It might seem like a silly question. The cloud is…the cloud. The data could be anywhere. That’s the whole point -- the cloud adds value by, among other things, putting the data in various places so it isn’t as vulnerable and is accessible anywhere.
But increasingly, the physical location of the infrastructure housing data in the public cloud is becoming an issue, particularly regarding government having access to your data -- perhaps even without a warrant. This is especially true if you’re a multi-national corporation. It's called data sovereignty.
Thanks to laws such as the so-called PATRIOT Act in the U.S., the U.S. government is maintaining that it has the right -- under the aegis of national security -- to look at data in the public cloud that resides on infrastructure stored within the U.S.
Consequently, a number of companies have started writing clauses into their contracts with cloud providers that their data cannot be stored in infrastructure on U.S. soil, because they are concerned about this. Alternatively, some multinational companies that want their data stored worldwide are setting up their own private data centers -- which adds complexity and defeats the purpose of having the cloud in the first place.
Even figuring out which countries’ laws should apply can be complex. “When the customer is a private sector company, the transition to cloud storage and processing services creates difficult jurisdictional issues,” writes Michael Chertoff of Chertoff Group. “Whose law is to be applied? The law of the country where the customer created the data? The law of the country (or several countries) where the server(s) are maintained? Or the law of the home country where the data storage provider is headquartered? Or all of the above?”
One might argue, well, unless they’ve got something to hide, what’s the problem? But even a company that does everything aboveboard might not want a foreign government poking its nose into its business. Moreover, American access to some European data may violate European data privacy laws.
In addition, some other countries, such as Australia, have their own laws regarding the ability to search data on regional infrastructure, and some are saying that those laws can be even more draconian than those of the U.S.
With the possible exception of Iceland, which said it specifically would help store data safely for journalists such as Wikileaks, we haven’t seen a data “Switzerland,” which refuses to provide personal information to anyone, spring up. It seems a logical next step.” (And who knows – Switzerland itself may become the “data Switzerland.”) There are also various efforts underway to define data centers in some legal way that will reduce this problem. In the meantime, though, it’s an issue to be aware of.
Of course, in an age of terrorism, we want to make sure our citizens stay safe. But as Ben Franklin would say, those who give up liberty for security deserve neither. If every company feels the need to Balkanize its data to protect it from foreign governments, we will miss out on much of the synergy and innovation that has made the Internet so valuable.
