Global cloud providers face a challenge technology can't fix

Global cloud providers face a challenge technology can't fix

New Zealand provider Catalyst has commissioned legal advice on the jurisdiction of data held in the cloud

Don Christie (Catalyst) - Photo: Kristina D.C. Hoeppner

Don Christie (Catalyst) - Photo: Kristina D.C. Hoeppner

Exactly who has legal jurisdiction over data held by international cloud services providers is complicated, unclear and untested and that poses a threat to data privacy, a new briefing says.

The briefing, produced by New Zealand cloud provider Catalyst Cloud, states that under US law, the US Government can require individuals and organisations to provide it with data they own or can access.

"There is uncertainty around the scope of this power, the extent to which it applies to data processed or held outside of the United States, and to data held by non-US individuals and organisations," the briefing, titled Data protection in the United States, states.

The problem for cloud and US companies is that they can't opt out of the jurisdiction of both the place where their data centres reside or the country in which they are based, says Catalyst managing director Don Christie.

There is also no technology fix for the problem.

"These are not technical problems and cannot be fixed with technology," Catalyst Cloud manager Bruno Lago added. "Cloud providers have amazing security controls and enable customers to do incredible things to secure their data.

"But, if legislation allows all these controls to be bypassed by a court order, they can all be rendered ineffective."

New Zealand's Privacy Commissioner John Edwards appears to be well aware of the issue. He recently made a voluntary submission in a long-running US case between Microsoft and the US Government over access to data held in Ireland. The case is to be heard before the US Supreme Court next year.

The new briefing outlines aspects of the legal context and case studies to illustrate how US laws are applied in practice.

It concludes that individuals and organisations concerned with the protection of their personal data from unjustified interference by the US Government can mitigate these concerns by hosting their data outside of the United States, with a non-US hosting provider.

Mainly analysing the implications of the Patriot Act and the Foreign Intelligence Surveillance Act, the briefing also cites other laws such as the Stored Communications Act and rule 41 of the Federal Rules of Criminal Procedure which could enable access to data held on US-owned cloud services even if stored outside the US.

Christie says there is not nearly enough good advice and due diligence about the topic.

"The GCIO in particular is taking an approach that 'Cloud First' subsumes all other concerns," he says. "I do wonder how their lack of concern will play out with the new government."

Meanwhile, Lago believes the law related to privacy and data sovereignty is still in flux.

"We wanted to understand if the Department of Justice or intelligence agencies from the United States could force a cloud provider to disclose customer data hosted in other jurisdictions, without collaboration with their local government," he says.

As a result, there are loopholes or ways to interpret these different Acts that potentially allows for data to be disclosed under the premise that a cloud provider has its headquarters in the US.

"The fact that some of these requests violate their terms of service, or completely bypass local privacy legislation is quite concerning," Lago adds.

"Until legislation catches up with the reality of digital services, I'd recommend organisations that have strong data sovereignty or data privacy concerns to keep their data onshore with local providers."

Christie says users should ask first whether public cloud is the answer because it may not always be the cheapest or best option. Then they need to explore whether a New Zealand option is fit for purpose.

"That way your customer and citizen data comes under New Zealand control," he adds. "There is no need to do anything else.

"If you do go further then you should have a duty to the people whose data you collect to follow the NZ Cloud Code of Practice."

Signatories of the code, such as Catalyst, have to disclose: the country the company providing the service is registered in; the governing law of the contract with the cloud customer; the jurisdiction where the data is stored, and; whether you are fully able to comply, or not, with the NZ Privacy Act.

However, for global cloud providers, signing up to myriad different local codes is not really an option.

"As a global provider of public cloud services it is not feasible for Microsoft to become a signatory to the NZ Cloud Computing Code of Practice," a Microsoft spokesperson told Reseller News in August.

"Even if it were, due to the existing privacy, security and compliance frameworks Microsoft already adheres to on a global basis, we do not believe becoming a signatory to the code would add any benefit to our customers."

In 2016, Microsoft president and chief legal officer Brad Smith testified that tech companies were increasingly ‘whipsawed’ in legal conflicts in which local authorities are seeking unilateral and extraterritorial warrants over data stored in the cloud.

Amazon Web Services did not respond to a request for comment.

From a local perspective, Christie says Datacom, Revera, Catalyst and other NZ-owned and based cloud providers have a compelling story to tell.

"We form a competitive market place that differentiates on capability, price, technology, intimacy and much more," he adds.

Follow Us

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags CloudSaaSMicrosoftGoogleamazonazureAWSCatalyst ITCatalyst Cloud



Leading female front runners of the Kiwi ICT industry honoured at 2019 WIICTA

Leading female front runners of the Kiwi ICT industry honoured at 2019 WIICTA

Reseller News has honoured the leading female front runners of the New Zealand ICT industry at the 2019 Women in ICT Awards (WIICTA) in Auckland. The awards recognised standout individuals across six categories, spanning Entrepreneur, Rising Star, Shining Star, Community, Technical and Achievement. Photos by Gino Demeer.

Leading female front runners of the Kiwi ICT industry honoured at 2019 WIICTA
Reseller News kicks off awards season in 2019 with Judges' Lunch

Reseller News kicks off awards season in 2019 with Judges' Lunch

The 2019 Reseller News Innovation Awards has kicked off with the Judges Lunch in Auckland with 70 judges in the voting panel. The awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors. Photos by Christine Wong.

Reseller News kicks off awards season in 2019 with Judges' Lunch
Reseller News welcomes industry figures for 2019 Hall of Fame lunch

Reseller News welcomes industry figures for 2019 Hall of Fame lunch

Reseller News welcomed 2018 inductees - Chris Simpson, Kendra Ross and Phill Patton - to the third running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing landscape of the technology industry in New Zealand, while outlining ways to attract a new breed of players to the ecosystem. Photos by Gino Demeer.

Reseller News welcomes industry figures for 2019 Hall of Fame lunch
Show Comments