Opinion: Data sovereignty raised in Microsoft's selection of Revera

As some jurisdictions want to enforce their laws in other countries, it makes sense to limit the data held in offshore datacentres, argues Randal Jackson

Microsoft’s recent selection of Revera as a cloud provider combines Revera’s private cloud and Microsoft’s public cloud offerings.

Revera general manager Robin Cockayne points out that the service is geared to organisations seeking a sovereign-safe cloud computing environment.

Data sovereignty and extraterritorial jurisdiction are important issues. All multinationals must comply with the laws of the countries in which they operate. That’s not contentious. However, some jurisdictions – notably the US – want to enforce their laws in other countries in which a company may operate, or extraterritorial jurisdiction in other words.

In the past, courts around the world typically interpreted laws with the implied limitation that the law applied only within the territorial limit of the jurisdiction that passed it. There were some explicit exceptions to this, and some international treaties that provided for extraterritorial jurisdiction.

In more recent times, claims of extraterritorial jurisdiction have increasingly played a role in prosecuting alleged commercial crimes. This dates back to the “United States v Alcoa” case in 1945, where the “effects doctrine” was introduced. US courts declared that they could exercise jurisdiction over non-US nationals and their activities outside of the US if an economic effect was felt in the US.

The US Patriot Act greatly expands the ability of US courts to grant “sneak and peak” warrants, where search warrants can be granted for officials to search secretly without informing the person or organisation being searched. The Act specifically allows business records of innocent third parties to be searched to assist in investigations.

US courts are specifically enabled by the Patriot Act to issue warrants in secret and outside of their normal geographic jurisdiction. In some cases, agencies are able to “self certify” and basically rubber stamp warrants themselves.

US authorities thus have the ability to oblige US-based companies, including foreign companies with a US presence, to provide them with any business records to which they have access – including data they hold on behalf of customers – without telling the customer.

These records need not be held in the US and need not belong to a US organisation; if a US-domiciled company has access to them, it can be compelled to turn them over.

Consider a New Zealand company which has outsourced its IT functions to a US-based company. The NZ company has an employee “of interest” to the US authorities. On this basis, the US service provider might be obliged to hand over copies, say, of the NZ company’s emails without advising the NZ company.

Under the Patriot Act, data gathered for one purpose can now be handed over to other US agencies investigating other alleged offences, such as economic or commercial crimes. Audits by the US Inspector General have found that the FBI has frequently abused these powers to go on extensive “fishing trips” for purposes far removed from the original intent of the Patriot Act.

Multinational IT vendors acknowledge the issue. According to Microsoft: “Providers can be caught in the impossible position when governments impose conflicting legal obligations and asset competing claims of jurisdiction over user data held by these providers.

“Divergent rules on data privacy, data retention, law enforcement access to user data and other issues can lead to ambiguity and significant legal challenges.” (Source: Privacy in the Cloud Computing Era, a Microsoft Perspective, November 2009.)

In these circumstances, it makes sense to minimise exposure by limiting data held in offshore datacentres beyond the reach of New Zealand law.

Join the Computerworld New Zealand newsletter!

Error: Please check your email address.