Exactly who has legal jurisdiction over data held by international cloud services providers is complicated, unclear and untested and that poses a threat to data privacy, a new briefing says.
The briefing, produced by New Zealand cloud provider Catalyst Cloud, states that under US law, the US Government can require individuals and organisations to provide it with data they own or can access.
"There is uncertainty around the scope of this power, the extent to which it applies to data processed or held outside of the United States, and to data held by non-US individuals and organisations," the briefing, titled Data protection in the United States, states.
The problem for cloud and US companies is that they can't opt out of the jurisdiction of both the place where their data centres reside or the country in which they are based, says Catalyst managing director Don Christie.
There is also no technology fix for the problem.
"These are not technical problems and cannot be fixed with technology," Catalyst Cloud manager Bruno Lago added. "Cloud providers have amazing security controls and enable customers to do incredible things to secure their data.
"But, if legislation allows all these controls to be bypassed by a court order, they can all be rendered ineffective."
New Zealand's Privacy Commissioner John Edwards appears to be well aware of the issue. He recently made a voluntary submission in a long-running US case between Microsoft and the US Government over access to data held in Ireland. The case is to be heard before the US Supreme Court next year.
The new briefing outlines aspects of the legal context and case studies to illustrate how US laws are applied in practice.
It concludes that individuals and organisations concerned with the protection of their personal data from unjustified interference by the US Government can mitigate these concerns by hosting their data outside of the United States, with a non-US hosting provider.
Mainly analysing the implications of the Patriot Act and the Foreign Intelligence Surveillance Act, the briefing also cites other laws such as the Stored Communications Act and rule 41 of the Federal Rules of Criminal Procedure which could enable access to data held on US-owned cloud services even if stored outside the US.
Christie says there is not nearly enough good advice and due diligence about the topic.
"The GCIO in particular is taking an approach that 'Cloud First' subsumes all other concerns," he says. "I do wonder how their lack of concern will play out with the new government."
Meanwhile, Lago believes the law related to privacy and data sovereignty is still in flux.
"We wanted to understand if the Department of Justice or intelligence agencies from the United States could force a cloud provider to disclose customer data hosted in other jurisdictions, without collaboration with their local government," he says.
As a result, there are loopholes or ways to interpret these different Acts that potentially allows for data to be disclosed under the premise that a cloud provider has its headquarters in the US.
"The fact that some of these requests violate their terms of service, or completely bypass local privacy legislation is quite concerning," Lago adds.
"Until legislation catches up with the reality of digital services, I'd recommend organisations that have strong data sovereignty or data privacy concerns to keep their data onshore with local providers."
Christie says users should ask first whether public cloud is the answer because it may not always be the cheapest or best option. Then they need to explore whether a New Zealand option is fit for purpose.
"That way your customer and citizen data comes under New Zealand control," he adds. "There is no need to do anything else.
"If you do go further then you should have a duty to the people whose data you collect to follow the NZ Cloud Code of Practice."
Signatories of the code, such as Catalyst, have to disclose: the country the company providing the service is registered in; the governing law of the contract with the cloud customer; the jurisdiction where the data is stored, and; whether you are fully able to comply, or not, with the NZ Privacy Act.
However, for global cloud providers, signing up to myriad different local codes is not really an option.
"As a global provider of public cloud services it is not feasible for Microsoft to become a signatory to the NZ Cloud Computing Code of Practice," a Microsoft spokesperson told Reseller News in August.
"Even if it were, due to the existing privacy, security and compliance frameworks Microsoft already adheres to on a global basis, we do not believe becoming a signatory to the code would add any benefit to our customers."
In 2016, Microsoft president and chief legal officer Brad Smith testified that tech companies were increasingly ‘whipsawed’ in legal conflicts in which local authorities are seeking unilateral and extraterritorial warrants over data stored in the cloud.
Amazon Web Services did not respond to a request for comment.
From a local perspective, Christie says Datacom, Revera, Catalyst and other NZ-owned and based cloud providers have a compelling story to tell.
"We form a competitive market place that differentiates on capability, price, technology, intimacy and much more," he adds.