This blog post is for informational and educational purposes only. Any legal information provided in this post should not be relied upon as legal advice. It is not intended to create, and does not create, an attorney-client relationship and readers should not act upon the information presented without first seeking legal counsel.
Edward Snowden has unleashed a torrent of activity in the name of data security and privacy protection. Some of that activity has resulted in the creation of jobs, especially in the field of encryption technology (the better to foil the NSA, the theory goes) and stimulation of local economies through the construction of local data centers in Europe. Alas, Virginia, there is no magic bullet for privacy in housing data within one country because data, it has been said, wants to be free. To mix metaphors, it will seek its own level. To put it bluntly, data localization, as housing data within one’s own country is called, is an expensive fantasy that won’t move the privacy ball very far.
The Wall Street Journal reported on February 23, 2015 that Apple has agreed to build two data centers, one in Denmark and one in Ireland, at a cost of approximately two billion dollars. Construction of data centers means creation of many jobs and a good jolt to the local economies of the places where the centers are built, which would be a very good thing for Ireland (data center construction has been a “tent pole” for the Irish economy for some time).The data centers could also go a long way to salving bad feelings across the pond with regard to Apple’s activities that have rubbed regulators the wrong way. Indeed, the sidebar to the Wall Street Journal article is entitled “Apple’s Pitch to European Lawmakers Drips in Honey.”
Apple, then, appears to follow other web technology companies such as Google, Amazon and Microsoft in catering to European fears of U.S. access to personal data by attempting to implement “data localization;” that is, assuring users that their data will be stored on servers within one’s home country. Russia has proposed a bill with this requirement and similar proposals have been advanced within the European Union.
What the construction of these expensive data centers will not do, though, is preserve privacy much better than current cloud hosting providers based in the U.S. do presently. And it will raise complexities that will no doubt stimulate the economy of a sector that has been lagging lately: the legal profession. Data can be forwarded, replicated, retweeted, reposted or otherwise transmitted with the click of a mouse to almost any location in the world. Social media platforms rely on the free flow of data and, as a result, encourage users to send all manner of personal (and, often, company) data across borders. Hosting data on servers within the user’s home country, then, accomplishes little, but the complexities of data localization are Byzantine.
Whose law applies to the data hosted in the home country once it is sent beyond that country’s borders? If the home country’s law won’t apply, was the construction of a data localization center just a very expensive marketing device aimed at attracting European and Asian (and, perhaps Canadian) users concerned about U.S. governmental surveillance? Indeed, at some point, the data will end up in the U.S. vulnerable, if Mr. Snowden is to be believed, to NSA international surveillance just as it was before the data localization centers were built.
When one digs down and comes to the conclusion that a data localization strategy is a false premise as a privacy safeguard the logical follow-up question, in the face of tightening privacy restrictions in Europe and elsewhere, is how can a user rely upon any cloud hosting service to maintain his or her privacy? Cloud hosting providers are well aware of the trends in the EU and elsewhere, and many have taken technical and administrative steps to maximize security and privacy protection. A comprehensive review of the Master Services Agreement or Service Level agreement of the provider should indicate compliance with required data security and privacy levels, and most provide addenda with regard to compliance with security and privacy levels in the EU and elsewhere to comply with local laws and regulations. Mid-sized and larger cloud hosting services providers retain third-parties to audit administrative (data protection policy and procedure), physical (locks, keys and facility surveillance) and technical safeguards for security and privacy. A prospective customer can, and should request reports of those audits.
Security and privacy, then, can be assured to the extent reasonably practicable the old fashioned way: by due diligence into the cloud hosting provider.
By Kenneth N Rashbaum Esq.