iRooms from Imprima


The devil's in the data (location)


Companies of all sizes are being challenged as never before to keep a tight rein on their data. Some 78 per cent of businesses have experienced some form of data breach within the last two years, and the risk of high-profile information losses reaches well beyond the remit of the IT department and into almost every other business division, with potentially serious consequences for the board.

International trade brings with it the need to share confidential business data frequently across borders. The pace of technology growth to facilitate this transfer has far outstripped many people’s ability to keep up, from quick and relatively low-security offerings such as Dropbox and Google Drive through to sophisticated and highly protected platforms such as Virtual Data Rooms and collaboration platforms that host vast amounts of highly sensitive corporate information, including that involved in due diligence for M&A transactions.

With the UK currently ranking fifth in the world on the list of most targeted countries for data theft, it’s clear that this is an issue the business world needs to manage effectively, and with haste.

Those with a keen eye on data and the implications of how and where it’s stored and shared will know that moving it to "The Cloud" is not without its problems. The often confusing legal framework surrounding the US Patriot Act, which became law in 2001, and the more stringent EU data protection laws have left many unsure of how to proceed when choosing a vendor.

The two main factors to take into consideration when determining the legal jurisdiction of data storage are 1) the physical location of the data and 2) the company location of the data storage provider, which helps determine the laws governing access to the data. This is especially important as the dominance of US-registered cloud service providers subject to the U.S. Patriot Act operating within Europe increases. The combination of these two factors reveals the legal framework that any data is subject to, making it imperative to study data protection implications before moving to the cloud.

Requests from the U.S. government to release data stored on European-based servers of U.S. companies have been on the increase, and recent headlines on the legal woes of Microsoft, ordered by a judge to hand over data on its Dublin server despite the location of the server being outside of direct U.S. jurisdiction, have been well documented.

A lack of transparency and awareness has been blamed, which comes partly from the U.S. Patriot Act requiring U.S. companies and their subsidiaries to comply with U.S. government data requests regardless of location. A U.S. data company hosting data within Europe has further legal obligations, as it would also need to comply with EU data protection and notification laws.

Certainty over data security is something that European-owned companies, in contrast, do have in place. The Data Protection Directive introduced by the EU, alongside recommendations from the Organisation for Economic Cooperation and Development, established a comprehensive data protection law for all member states. This law ensures that any client with data physically stored within the confines of the EU through an EU-controlled company is protected.

This makes the EU a preferable jurisdiction for European-based companies with private records, an initiative some feel should be replicated in the US. It is worth noting, however, that there are exceptions to this rule: EU companies with cloud-based storage (outside of EU servers), or US companies with data held in the EU, are not bound by the Data Protection Directive.

As the cost-saving benefits of cloud storage become increasingly attractive to businesses, the need for companies to be more transparent about their data storage, and more importantly about the laws that govern it, becomes ever more important. So when it comes to the cloud, the mantra of "location, location, location" is true.
