more restrictive road.

The question that arises, if this trend continues, is what effect will it have on adoption of cloud computing overall, and specifically on adoption of hosted messaging and collaboration services which rely on storing personal data? Rami Habal, director of product marketing for email security vendor Proofpoint, said, "Data residency, the issue around where I store my data, is extremely important, especially for multinationals with geographically dispersed offices in different jurisdictions." Habal was quick to point out that Proofpoint customers are able to choose the specific data center where their data is stored; many other cloud vendors have told me the same thing (although I haven't heard this said about Office 365).

But what if the vendor doesn't have a data center in the correct political geography? "I think encryption technology will play a part of that, and encryption architecture," Habal said. "If the customer has the key, and the data is stored encrypted, even outside the country in question, is that good enough? Will those types of issues start challenging people's notions of data residency as well?" In fact, encryption is already recognized in the case of the Nevada law:

A data collector doing business in this State . . . shall not:
(a) Transfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission; or
(b) Move any data storage device containing personal information beyond the logical or physical controls of the data collector or its data storage contractor unless the data collector uses encryption to ensure the security of the information.
(http://www.paulmudgett.com/resources/Nevada_Data_Security_Law.pdf)

So, if encryption is considered "good enough" to allow data storage outside geographic boundaries, perhaps companies have nothing to worry about if they want to move to cloud computing. However, what about where encryption isn't specified as acceptable? And what about the passage of future laws that could change or reverse practices companies depend on today? No one wants to implement a major business system such as hosted messaging only to find out six months later that their government has just enacted legislation that will require them to change back to an on-premises system.

Nick Mehta, CEO for LiveOffice, told me about one way the US federal government is trying to avoid just such a situation from occurring. Under the direction of federal CIO Vivek Kundra, TechAmerica Foundation has formed the Commission on the Leadership Opportunity in US Deployment of the Cloud (CLOUD 2). The commission consists of thought leaders from business, government, and academia, with the intent to help shape US policy concerning the cloud. "The goal was to make American government policy friendly to cloud computing adoption," said Mehta, who's a member of the commission. "It's very possible for the government to come up with rules that actually make it hard to go to the cloud. But the government is actively thinking about how to make it easy to go to the cloud."

I'm probably as suspicious and untrusting of government in general as anyone—apart, maybe, from Agent Mulder—but I think this sounds like a good step. It remains to be seen what specific recommendations CLOUD 2 will come up with, and whether the administration will follow them. This group also doesn't directly address any group other than the federal government, although if the results are positive and meaningful, perhaps other government bodies might look into adopting them as well.

In addition, showing a commitment to cloud computing, Kundra (who recently announced that he'd be leaving his post as federal CIO in August) instituted a policy known as "cloud first" whereby government agencies are required to investigate the feasibility of cloud deployments of any new technology deployments and are also being asked, as part of a general cost-cutting measure, to move some current systems to cloud models if appropriate. "I think that the fact that they're doing that is going to be a pretty good leading indicator for the rest of the industry," Mehta said. "Because if the federal government can do it, I think a lot of regular businesses can do it as well."

Although problems related to data residency aren't going to disappear overnight, at least they're being addressed. These issues will only become greater as we create more data, which therefore requires more storage. As Tuip said, "It has become so socially unacceptable that digital data gets lost. We cry foul. But it's going to be inevitable. It's human nature. And yet we rely on technology that's not foolproof." Of course, losing data—and cloud systems' ability to preserve viable data over long periods of time, as also required by certain compliance regulations—moves into another discussion altogether, which perhaps I'll save for another time.

In the meantime, let me know what you think about data residency restrictions, cloud computing, and the possibilities of your organization moving messaging to the cloud.

Follow B. K. Winstead on Twitter at @bkwins
Follow Windows IT Pro on Twitter at @windowsitpro


Comments (4)

Anonymous
on Jul 8, 2011
The part about Canada is wrong. There is no law saying we can't have data outside the country. There is a lot of confusion around it though.
Anonymous
on Jul 8, 2011
In the UK it's an offence to withhold encryption keys from the authorities, so perhaps that could be creating another problem rather than removing one.
Anonymous
on Jul 8, 2011
I tried very hard 2 years ago to find a hosting company in Canada that also had its servers physically in Canada. I was able to find only one and now they've decided to close down their Canadian data centres and migrate all their customers to a data centre in Boston. I did not try to find a Canadian host again because of the difficulty I had before. Do you have any suggestions of companies that have their servers here in Canada and that can provide web hosting at a reasonable price?
on Jul 18, 2011
Yes, it does appear I was repeating information about Canadian regulations that I'd read and been told numerous times, but that in fact does not appear to be the whole truth--that is, there is no Canadian regulation forbidding Canadian businesses from storing data in US data centers. Canada does have stiff privacy laws related to electronic data, which has led to uncertainty about whether companies can or should be concerned about using data centers that could be subject to provisions of the USA Patriot Act; however, provided companies are aware of the requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) and follow them, they shouldn't have problems using data centers outside Canadian borders. Keep in mind that certain business segments and government entities could have stricter requirements when it comes to hosted data. As for the question about Canadian-based hosters, I'm not familiar with any that I could recommend. However, if the only reason for looking for such a hoster is the legal question of data residency, it could be that's not an issue after all. I'm not a legal expert, of course, but you should certainly consult the appropriate legal guides for your area.
B. K. Winstead, Windows IT Pro
