Globalisation is now an accepted fact of life. Nobody these days is surprised to see Coca-Cola on sale in Chengdu or a Big Mac in Moscow. However, with the emergence of cloud technology and the growing trend for storing enterprise data in the cloud, globalisation has suddenly hit a major snag.
Latest figures show that over 90% of businesses worldwide have adopted some form of cloud technology. Data volumes are exploding. According to IDC, the amount of data on the planet is set to grow tenfold by 2020. This has huge cost and storage implications, especially for small and mid-range organisations. So it’s easy to see why outsourcing data – or indeed the provision and management of entire infrastructures – is becoming so popular.
Besides, the financial benefits of the cloud service model outweigh the costs. This is partly because the cloud enables the inexpensive provision of resources on a pay-as-you-use basis. But it also enables businesses to scale up and down as necessary, putting an end to the over-provisioning that leads to excess depreciation.
Yet this data is subject not only to the laws of the nation where it originated, but also to those of the nation hosting the server and to local laws. The whole question of data sovereignty is becoming a virtual battleground.
The cloud is such a relatively new development that it’s uncharted territory as far as the law is concerned. But the concept of data sovereignty is becoming entwined with the wider topic of data protection legislation, which applies to all data, whether in or out of the cloud.
Draft EU regulations on this issue are currently being finalised. These are designed to protect personal data and so will apply to any business or other organisation holding customer and/or personnel information.
But whatever the nature of data, the law is clear: the data ‘controller’ is responsible. The controller is the organisation that has collected and processed the data, the data owner in other words. Simply transferring this data to a cloud environment does not offload this responsibility. This has significant implications for businesses and other organisations outsourcing the storage and management of this data.
For example, many data centres run by the major cloud providers are in the US – and the US Patriot Act, passed by George Bush in 2001 post 9/11, is a much-quoted reason for caution. In short, this gives the US government the power to force US companies to reveal data on request.
Whether or not UK firms should be concerned is a matter of opinion. However, recent cases where US firms have been asked to hand over data stored in their European data centres (for example Microsoft in Ireland) have caused considerable unease. At the launch of Microsoft Office 365 in Europe in 2011, the managing director of Microsoft UK even went as far as admitting that he could not guarantee that data stored in its European data centres would not end up in the hands of the US government.
There is also a concern that rigorous data protection regulations such as those laid down in Germany will eventually lead to individual nations insisting that data originating within their borders should stay in the country. This could present a particular challenge because of the technical and cost implications of moving from one cloud provider to another.
Organisations are often eager to get into a cloud ‘relationship’ but few like to think about what is going to happen at its end. Yet a cloud provider might hand back data in an unworkable format at the end of the contract and be uncooperative about helping its former customer to migrate. Consequently, any future regulations of this kind could cause undue chaos and cost.
It’s clear that the ongoing migration to the cloud is inevitable and this is creating a growing sense of urgency about the need to address the thorny data sovereignty issue. Many are covering themselves by choosing a provider which guarantees that data will stay in the UK – preferably one with more than one centre in the country to ensure back-up.
But companies considering outsourcing their data should exercise caution when drawing up contracts, particularly bearing in mind that they will ultimately remain responsible for it wherever it is held. Tensions can arise when an organisation signs up for standard terms which in fact exclude all liabilities. For example, one major US cloud provider has a clause in its agreement which denies liability for any loss, leakage, corruption or damage to data. The data ‘controller’ or owner is still responsible, but is now in a vulnerable position as, in reality, they have no control at all.
Although a year or two is a long time in technology, it hasn’t been long enough for all these issues surrounding the cloud to be worked out. Outsourcing data and functions such as infrastructure management to a cloud provider can provide multiple benefits and make the difference between mere survival and proactive growth to a business. However, for this to happen it is vital that the relationship between provider and customer is one of trust and cooperation.