If you’ve worked in IT with a government organisation you’ll know the term “data sovereignty”. For those who haven’t had the pleasure the term refers to the laws that apply to data in the location that it’s stored in. When dealing with government entities this means that service providers have to make guarantees that the data won’t leave the Australian shores. Because, if it did, then the data wouldn’t be subject to Australian law any more and whatever government got a hold of it would be outside Australia’s jurisdiction. This has been the major limiting factor in the Australian Government’s adoption of cloud services as, until just recently, the major providers didn’t have an Australian presence. However even that might not suffice soon as the US government is attempting to break the idea of data sovereignty by requiring companies to disclose data that’s not within their jurisdiction.
This issue has arisen out of a long running court case that the US government has had against Microsoft. Essentially authorities in the USA want access to information that is stored on Microsoft servers in Dublin, Ireland. Their argument is that since Microsoft is in control of the servers they’re on the hook to provide the data. Microsoft’s argument has been that the US government should make that request from authorities within that jurisdiction. Indeed senior legal counsel from the Irish Supreme Court has said that such a request could be made under the Mutual Legal Assistance Treaty. This hasn’t satisfied the US authorities who believe that since the company is based in the USA all the data they control should be made available to them under their legal jurisdiction.
Putting aside the privacy concerns for the moment (and believe me there are many) if the US courts compel Microsoft to provide data from outside their jurisdiction then the notion of data sovereignty on any cloud service becomes null and void. No longer will anyone be able to assume that their data is subject to the laws of the country it resides in which raises a whole host of legal issues. Do companies that make use of locally provided but not locally owned services need to comply with US data retention laws like SOX? Are these requests for data going to be held to the same level of evidence requirements that other countries have? What’s stopping the US government from compelling US based companies from requesting other government’s data on these services? I could go on but it all comes down to the issue of the US government completely overstepping its jurisdiction.
For someone like me, who works primarily in the large government IT space, the attack feels even more personal. I’ve been a champion of cloud services for years and it’s only been recently that I’ve been able to make use of the public cloud with my clients. Should the US government continue with (and win) this case the ramifications will be instantaneous: all the government services running on cloud services will be in-housed as soon as possible. That’s not to mention the potential effects it could have on how international companies like mine will interact with government. Suddenly we wouldn’t be able to work with any client related data except when we’re on site, a tremendous blow to the way we do business.
The US government needs to realise just how damaging something like this could be both to their reputation internationally and the business that US based companies do elsewhere. Data sovereignty laws exist for a reason and breaking them just because your law enforcement agency doesn’t want to go through the proper channels isn’t a good enough excuse. If they continue down this path the IT industry will suffer immensely as a result and for nothing more than some saved paperwork and inflated egos.
Grow up, USA. Seriously.
