Where is my data stored when I use a Cloud service? This is a frequent question, but it should be even more important for companies and developers in Europe. Why? First, the legislation that protects personal data is dramatically different in the United States, not to mention other regions where it is almost nonexistent. Second, with data replication it is easy to lose track of the datacenters used to manage the storage and, in an era where information is the most important asset of a company, you at least want to know the actual location of your data.
At the center of this issue is the well-known USA Patriot Act 2001, which gives over-broad powers to US law enforcement authorities to subpoena business records from companies connected with the US, regardless of location or jurisdiction. The cloud computing sector is particularly vulnerable to these issues.
Europe has long fought for a different approach to data protection, approving the EU Data Protection Directive, which makes companies legally responsible for the security and privacy of any personal data used in their IT systems. This is a very serious matter for European legislators, who have enforced the rules and severely fined the non-compliant, although lately some US legislation is being adopted in the European Union, especially as a means to combat terrorism and cyberattacks.
When operating in Europe, and in European countries, you have to obey local legislation, and this means that data storage and access have to follow European laws. There are even different “flavors” of data protection law throughout Europe, because each member state is free to adopt the Directives at its own pace (with a time limit) and with some adjustments.
The concerns about the Patriot Act have already been put forward by many specialists, and even by governments like that of the Netherlands, where the Security and Justice Minister proposed changes to procurement requirements to state that a supplier is under no circumstances allowed to transfer governmental data to any foreign legal body, thereby implicitly excluding US companies from tenders.
As we are stressing the difference a pan-European cloud makes, it is important to know that when it comes to data protection, local clouds do it better and keep you safe from the Patriot Act. We have to follow European laws, but some global Clouds (or American ones) do not have the same rules, especially if their data centers are located outside the European Union, in India or in some obscure country where it is cheaper to operate.
When you decide which cloud service you want to use, be sure to ask this important question: Where is my data located (for real)?