The cloud is growing at a phenomenal rate. Management loves the cloud due to its reduced CapEx. IT loves the cloud because its elasticity and agility, while users love it because their apps and data are always there in standardized format. The cloud is pure simplicity.
Except when it comes to issues such as data sovereignty. The cloud is a borderless nebulous entity in which location is legacy that can make things messy really quick in a physical world that is distinguished by governing borders. For example, a Japanese company has an office in the United States and uses Microsoft Azure as their cloud provider which stores their files in a datacenter in Ireland. What countries have governing power over that data? This haziness can open a nebulous debate, and where there is vagueness and a lack of clarity, the courts will eventually become involved.
Which they have been for the past three years in a case involving Microsoft and the U.S. government in what is known as the “Microsoft Ireland”case. The legal saga began in December of 2013 when a district judge in New York issued a warrant ordering Microsoft to produce all emails and other data pertaining to an email account used by a suspect in a criminal narcotics case who resided within the United States. As it turns out, most of the data for this account was stored in in a datacenter in Dublin Ireland. Microsoft willingly turned over any data stored on servers in the U.S. but refused to produce anything further on the grounds that the government’s warrant did not apply to Ireland.
Microsoft’s argument was simple. If the data resided in the form of a written document that was stored in a desk drawer of an office located in Ireland, the Irish government would have to be asked for their cooperation in order to retrieve it. In this case, Microsoft was directly summoned by the U.S. government, bypassing Irish authorities and governance. Part of the legal argument against their argument is that the files can be retrieved just as easily from the U.S. as they can within Ireland. It goes without saying that Ireland got involved within the case, eventually filing a friend-of-the-court brief supporting Microsoft’s position.
The lower courts ruled against Microsoft but on July 14, 2016, the U.S Court of Appeals for the Second Circuit overruled in favor of Microsoft, citing that a warrant is a legal motion particular to the United States and cannot be enforced outside of its borders. As a result, Microsoft has no obligation to disclose the email content in question.
Privacy advocates praise the recent ruling, but the issue of data sovereignty is not going away. Take the recent occurrence of Brexit in which Great Britain will now no longer fall under the sovereignty umbrella of the European Union. Since many cloud providers have a single datacenter assigned to the European region, this will undoubtedly create problems.
Many major countries are currently enacting legislation that at a minimum, a copy of all data must reside within the country of residency. Others may require that all data be retained within national borders. A chief concern amongst companies today that are utilizing the cloud is the issue of a foreign country’s rights of seizure for data that resides within a datacenter within its borders. The solution for that justifiable concern is in the meantime is to ensure that your data is encrypted.