Are U.S. public cloud providers’ European data centers able to keep your data safe?
On a recent return trip from overseas, I was waiting in the U.S. Immigration line, part of the airport’s preclearance facilities where U.S. Immigration agents do the full check before you get on the flight, rather than doing all the checks when you land. As the agent was checking my passport, and giving me that look that you know Immigration agents are trained for years on, it got me wondering about legal jurisdictions; what if, after passing through this immigration check while waiting in the boarding area, someone committed a crime, who arrests them? Someone from the U.S.? Someone from the host country? What does this have to do with content in the public cloud?
One of the big challenges in information governance for our non-U.S.-based clients is legal jurisdiction, especially with regard to the U.S. Patriot Act. Most foreign countries have existing information management regulations that require various types of information (financial, personal, confidential, privileged, etc.) to be secured and stored in data centers located on their sovereign soil, to protect that information from the legal reach of foreign entities and, in particular, from being subject to the U.S. Patriot Act.
With the many technology shifts keeping enterprise IT swamped these days (cloud, mobile, CoIT and others), items like governance seem to get lost a bit in the chaos. For most U.S.-based public cloud providers, the initial response is to open data centers in countries where sovereign soil regulations exist, so that the data remains in the originating country and the complexity brought on by the U.S. Patriot Act is circumvented. Information and files can now be freely exchanged and shared within the borders of the host country, out of the way of the prying eyes of foreign entities. At least in theory that sounds right… errrr, but well, not really, and that’s the big elephant in the room that non-U.S.-based companies are awakening to.
According to a recent article in Forbes, the premise that U.S.-based public cloud providers are working from is startlingly false. Data centers owned by U.S. companies on foreign soil are NOT exempt from the U.S. Patriot Act. The U.S. Patriot Act is designed to explicitly extend to all data held by U.S. companies and their non-U.S.-based subsidiaries. What this means is that any data held in any U.S. public cloud service provider’s subsidiary is still accessible by U.S. Government agencies under the U.S. Patriot Act, which is a violation of many countries’ governing information management regulations.
With more and more enterprise data and customer records moving into the public cloud (intentionally or not), enterprises need to dig a bit deeper to understand whether they are inadvertently violating regulations within their home country. At Accellion, we recommend to our non-U.S. customers that they either deploy an on-premise, private cloud file sharing solution, or consider using a hosted data center, owned and managed by an operator in their country, with a virtual Accellion implementation (VMware, Hyper-V, XenServer). In that way, non-U.S. enterprises can be confident that their data is meeting the strictest guidelines of their country’s information management regulations – your protected data stays your protected data, out of reach of foreign entities’ legal jurisdiction.
Oh, and for those of you reading on to find out what happens if you get arrested at the airport after pre-clearance, it’s the hosting country’s laws that are enforced. The U.S. has no legal jurisdiction and U.S. Immigration agents can’t arrest you, though they can prevent you from boarding a flight back to the U.S. Safe travels!
Dave, you raise an interesting point that I am starting to hear about a lot from UK-based customers – they are really worried about the extent to which the US government can access their data, and as the majority of cloud companies seem to come from the US this is going to hamper cloud adoption, not just for secure file exchange but for any service. What happens if the US company registers a company in another country, e.g. a limited company in the UK? What jurisdiction does this fall under then?
Hi Ian, thank you for posting your question. A limited company registered by a U.S. company would still be a subsidiary with primary ownership from a U.S. company. Given that’s the case, this should still fall under the same guidelines and be subject to the U.S. Patriot Act, based on all I have read on this topic. The only way to side-step it, from what I’ve gathered so far, is to have the data-center itself owned and operated by a European company (non-U.S. owned) and then run the U.S.-based company’s cloud infrastructure and software from within that data-center; this could exist through partnership/alliance type arrangements.