republished from law.com
Data storage is increasingly becoming cheaper beyond human intervention. With the recent IPO of the online storage provider, Box, and the threat of cyber security attacks, a question that must be posed is what data auditing requirements, privacy and legal jurisdictions apply when ownership and legal issues come into question. If you’re a company with data in the cloud, then you’re subject both to the laws of the nation hosting the server and to each user’s own local laws regarding how that data should be protected, leading to a potential conflict of laws over data sovereignty. Companies are faced with this complexity when they are contemplating moving to cloud services but some of these questions, while debated, have never been truly answered by the courts. With the increasing usage of the cloud, it seems as though court cases regarding data sovereignty in the “digital age” will soon be in the forefront.
Ownership of your data is a key question to be asked when you start to dig into the reality of cloud computing. While you may be contracting with a certain provider, that provider may or may not own the data center where information is stored. For example, the relationship between Netflix and Amazon has been one of co-opetition. While Netflix and Amazon Prime are competitors, both services use AWS to store data. Although you may be using Netflix, you will need to understand AWS services’ storage structure as well. (Side note: you should know Amazon’s structure, as it owns 30% of the cloud computing market.)
The law doesn’t really address the question of where your data is, which in turn causes confusion as to what can be done with your data. From a security and privacy point of view, data sovereignty has been a pervasive issue since the introduction of the Homeland Security Act in the United States of America (USA). Essentially under this Act, USA based companies are required to give intelligence and policing agencies access to customer information/data when requested, regardless of where the information is actually located. With data being stored all over the world, such legal hurdles become a confusing mix of legal obligations and audit requirements.
So how do you claim ownership of your data when you don’t know who owns the physical storage? As far back as 1979, the U.S. Supreme Court in its decision Smith v. Maryland held that “a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties.” Much has changed since the 1970s. Today, being engaged in the world involves using the Internet, mobile phones, apps, cloud-based services, GPS, and other technologies that leave enormous amounts of information in the hands of third parties. Once it leaves your device then publication rights don’t protect your data, since you are giving companies the permission to do with your data as it sees fit. This clash of jurisdictions and ownership could result in very real problems of data sovereignty or different rules governing the same data.
While the law may be clear when it comes to the relevant laws and regulations in the specific country where a company is based and the country(ies) where it stores its data, courts are still in flux as to what should happen with data that is either in transit or stored on servers in far away places. While the Supreme Court still has not addressed privacy during data transit as much as some legal analysts believe, it’s becoming clear that digital is different in the eyes of the law as well.
There is a fair amount of legal precedence when it comes to data in transit as can be seen by the recent ruling of Riley v. California, a decision where the Supreme Court invalidated warrantless searches and US v. Jones, another landmark Supreme Court decision in 2012 that ended warrantless use of GPS devices to track criminal suspects’ cars. A case to watch that will test the territoriality of data is Microsoft v. US as it has important implications of law enforcement’s access to data located outside the United States. This case law is but only the beginning in what will be many court cases that try to resolve blurred legal lines.
The migration over to cloud services offers many benefits in terms of flexibility and economies of scale. The advantages come with the security and legal concerns such as whether more sensitive documents are being kept locally for security, which laws apply to jurisdictions hosting their offshore data, and whether they should maintain their own data sovereignty management regime. Meanwhile, continuing diplomatic efforts between nations are necessary to ensure that there is agreement between them, and with business, on how to manage data traffic so as to comply with guidelines such as ITAR (International Traffic in Arms Regulations), the Stored Communications Act (SCA) PCI DSS, HITECH & HIPAA, CJIS, and Gramm-Leach-Bliley. The idea of ownership, data migration and location of your data will be ongoing concerns. What will be even more important is what these three subjects will reveal or conceal about the user or organization that owns the data.