- May 14, 2020
Litigation often spans country borders, but how is eDiscovery and data sovereignty handled when data generated and stored outside the United States? Many countries have laws that stipulate that data created in a particular country must also be stored in that same country. However, during a lawsuit’s legal discovery phase, supporting content can be requested no matter where that data is stored.
A landmark case began in 2013 which collided head-on with country data sovereignty and corporate rights. American law enforcement sought data on a user of Microsoft services in relation to a drug trafficking case; Microsoft argued in Microsoft Corp v. United States that the data in question was located exclusively in a data center in Ireland and argued that the data held exclusively on Irish servers were not subject to U.S. jurisdiction. A federal court issued a warrant under the Stored Communications Act against Microsoft for both personal user data and email.
Microsoft challenged the warrant but lost. Microsoft appealed to the U.S. Second Circuit Court who froze the warrant until a decision could be handed down. While the case was awaiting judgment by the U.S. Supreme Court, the U.S. Congress passed the Cloud Act.
The CLOUD Act states that companies must provide information properly requested by law enforcement “regardless of whether such communication, record, or other information is located within or outside of the United States.” The passing of the Cloud Act finally decided the question of the federal courts and cross-border eDiscovery. In fact, Microsoft agreed with the Act and issued the following statement:
“We welcome the Supreme Court’s ruling ending our case in light of the CLOUD Act being signed into law. Our goal has always been a new law and international agreements with strong privacy protections that govern how law enforcement gathers digital evidence across borders. As the governments of the UK and Australia have recognized, the CLOUD Act encourages these types of agreements, and we urge the US government to move quickly to negotiate them.”
Many companies have begun to look at multi-cloud strategies to help them protect against vendor lock-in, but they carry with them a higher cost – more systems to manage and regulatory and legal complexity – they must determine where the data is stored and whether it can be moved legally once stored in a specific country under local laws.
Multi-cloud is the use of multiple cloud computing and storage services in a single heterogeneous architecture. This definition also refers to the distribution of cloud assets, software, applications, etc. across several cloud-hosting environments. With a typical multi-cloud architecture consisting of two or more public clouds as well as potentially additional private clouds, a multi-cloud environment aims to eliminate the reliance on any single cloud provider. Also, in a multi-cloud environment, synchronization between different vendors is not crucial to complete a computation process. However, the company must be able to stipulate storage locations.
For example, if an organization was running applications and services within a multi-cloud infrastructure, they could be in violation of multiple nations’ data sovereignty regulations at the same time. Consider this; violating Brazil’s LGPD data protection law as well as the EU’s GDPR could end up generating fines equal to a combined 6% of the company’s global revenue.
Because of the distributed nature of the cloud, where data is stored may not be known to a customer or the SaaS provider may not be able to ensure storage in a specific geographic location. Furthermore, most SaaS cloud platforms are not designed with data sovereignty in mind. For example, many SaaS platforms are designed around a single data center, meaning SaaS cloud subscribers agree to store their data in the vendor’s cloud infrastructure no matter where it is, usually in one or two countries. To ensure against misunderstandings, both the customer and SaaS provider must take extra precautions to ensure all data sovereignty requirements can be met. Potential customers should be aware of their data sovereignty requirements and ask the vendor if they support specific country laws. SaaS providers should limit their data sovereignty claims to only those countries where they have data centers.
Basic data sovereignty topics to discuss with cloud vendors:
Find out why major, regulated organizations around the world trust Archive360 with their most sensitive data. Contact us today to find out how we can help.
Archive360 is trusted by thousands of companies, including Netflix, Samsung, McKesson, and 3M, with migrating Enterprise Vault and other archiving major migration workloads.