From the Computing.co.uk "original reporting" department:
The Houses of Parliament want to move to Microsoft Office 365, and will mitigate the risk of the US Patriot Act by making contractual agreements to ensure sensitive data sits in Europe. [...] When asked how the Houses of Parliament can ensure that the data stays within the EU, [the head of parliamentary ICT at the Houses of Parliament] said that it was looking for contractual agreements that would ensure that the data remains in Europe.
You would have thought, maybe in light of recent events — I don't know, perhaps a little thing called mass U.S. surveillance of foreign nationals — that the U.K. parliament, of all institutions, would be taking data protection and privacy a little more seriously.
Not so much.
According to the publication, the U.K. parliament's IT chief Joan Miller told delegates at the Cloud World Forum in London last Thursday that despite the temptation for foreign governments to "hoover up data and gain information from us," the IT chief and her staff "don't think it is a problem."
With the U.S. National Security Agency brouhaha continuing to spin in headlines, one might think it would be a good time to back away from putting potentially sensitive parliamentary data into the cloud, where it would be easier for U.S. authorities to serve secret data requests regardless of existing legal channels.
But these legal instruments, which have come to greater prominence as a result of the NSA leaks, have been known in political circles for years. And Parliament is wedging its head in the privacy sand in the face of these extraterritorial surveillance laws in order to save a quid or two.
Let's rewind a little bit.
Reason one: U.K. privacy watchdog warns of cloud danger
The U.K.'s data watchdog, the Information Commissioner's Office (ICO), told ZDNet in April 2011, "the USA PATRIOT Act could be used to get EU-sourced information from a U.S. company. If the U.S. company approached the EU company with a request for the information, then the EU company would have to consider whether to disclose the data."
Parliament may report to the watchdog on data protection matters, but it doesn't have to listen — though at its own peril. The ICO confirmed this a year later in a conference deck for data protection officers.
Reason two: Microsoft admits issues of cloud jurisdiction
Referring back to the aforementioned comments by Microsoft U.K.'s then-managing director — perhaps ironically in this case — at the launch of Office 365 in London in June 2011, Gordon Frazer said the software giant "cannot provide [...] guarantees" that EU-stored data, held in EU-based datacenters, will not leave the EU under any circumstances — even under a request by the Patriot Act.
That's about as explicit as you're going to get from the industry, and the concern turned out to be valid given what we now know about the NSA's spying on foreign nationals, which includes EU and U.K. residents.
Reason three: Contract clauses don't protect against third-country laws
Miller told attendees at the London conference: "...sensitive data like e-mail systems and Microsoft Office files need contractual agreements to manage where the data sits," adding that contractual agreements would ensure the data remains in Europe.
Except, again, not wanting to bring up the NSA "unpleasantness," these contractual clauses don't protect against third-country law. What Miller brought up were the "model clauses" set up between Microsoft and the EU in December 2011, just months after the reach of the Patriot Act was disclosed by the company's own U.K. chief. These clauses determine exactly where data resides.
The cloud pact offers, for all intents and purposes, a safer cloud than those that do not provide such guarantees. But in a world where domestic and foreign government agencies can slurp up as much data as they like within the loosely-defined scope of the laws they are bound by, it in fact makes very little difference to the end user, client, or customer.
The takeaway lessons for the CIO, CPO
The fact that the Houses of Parliament is, now of all times in light of recent news, considering a cloud solution isn't actually the headline here. It's the blasé and ignorant attitude towards cloud security, data protection, and privacy that also ultimately puts politicians and their electorate at risk from foreign surveillance.
Chief information and privacy officers, above all else, are responsible not only for corporate data but the data they hold on their customers. In the parliament's case, it's split between political affairs, sensitive communications with parliamentary committees, and correspondence with their electorate.
Parliament's customers in this case are the politicians, who are accountable to the electorate. In public sector services, you can't always take the easy option in the hope that the cost benefits at the time offset the public anger in the future when they discover their data has gone astray or been "inadvertently" (or deliberately) vacuumed up by a foreign intelligence service.
Despite tech stocks taking a nosedive over the past few quarters, and with the economy still shaky, there still isn't an excuse. IT budgets may be pressed, and spending may have been cut back. But the simplest and most cost-effective service isn't always the best solution.
And ignorance is not a defense, least of all when you're accountable to the wider public.