[Co-authored by Zachary Reiss-Davis]
On March 30, 2010, Yale University placed a migration to Google Apps for its email services on hold over privacy and security concerns, especially regarding a lack of transparency about in what country its data would be stored in.
Michael Fisher, a computer science professor involved in the decision, said that “People were mainly interested in technical questions like the mechanics of moving, wondering ‘Could we do it?’ ,but nobody asked the question of ‘Should we do it?’” and went on to say that the migration would “also makes the data subject to the vagaries of foreign laws and governments, and “that Google was not willing to provide ITS with a list of countries to which the University’s data could be sent, but only a list of about 15 countries to which the data would not be sent.”
This closely aligns with our January report, “As IaaS Cloud Adoption Goes Global, Tech Vendors Must Address Local Concerns” which examined security and privacy issues involved in moving data to the cloud, especially when it’s no longer clear what country your data will reside in. In this report, we offered that IaaS providers should give “guidance on where data is located and location guarantees if necessary. Rather than merely claiming that data is in the cloud, tech vendors must be prepared to identify the location of data and provide location guarantees (at a premium) if required.”
We have also produced this graphic highlighting our research into data privacy laws by country:
I'm interested in knowing if cross-border privacy concerns are becoming more prevalent.
If you know of other examples where the country-location of you data was a factor in choosing a cloud provider, please share in either the comments or an email. If it’s not an important issue to you, please share that as well.