For all the implied promises of cloud-based computing, data doesn't just hover in the air -- it also has to have an earthbound home in the form of a server. Because those servers can be anywhere in the world -- and, consequently, under the auspices of local laws -- the location of the servers storing a company's own data and/or customer information can have serious privacy and human rights implications.
"Once you put data on a server in a particular country, you are definitely subjecting that data to the jurisdiction of the local authority," explains Vivek Krishnamurthy, an associate in Foley Hoag's Washington, D.C., office, who authored a recent memo called "Why Every Company Needs a Geolocation Policy."
As the memo details, government authorities typically have a "nuclear option" in order to obtain identifying data about users: either "physically raiding a data center or holding one or more employees in contempt of court for failing to turn over the data being sought." The corollary is that legal frameworks for protecting privacy and freedom of expression vary around the world, including among established democracies.
"There is a lot of concern in the internet user community and the internet activist community about where exactly companies are locating data," Krishnamurthy says.
Companies have a lot on the line, too: the safety of employees and their interest in protecting the integrity of company data, including proprietary information. "I think companies should also be wary about where they locate sensitive internal data," he says.
As companies expand into overseas markets and the demand for remote computing services grows, they face "two different pressure points," Krishnamurthy says:
- Engineering pressure: For performance reasons, companies need to locate data as near to the end-user as possible. "Nobody wants to wait 15 seconds for something to load," Krishnamurthy says. "You want it now."
- Regulatory pressure: Some countries, such as China, require companies to obtain operating licenses in order to set up shop, and a common requirement is that companies locate servers in-country. In other words, "if you want to operate here, you have to play by our rules," Krishnamurthy says.
More recently, BlackBerry maker Research in Motion made headlines in India and Canada for reportedly bowing to pressure to give access to private instant messages to Indian government authorities.
This isn't an issue for technology companies alone. Banks hold information on clients' mutual funds. Airlines know where customers travel. Retailers keep track of purchases. "Many brick-and-mortar companies are becoming technology companies," says Krishnamurthy. "They collect large amounts of data about their customers that is personally identifying."
And the information that technology companies big and small possess can be even more revealing, down to a user's thoughts captured in blogging, note-taking, and email services.
In order to protect both users' and the company's good name, Krishnamurthy recommends that companies conduct a human rights impact assessment before locating data in a new jurisdiction:
Such a review should begin by considering all local laws governing the disclosure of information to law enforcement and intelligence agencies in normal and emergency circumstances. If concerns are identified, the company should consider serving that market from a nearby jurisdiction that affords greater protections for human rights.Google, Microsoft, and Yahoo are spotlighting the importance of such assessments as members of the Global Network Initiative, which was formed in 2008 to help protect the privacy and free speech rights of internet users. Member companies commit to an outside audit of their policies with respect to internet freedoms.
"Pursuant to the GNI, these three companies have developed very detailed policies on where they locate servers and where they locate user data," says Krishnamurthy. "Those policies don't say that companies won't locate data in country X," but they do establish that if a company is considering locating data somewhere, it will conduct a review first.
"The key thing is to actually think about it," Krishnamurthy says. "You may well decide it's worth the risk, but you should know there are risks."