An article in Gigaom lists some of the geographical issues you might want to consideration when choosing a Cloud service provider. The focus of the article is on technical issues – latency and redundancy – and how locating data centers in different countries might affect the significance of those issues.
What about data location and the law?
Although it’s not really called one, there is a reference in the article to one legal issue. Specifically, the article states:
Data protection: Different types of data have different locality requirements, e.g. requiring personal data to remain within the EU.
That is true. Bringing your data across a border might be a privacy law problem.
But there are others of course. Export control regulation is a particularly important example. (We touched on this in a post here at Big Data and the Law when we talked about the guy who made guns by printing them.)
Export Control – the Basics
The essential thing is that, under U.S. law, some data can’t be exported from the U.S. without the permission of the U.S. government. U.S. law also provides that some data can’t be moved outside the U.S. at all, and pretty nothing can be moved to certain countries.
Certainly not all data gives you an export control problem, and not all export destinations give you an export control problem. You’re probably OK moving your data to Canada. (That’s probably – not definitely. See disclaimer of legal advice.) Don’t plan to send anything to North Korea though.
The application of U.S. export control is complicated in some cases and a little counter-intuitive in some cases as well. For example, sometimes you can have a U.S. export control problem with data you bring into the country and then move it out again. That’s right. You can receive data from someone who is outside the U.S. and not be permitted to send the same data back to the same person you got it from. This has been an issue with encryption technology.
While we’re at it, you should know that under export control law location isn’t just a question of geography. Location also means a place where certain people have access to your data. Even if your data is located in a nice secure facility in the United States, you have a potential problem if people who are not U.S. citizens can access your data in that nice secure facility in the United States.
Export Control and the Cloud
There are two basic facts you need to know to determine whether, in your case, moving your data to the Cloud is a problem under U.S. export control regulations. What is the data that you’re putting in the Cloud and where is the data is going to be stored?
Easier said than known.
Your first problem is – how do you know where your data is going? Unless you get a commitment from the service provider to keep your data in the countries you designate you don’t know. Vendors have their reasons for choosing where they locate their data centers and those reasons might not be consistent with your expectations or assumptions.
You also have the problem of change.
For starters, in all likelihood the substance of your data will change. Today’s data might not present you with an export control problem but tomorrow’s data might be a different matter entirely. Yet another reason for good data management practices.
Your data might get moved – or replicated to systems in other data centers, that might be for disaster recovery purposes, archiving or other reasons. Those new places might be in places the law doesn’t want that data to be – and don’t forget the thing about who has access to your data.
Export Control – the Risks
A number of different things can happen to you if you violate U.S. export control law. You can be fined. You can be barred from doing business with the U.S. government. And you can be sent to prison. Here’s an example of a criminal prosecution from the U.S. Department of Justice March, 2014 Summary of Major U.S. Export Enforcement, Economic Espionage, Trade Secret and Embargo-Related Criminal Cases:
Hwa obtained contracts to supply circuit boards to the U.S. Navy, by falsely claiming the boards would be manufactured in the United States. Instead, Hwa illegally sent restricted information to a company in Taiwan for the boards to be manufactured there.
Export Control in Other Countries
Finally, don’t assume that the United States is the only country with export control law. Among others, the Federal Republic of Germany does. You can find some information about that here in the 2013 Brief Outline on Export Controls prepared by the Bundesamt für Wirtschaft und Ausfuhrkontrolle. Note this snippet from that document:
The provision of software and technology in the companies’ intranets or in the internet is also subject to licensing if the access to software and technology is possible from third states. Please note that a licensing requirement does not presuppose that the access took place or not.
Very much like U.S. export control law.
You can find links to the export control laws of other countries here at the U.S. Department of State website.