Recently, I was featured on Forbes, discussing a topic that is top of mind for companies operating in the cloud and across geographical boundaries – namely, conflicting laws and regulations with regards to data access, sharing and location.
Here is the issue, in brief:
- European law imposes strict sanctions against data breaches and requires notifications to be sent if any data is shared with a third party
- U.S. law requires U.S. companies and their subsidiaries to hand over data at the U.S. government's request, regardless of whether the company is located in the States, but forbids such data sharing from being revealed to a third party
- Therefore, a U.S. cloud provider controlling data in Europe must comply with EU data protection and notification laws, but is also subject to the U.S. Patriot Act requirements, which directly conflicts with EU law
So, is it inevitable that in such a situation one law or the other will be broken?
Outlined below are the various implications of location and control based on the information provided above. A check mark means the company could be subject to U.S. data requests or access, whereas the X means the company is not subject to any U.S. data requests or access other than requests made in the usual manner through local jurisdiction legal channels.
| Company Type | U.S. Location | European Location |
|---|---|---|
| Subsidiary of U.S. company | | |
From this, we can see that, within Europe, only using a non-U.S. company with a European data location ensures compliance with EU data protection and handling laws while the other instances are still in a sticky situation.
The CloudSigma Approach to Your Data
As a European company, CloudSigma has been dealing with the issues of data protection and the need for strict data location control and transparency from the very beginning. Our European cloud is operated and controlled by a Swiss AG, which is not subject to direct or indirect U.S. control. This allows us to comply with European data laws without issue and give assurances to our customers that using our cloud won't expose them to European legal issues.
Our U.S. cloud location was added in isolation, allowing customers to choose whether or not to place data in the U.S. without any implications for access to data held in our other location, in Switzerland. The U.S. cloud is owned and operated by a separate U.S. company.
Additionally, we've taken the approach with our cloud to keep customer data in the location they want. For example, if a customer places its data within our Swiss cloud, we don't copy their records or data outside of that location. Many customers want additional copies of their data, so we make it easy for them to move that data to other cloud locations. The action is explicit from the customer rather than implicit; we keep our customer in control of where their data is.
Finally, our system grants sole root/administrative access to our customers, so we do not have routine access inside customer cloud servers. This approach is distinct from many other public clouds where cloud servers can contain a 'false bottom' where true root/administrative access is actually retained by the cloud vendor, not the customer.
Having such an open, transparent approach is a sure way to avoid any legal implications of using a cloud provider based in another country. Not only does it ensure regulations are adhered to, but it keeps users in complete control of their data and access. As a public cloud provider, we consider such laws, regulations and restrictions from every angle, so that customers can feel confident using IaaS services without concern of legal ramifications.
My complete article from Forbes may be read here. What do you think; is this issue going to present a barrier to cloud adoption or will cloud providers have to find a way to comply with both sets of regulations?