Legal Battles Over Local Data: Why Your Cloud Location Matters

Image

March 1, 2023

cloud hosting spans the globe

Placing data in the cloud comes with a set of concerns — accessibility (will my information always be available if the cloud has technical problems?) and security (how safe is my data when I can’t control the security measures?) chief among them. Of these, security has long been the primary concern for technology decision makers considering the cloud.

Recent surveys reveal that while security remains top of mind, the location of data is rising in prominence as a barrier or concern for cloud adoption. These concerns stem in part from the difficulty of visibility into data transit and storage. Customers might want to know where exactly their data is residing so they can retrieve it quickly — and also for legal implications, which we’ll get into momentarily.

With many clouds, because of the way cloud storage works, data might be spread over several servers or storage arrays, and even between multiple data center facilities. This makes it hard for even the provider to identify exactly where data is stored.

But while transparent cloud service providers might be forthcoming with their infrastructure design details and maintain their security through a strong web of compliance standards and data security best practices, there remain legal entanglements to the storage of data in the cloud.

 

The Government is Even Less Transparent than CSPs

Cloud service providers (CSPs) are often companies that are notorious for their secrecy. Amazon, Google, and Microsoft do not want to reveal how their technology works for good reason: they want to maintain their market share and technological advantages. They’re beginning to see that some customers demand transparency, however, and in fact Google, Facebook, and others have posted detailed technical explanations of their in-house developments for hosting and data center design.

One player is not so forthcoming. The federal government wants access to data to help in ongoing investigations (and potentially for general surveillance, but we won’t go down a particularly political rabbit hole in this blog). State and local government organizations may also need access to cloud data. And if your company is embroiled in a legal issue, the courts may request access to information stored in the cloud.

Of course, things get difficult here for reasons we have already explained. If even the CSP doesn’t know where data is stored, who has jurisdiction over it? If the CSP is storing information in an offshore data center, does the United States government have the legal right to access it? What other laws from other countries might apply to your information?

Different countries have different data protection laws; each with their own set of requirements and prohibited behavior. Some may practice unfettered surveillance over data stored within their borders. In the United States, you may not even know if your information has been accessed by a government entity.