Are U.S. public cloud providers European data-centers able to keep your data safe?
On a recent return trip from overseas, I was waiting in the U.S. Immigration line, part of the airport's preclearance facilities where U.S. Immigration agents do the full check before you get on the flight, rather than doing all the checks when you land. As the agent was checking my passport, and giving me that look that you know Immigration agents are trained for years on, it got me wondering about legal jurisdictions; what if, after passing through this immigration check while waiting in the boarding area, someone committed a crime, who arrests them? Someone from the U.S.? Someone from the host country? What does this have to do with content in the public cloud?
One of the big challenges in information governance, for our non-U.S. based clients, is legal jurisdiction, especially in regards to the U.S. Patriot Act. Most foreign countries have existing information management regulations that require various types of information (financial, personal, confidential, privileged, etc.) to be secured and stored in data centers located on their sovereign soil to protect information from the legal reach of foreign entities, particularly being subject to the U.S. Patriot Act.
With the many technology shifts impacting and keeping enterprise IT swamped these days; cloud, mobile, CoIT and others, items like governance seem to get lost a bit in the chaos. For most U.S., public cloud-based providers, their initial response is to open data centers in countries where sovereign soil regulations exist, therefore the data remains in the originating country and the complexity brought on by the U.S. Patriot Act is circumvented. Information and files can now be freely exchanged and shared within the borders of the host country, out of the way of the prying eyes of foreign entities. At least in theory that sounds right… errrr, but well, not really, and that's the big elephant in the room that non U.S. based companies are awakening to.
According to a recent article in Forbes, the premise U.S. based, public cloud providers are going by is startlingly false. Data centers owned by U.S. companies on foreign soil are NOT exempt from the U.S. Patriot Act. The U.S. Patriot Act is designed to explicitly extend to all data held by U.S. companies and their non-U.S. based subsidiaries. What this means is, any data held in any U.S. public cloud service provider's subsidiary is still accessible by U.S. Government agencies under the U.S. Patriot Act, a violation of many countries’ governing information management regulations.
With more and more enterprise data and customer records moving into the public cloud (intentionally or not) enterprises need to dig a bit deeper to understand if they are inadvertently violating regulations within their home country. At Accellion, we recommend to our non U.S. customers that they either deploy an on-premise, private cloud, file sharing solution, or consider using a hosted data center, owned and managed by an operator in their country with a virtual Accellion implementation (VMWare, Hyper-V, Xen Server). In that way, non U.S. enterprises can be confident that their data is meeting the strictest guidelines of their country’s information management regulations – your protected data stays your protected data, out of reach of foreign entities’ legal jurisdiction.
Oh, and for those of you reading to know what happens if you get arrested at the airport after pre-clearance, it's the hosting country's laws that are enforced. The U.S. has no legal jurisdiction and U.S. Immigration agents can't arrest you, though they can prevent you from boarding a flight back to the U.S. Safe travels!