The pitfalls of offshore cloud

CIOs who send their data to an offshore or global cloud may be in for more legal and financial trouble than it's worth, according to a new whitepaper released yesterday.

Whitepaper co-author, Connie Carnabuci, partner at law firm Freshfields Bruckhaus Deringer (Credit: Luke Hopewell/ZDNet Australia)

The whitepaper, commissioned by Macquarie Telecom in partnership with law firm Freshfields Bruckhaus Deringer and entitled "The Cloud and US Cross-Border Risks", aims to warn not just CIOs of the legal dangers of offshore cloud, but every level of a company considering a cloud move.

Matt Healy, head of Regulatory and Government for Macquarie Telecom, told the The Cloud and US Cross-Border Risks roundtable that as business moves to global cloud, traditional economic borders begin to break down, presenting new legal and financial risks.

Legal risks

Businesses looking to host their data in a US-based, offshore cloud environment open themselves up to a whole new world of legal strife, according to whitepaper co-author, Connie Carnabuci, partner at law firm Freshfields Bruckhaus Deringer.

Data stored in a US-based cloud, for example, has a higher chance of being accessed by government agencies, making privacy assurances difficult.

US-based data faces exposure to the controversial Patriot Act and Foreign Intelligence and Surveillance Act, meaning that data stored in an offshore cloud environment may be accessed by US federal law enforcement agencies, regardless of who owns the data.

Australia has very strict regulations in terms of how private data can be handled, Carnabuci explained, a view which the US does not share. The US handles data privacy on a sector-by-sector basis, while several key pieces of legislation make it easy for law enforcement agencies to access data for any and all investigations.

"There's no doubt that the US Government has got much greater powers to access private data than the Australian Government has under corresponding laws," Carnabuci said, adding that agencies can view data with a lower probable cause than would normally be required.

"You don't, for example, need to be able to show probable cause that the target is engaged in criminal activity, so it is potentially the case that government may seek access to your private data stored in the US," she said.

Aussies hosting data in US clouds also can't claim protections under the Fourth Amendment, which protects against unlawful search and seizure of property and information, due to the fact that data is held by a third-party cloud provider.

"The Fourth Amendment falls away and is not applicable where data has been provided to a third party," Carnabuci explained.

"The reasonable expectation of privacy is extinguished when you've provided data to that third party," she added.

Data privacy is eroded further by mutual treaties and agreements signed between countries, such as the European Convention on Cybercrime, meaning data stored in the US may end up in the hands of European law enforcement if required, without the knowledge of the customer.

The biggest risk, however, according to Carnabuci, is how customers will see your company if it hosts data offshore.

"If your company becomes the centre of an investigation, it's going to cost you time and it's going to involve money to deal with that investigation … [however] it's not about the penalties under the data privacy laws, it's about disruption to business and losing customers," she said.

Financial risks

The simple act of storing data can, in some circumstances, be classed as operating a business within the US, opening Aussie companies up to additional income tax obligations from the federal and state governments where the hosting is taking place.

"While mere storage of data typically should not amount to the conduct of business within the US for tax purposes, the activity can be treated as the conduct of business if the non-US person stores data for the account of others, or allows customers or other third parties access to the data," the whitepaper said.

"Anyone who's looking at a global cloud solution would do well to get advice because you need to look at all the circumstances. If there's a dedicated facility or if you take an equity stake in a hosting provider, for example," Carnabuci said.

Macquarie Telecom's Healy said that given the minefield surrounding global cloud hosting, businesses would do well to go with a local, mid-range cloud provider first in order to suss out the regulatory framework around global hosting.

"It may be more appropriate to take its first steps into cloud computing via an onshore provider where the controls and arrangements are perhaps more transparent," he said.

(Front page image credit: Steep Drop image by Mat Walker, CC BY-SA 2.0)