Since I wrote a blog entry on Supply Chain Data and the Cloud, I have continued digging into the subject. In that process, I ran into two excellent blog entries by David Navetta and Tanya Forsheit, describing legal implications of cloud computing.
If I understand correctly, there are three key issues that need to be addressed:
Transborder data flows trigger legal obligations. In plain English this means that sharing and transferring data in the cloud is subject to specific legislation. For example, the EU Data Protection Directive prohibits the transfer of personal information of EU residents to countries that do not provide the same level of protection. So, in practice, if you include EU customer information in your Salesforce.com data, make sure the data is kept in the EU.
On the other hand, if your data transits through the US, according to the Patriot Act, US agencies are allowed to access your data.
“Reasonable Security” under the law. Companies outsourcing the handling of personal information to another company may have some responsibility to ensure the outsourcer has some level of reasonable security to protect personal and confidential information.
Electronic evidence/e-discovery. In a litigation context, when the data resides in the cloud, who actually owns the data? We have already talked about the Cloud Supply Chain. This one can be rather complex, so it becomes very difficult to ensure the data is preserved, as the data may not be readily accessible/preserved by the service provider.
If we add to this that data residing in the cloud is typically replicated and backed up, it now becomes very difficult to know where all copies of the data are located and whether all legal requirements are addressed. The organization that subscribes to the service may not have the possibility to perform the due diligence to ensure adequate security and compliance are in place. It is strange that this aspect is not often addressed when discussing cloud. Is it because of lack of knowledge, or do companies hope for the best, waiting for legislation to run its course? What do you think?