The potential benefits of moving applications and data into the cloud are well known, but there is also an elephant in the room: When you move to the cloud you enter a huge legal gray area, a minefield with privacy and legal implications not fully understood by anybody.
That's the view of Debra Logan, a Gartner Research vice president. She said one of the fundamental problems companies face when they put data in the cloud is they may have no control over where the data ends up being stored, and laws and regulations concerning data are different in the United States, the United Kingdom, Europe, and the rest of the world. "A key question then is what relevant laws and statutes do companies need to be mindful of?" Logan said at the Gartner Information Security Summit held in London in mid-September.
"This is not an area you can go to your legal department and get advice about. But storing data in the cloud does not alter your legal obligation to retain, manage and produce it. It's your data, and you are still responsible for it."
On the face of it, the fact that data stored in the cloud could end up on a disk in another country with different laws doesn't sound like it should necessarily be a problem if it wasn't for one small fact: There's significant cross-border legal conflict between countries that have a legal system based on Common Law the United States, the United Kingdom, Canada, and other most other Commonwealth countries and what we'll call non-Common Law countries, which effectively means European countries and most of the rest of the world.
Litigants in Common Law countries can force discovery of information, while in non-Common Law countries, there is a tendency toward privacy protection and non-disclosure of personally identifiable information flowing from instruments, such as the European Convention on Human Rights and the EU Directive on Data Protection. Depending on which jurisdiction your data is in, Logan said any of the following may apply during legal action:
- You must disclose information relevant to the case
- You must disclose even information that can lead to relevant information
- There is no formal discovery process
- You must not disclose information
Clearly, a problem arises when, say, a court in the United States requires you to produce certain data, but a blocking statute in France prevents you from producing that data. But how likely is it that the U.S. courts will require you to produce data from overseas? In general, Logan said the U.S. court will look at five factors:
- Importance to the litigation of the documents requested
- Degree of specificity
- Whether information originated in the United States
- Whether alternative means are available
- Whether noncompliance undermines important country interests
If you do opt for the cloud and are required to produce data by the U.S. courts, you could be faced with a choice between disclosing information to U.S. authorities that you shouldn't under European (or other) law and getting fined there, or not disclosing information to the U.S. authorities and facing sanctions here.
On a business level you are faced with choosing between possible significant cost savings from cloud computing accompanied by various legal uncertainty risks on the one hand, or legal certainty accompanied by higher costs on the other. There's no doubt that if corporate lawyers had their way, all your data would reside in the United States, in your own corporate data center, whereas from a pure cost perspective, that data should probably be moved to the cloud. "You need to do a risk assessment," Logan advised.
When there is little chance of litigation, cost can come first, but if you are expecting an investigation or review, you'll probably want to keep you data close by.
In practice, then, what can you do to start to overcome these problems and mitigate the risks if you are looking to move applications and data into the cloud? Logan has four take-away recommendations:
- Raise awareness of cross-border issues with legal and compliance officers, understanding that you may know more about it than they do.
- Do not allow cost considerations to trump legal ones.
- Take outside legal advice if necessary.
- Make suppliers prove contractually that they understand cross-border issues.
She also pointed out that one way to minimize disclosure problems with data is to make sure you delete what you no longer need. Information retention expertise is therefore likely to be a key differentiator among cloud storage providers. And for companies at particularly high risk of encountering disclosure problems multinational companies and those in highly regulated sectors, for example she suggests private cloud computing. Although it does not offer the same potential cost savings as true cloud computing, it may be the logical step.
These issues are still young as far as the law is concerned it's almost universally true that the law moves more slowly than technology and frameworks for cross border discovery conflicts are still under development. For the moment it's wise to bare in mind that along with the cost benefits of cloud computing come legal uncertainties, and with that, inevitably, comes business risk.
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.