an update to its venerated "Hype Cycle" cast a long shadow that hid a startling prediction: At least half of all organizations that host data on behalf of clients will change, or be forced to change, their privacy policies by the end of next year.Research firm Gartner's release earlier this week of
The increased awareness of security breaches among cloud providers, especially Amazon, is one reason. The rest, according to Gartner research director Carsten Casper, center around the changing legislative landscape, especially among multiple countries where the disparities between data protection laws appears only to be growing.
Cloud computing and privacy are at odds by nature. Privacy laws always apply to one country; the public cloud, in its ideal form, is not related to any country. However, many organizations would already benefit from, and are actually looking into other forms of, cloud computing (private cloud, virtual private cloud and jurisdictionally specific software as a service), which - from a privacy perspective - often resembles the traditional forms of outsourcing, hosting and offshoring.
Casper's use of the phrase "jurisdictionally specific" refers to the trend among cloud customers to request that their data only be housed in jurisdictions where law enforcement agencies would not be entitled to seek court-warranted access to them. The United States is one of those jurisdictions, and many of my cloud service provider sources tell me that Europe-based customers are especially afraid that databases and even virtual machine images crossing into American borders may be subject to "search and seizure" by the FBI and other agencies, by virtue of the Patriot Act.
That fact has U.S.-based CSPs scrambling. Recently, Amazon AWS' chief technology officer Werner Vogels told CIO Australia that his company's policy will be to inform customers whenever they receive a court warrant, giving them ample opportunity to seek an injunction.
Gartner's Casper is advising his firm's clients not to go so far as to demand that their data be stored in a particular country. Rather (without going so far as to name names), he suggests instead that they merely tell their service provider which countries they would prefer for their data to not be stored in:
Don't demand storage in a specific country for privacy purposes alone. There are other cases when sensitive company information should not leave the country (for example, if there are export control or national security concerns), but in most cases - and usually under conditions - in-country storage is not mandatory for privacy compliance. In some cases, it will be sufficient to ensure that personal data will not be stored in a specific country that is known for its privacy violations.
Has your business made recommendations or demands to your cloud service provider about the specific jurisdictions or territories where your data may be stored?