19/09/2011

By David Terrar, CEO of D2C Limited, Co-founder of Cloud Advocates

With all of the discussion around the 10-year anniversary of the September 11 (9/11) attacks, one of the consequences of that event highlights the cultural divide between the USA and Europe on data protection. It's important because when you are carrying out your due diligence in buying any Cloud software, platform or infrastructure service, you should be checking how and where the provider will be storing your data, and how you will comply with legislation like the Data Protection Act.

Here in the UK, if your systems handle personal information about individuals, you have a number of legal obligations to protect that information under the Data Protection Act 1998. That UK law was enacted to fall in line with the European Directive of 1995 which required EU Member States to protect people's fundamental rights and freedoms. In particular it protects their right to privacy including how that personal data is processed. With a Cloud service you have to ask the question - where is my data? That becomes important when you check the Information Commissioner's website which tells you:

"You may transfer personal data to countries within the European Economic Area on the same basis as you may transfer it within the UK. However, you may only send it to a country or territory outside the European Economic Area if that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to processing personal data."

So in the EU we're all about regulation and compliance protecting the rights of the individual. In the USA things are different. The attitude to data is governed more by market forces, along with the heightened attention on security issues arising out of those attacks 10 years ago. Those attacks resulted in "The Patriot Act" or, to give its full title, the "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001". It dramatically reduced restrictions on the various US law enforcement agencies in their ability to search telephone and e-mail communications and medical, financial, and other records, including foreign intelligence gathering within the United States. It expanded the Secretary of the Treasury’s authority to regulate financial transactions, particularly those involving foreign individuals and entities, and broadened the discretion of law enforcement and immigration authorities. The result is that any data stored in the US can be handed over to the US government without so much as a court order. But what about US companies operating over here?

I know this is a hot topic with John Paterson, CEO of Europe's most successful Cloud-based CRM provider, Really Simple Systems. He told me:

"There is already enough confusion over whether UK companies are complying with EC data laws by storing their data on servers in the USA, even with companies who say that they comply with "Safe Harbor", an unregulated and fairly meaningless cop-out. But does the Patriot Act make Safe Harbor totally redundant? Nobody knows for sure, but it is safe to assume that US authorities won't be shy in assuming that the Patriot Act overrules any EC law."

The Safe Harbor John mentions is a framework under which US companies can self-certify that they comply with the obligations under EU data protection regulations. The framework allows for the sharing of data between the EU and self-certified US companies under certain restrictions, such as the promise of reasonable data security and informing the EU of any request for access to the data in question.

John's fears have been corroborated by two major US corporations. Back in June at the Office 365 launch, Gordon Frazer, managing director of Microsoft UK, gave the first admission that data stored in their Cloud, regardless of where it is in the world, is not protected from the Patriot Act. Earlier this month Google also confirmed to Germany's WirtschaftsWoche that their servers in Europe have no protection from it.

This highlights the need for Cloud providers to be transparent about the supply chain that underpins their service. As a buyer you need to go in with your eyes open and check how and where your data is stored, consider the data protection implications and decide your own position on The Patriot Act. This is a big topic that, up to now, hasn't got the attention it deserves.

David Terrar is a consultant and software developer who specialises in the use of Cloud applications and social media in business. He is a co-founder of Cloud Advocates, an association of consultants who aim to demystify the Cloud and provide pragmatic help and advice for businesses, organisations and accounting practices. To find out more, visit cloudadvocates.com
