Our Director of Public Sector, Eamonn Sheehy, discusses the issues of data sovereignty for government cloud environments, in the first of a 3-part blog series on data protection for the public sector.
As governments in the CARICOM countries begin to consider deploying applications and storing potentially sensitive data in public cloud infrastructure, they need to be mindful of data sovereignty and privacy, and the potential legal implications of the loss of such sovereignty or privacy. This risk is considerably magnified if they are considering to host applications and data in public clouds outside of their jurisdiction, or with global cloud providers with no presence in the Caribbean or Latin America.
Global players, such as Google, Microsoft or Amazon, typically store both their applications and data across many different data centres in several jurisdictions. This makes the issue of determining jurisdictional sovereignty very complex. For example, if a Caribbean government hosts data in a public cloud environment with data being located on servers in several external jurisdictions, which jurisdiction has sovereignty over the data? Is it the jurisdiction where the government is located, or the jurisdiction where the servers are located?
For many “developed” countries, where cloud infrastructure and services are more predominant, the challenge of data sovereignty is rarely an issue as their cloud provider most likely has a physical cloud infrastructure presence in their country. Countries, as in the case of European Union member countries, can insist sensitive data reside only on cloud infrastructure located within their jurisdiction. This helps to mitigate the risk of data sovereignty and helps organizations maintain control of where their data resides. However, this is not always true and does not always guarantee control over the data.
According to Kristina Irion, Senior Researcher at the Institute for Information Law (IViR) at the University of Amsterdam, an additional legal factor should be considered whereby “certain countries’ legislation has extra-territorial reach and it suffices that the cloud service provider is under an obligation to turn over data in its custody.”
The following case study provides examples of the potential legal complexities facing both governments and commercial operators from the Caribbean who outsource data hosting beyond their country or jurisdiction:
Joe Kozlowicz, writing on the Green House Data website stated that: “in late 2013, the Department of Justice sued Microsoft for access to customer emails stored in a Dublin data [centre] facility. Microsoft’s argument was that because the information was stored abroad, it was outside United States legal jurisdictions. Microsoft lost and subsequently appealed, winning the appeal in mid-2016. This latest ruling comes from the DOJ appealing that overturning of its original ruling, arguing that data storage is arbitrary. Because the appeals court ended in a deadlock, it is likely to reach the Supreme Court, assuming the DOJ once again appeals.”
The European Union’s Cybercrime Convention Committee discussion paper on cybercrime recognized that independence of data location is a key characteristic of cloud computing, and therefore “it is often not obvious for criminal justice authorities in which jurisdiction the data is stored and/or which legal regime applies to data.” A service provider may have its headquarters in one jurisdiction and apply the legal regime of a second jurisdiction while the data is stored in a third jurisdiction. Data may be mirrored in several or move between jurisdictions. If the location of data determines the jurisdiction, it is conceivable that a cloud service provider systematically moves data to prevent criminal justice access.
According to a 2016 report by the United Nations Commission for Trade and Development (UNCTAD), “increased reliance on cloud-computing solutions also [raises] questions about what jurisdictions apply in specific cases. Such lack of clarity creates uncertainty for consumers and businesses, limits the scope for cross-border exchange and stifles growth.”
The UNCTAD report goes on to state that “the issue of cloud computing and cross-border data transfers is closely linked to the issue of surveillance since cloud services provided by private sector organizations [has] become a mechanism for accessing personal data by national security agencies.”
It is clear and not surprising the issues of data location, jurisdictional control and data sovereignty have emerged with the growth of cloud service deployments and are key fundamental policy considerations for both governments and commercial operators.
How Government Can Combat Data Sovereignty Issues
CARICOM Governments can minimize the risks of data sovereignty loss by clearly understanding where their cloud-based applications and information reside. This involves asking the right questions and partnering with a cloud services provider who can guarantee data will remain within a given jurisdiction. As with any project, a risk assessment needs to be conducted to help identify any potential vulnerabilities. The risk and the consequences of outcomes need to be fully understood prior to finalizing a decision on the approach to be adopted.
Working with local or regional commercial cloud service providers which are owned and operate only within a specific national or common regional jurisdictional environment can help considerably in mitigating the risk or loss of data sovereignty.
In the case of CARICOM, the implementation of a common legal framework for data privacy which encompasses the use of a regional cloud computing environment, as part of the development of a single ICT space, could go a long way towards mitigating the risk to data sovereignty. This in turn could bolster confidence in the use of commercial cloud solutions, operating within that legal framework, which can bring significant cost savings and service improvements to governments in their pursuit of digital transformation.
For more information on how Cloud Carib can help your organization achieve data sovereignty, please contact us.