At the Cloud World Forum in June 2014, the CIO of the Bank of England John Finch advised British businesses to be wary of partnering with US-based cloud suppliers as they risk their data being accessed by US government agencies under USA PATRIOT Act.
Finch warned that data sovereignty should be a vital consideration that is just as important as security when it comes to selecting a cloud hosting provider. He urged businesses to gain a full understanding of the regulations of not only the country where the data is stored, but also where the hosting company is domiciled (which is often different, especially in the case of cloud vendors who offer multiple data centres).
In his speech, Finch explained to delegates that “even if that well-known cloud provider says ‘don’t worry, it won’t leave Europe’, if they are an American company, it is likely that your data and processing is now subject to the American Patriot Act. And, if it is integrated to your infrastructure, it is likely that all of your services are subject to the Patriot Act.”
We commented on this subject a couple of months ago when Microsoft received a subpoena from the US Government to hand over data hosted in the company’s Dublin data centres. This stirred up much controversy and highlighted the fact that it doesn’t matter whether the data is physically held outside of the United States if the hosting vendor itself is a US-registered company.
Other cloud providers, such as Verizon, have attempted to circumvent this law by claiming that their data is hosted outside the US in data centres owned by EU companies. However, these companies are subsidiaries of a US parent and are therefore still susceptible to the Patriot Act.
As Finch put it bluntly: “If the CIA or FBI want the data, they have got it. I am not saying it is necessarily a bad thing, but you need to think through very clearly what you are giving and when you are giving it.”
The only way for British and European businesses to ensure the security of their data from the potential intrusion of the Patriot Act is to choose a cloud provider that is based outside of the United States and hosts their data outside of the United States.
HighQ is a registered UK company with data centres in Europe, US, Channel Islands, and the UAE (Australia data centers will be live in August 2014). HighQ’s customers can choose which jurisdiction their data is held in, and being a UK registered company, can ensure (based on existing legislation) that non-US customer data is entirely protected from US laws.