Irish Government Warns Against Using Microsoft Azure And Others

Yesterday the Irish Times (no links from me to them because they hosted outside of Ireland after consulting a number of companies here in 2007) had an article that featured a government internal email from the Irish Department of Finance.  It instructed the various departments and organisations within the government to be wary of using cloud services and it specifically mentioned Microsoft as an example.  The reasons included security and Data Protection Act compliance.

The problem is the USA Patriot Act.  Any American-owned hosting service or data centre, no matter what country it is in, must comply with the Patriot Act.  That gives the USA federal government the right to demand instant access to any data hosted by that service.  It doesn’t matter if Amazon has a data centre in Ireland or if Microsoft has a data centre in Ireland or the Netherlands.  They’re both American, they both must comply with the Patriot Act, and therefore any organisation storing sensitive or personal information should not be using those services, or services hosted on those platforms, for storing that data.

An Irish-owned SaaS application, with an Irish-owned hosting company, in an Irish-owned data centre are all fine for compliance in Ireland (substitute your own country where appropriate).

This goes beyond government.  It also applies to private businesses.  I recently saw two SaaS companies, one dealing in the HR business and the other in the insurance industry, launch their services based in one of those American data centres in Ireland.  Strictly speaking, and it would appear in the opinion of the Irish government, both of those companies are non-compliant.  They would also put any customers who subscribe to their applications into non-compliance.

Is the scenario far-fetched?  Of course not.  We know how intelligence agencies have misbehaved in the past.  We also know that intelligence agencies have been used for corporate espionage.

Also, forget Safe Harbour.  The Patriot Act and the interests of intelligence services always override it.

The solution is simple; find a locally owned SaaS company, locally owned hosting company, and/or locally owned data centre when you are dealing with sensitive information.

As the email from the Department of Finance said, consult legal advice when you are going online.  Don’t take a chance, don’t believe a salesman (there is one company that is quite slow to fess up when it comes to the Patriot Act and allows its customers to become non-compliant), and don’t put your customers at risk.  Especially don’t believe the loud protests otherwise from the executives of a certain SaaS company that denies all of this (mainly because they did host in the USA and are vulnerable).  If you get burned you’ll lose your business or career.

And don’t believe me.  Consult a legal expert on the Data Protection Act and the online industry.  Then make your decision before choosing a platform, hosting company, data centre or SaaS application.

3 thoughts on “Irish Government Warns Against Using Microsoft Azure And Others”

  1. Excellent article. I’m facing the same issues & challenges in assessing SaaS / Cloud storage options for Government (and private sector) clients in Canada.

    As with any country, Canada has its own privacy and compliance laws (for data both on Government of Canada systems as well as highly regulated private sector firms such as finance, pharmaceutical, insurance, etc) and hosting data of that nature on a cloud subject to a foreign government’s powers is a serious conundrum.

    I didn’t know that it applied to US “owned” companies providing SaaS / cloud computing services – regardless of whether the data is actually stored on data centres on foreign soil.

    If that’s true, it’s a biggie. Until it changes, it knocks out the vast majority of cloud providers (Amazon, Google, Microsoft, Rackspace, GoGrid & dozens of others).

    1. I’ve had this confirmed from two sources. One is a trusted contact in the IT security space. The other was a Microsoft salesman when I pushed him on the subject at the BPOS launch in Ireland.
