Business Report

Transcending Borders but Not Laws

As cloud computing spreads data around the globe, a haze of legal and privacy questions follows.

There’s a problem facing cloud computing that doesn’t have an easy solution yet.

Although it is often not obvious where data is actually residing when it’s uploaded to a cloud service such as Web-based e-mail, the location does matter. And depending on the legal jurisdiction where the data is stored, it could be exposed to government scrutiny or to unexpected regulations. “When data is physically located within a country, that country has the practical ability to force access to that data by various means,” says Katitza Rodriguez, international rights director for the Electronic Frontier Foundation, a tech-focused civil-rights organization.

This story is part of our November/December 2011 Issue

That is cause for worry in Canada and some European countries, where activists fear that strict local privacy rules may not apply if citizens’ data is stored on servers in the United States. The powers of U.S. law enforcement to snoop on e-mail and other records were expanded by the USA Patriot Act, passed shortly after the September 11 terrorist attacks. The Canadian province of British Columbia responded with a 2004 law requiring public bodies to ensure that citizens’ personal information, such as health records, be “stored only in Canada and accessed only in Canada.”

The spread of restrictive data laws could make it more difficult for overseas companies and government agencies to use commercial cloud providers, the largest of which are based in the United States. Indeed, the U.S. Department of Commerce considers legal obstacles to “transborder data flows” a brewing threat to free trade. It has formed a committee with Mexico and Canada to make sure privacy laws don’t stand in the way.

The jurisdictional issue is already having effects. Francis deSouza, group president for enterprise products and services at Symantec, says his company has negotiated with a Swiss financial institution about running the bank’s e-mail servers and other software. In principle, they could be hosted in an existing Symantec data center anywhere. But because Swiss bank secrecy laws don’t apply outside the country, deSouza says, doing business will mean building a new data center in Switzerland.

Yet storing data outside the U.S. may not be enough to shield it from American law enforcement. Microsoft and Google inflamed anxieties in Europe this summer when they confirmed that even data stored outside the United States—including in European data centers—could be subject to lawful U.S. government requests (not to mention those of other nations). All this is making the cloud a difficult place to hide, particularly when it comes to sensitive data. Last year, for instance, Amazon booted the whistleblower organization WikiLeaks off its cloud servers amid complaints from Washington that WikiLeaks was storing stolen classified documents on the machines.

Another potential headache: some countries require data to be logged for a certain amount of time, while others require that data be deleted after a certain time. As a result, companies like Facebook that store data in multiple places may face conflicting mandates, says Daniel Garrie, general counsel for the Focused Solution Resource Delivery Group, which advises companies on cloud computing contracts. 

Next in this Business Report
Business in the Cloud

Treating computing as a utility, like electricity, is an old idea. But now it makes financial sense—a historic shift that explains why cloud computing is reshaping the economics of IT. Even startup companies and consumers now can access massive amounts of computing power. The cloud is also raising new questions about privacy and security.
