Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2011-07-18 05:41:20Format, images and links may no longer function correctly. A couple weeks back I wrote a piece on the Commission on the Leadership Opportunity in U.S. Deployment of the Cloud (CLOUD2) looking at what the U.S. could do to encourage global companies to adopt U.S. based cloud providers. I enjoyed speaking to the international working group on potential eDiscovery concerns with cloud providers. The group is analyzing the issues and creating innovative recommendations for the Obama administration. Their work just got a bit harder as Microsoft’s UK Managing Director Gordon Frazier admitted to ZDNet that EU data stored in Office 365 could be accessed by U.S. government under the U.S. Patriot Act. This should not be a surprise to anyone who has watched the debates over government internet monitoring programs like Carnivore and NarusInsight. It apparently was a surprise to members of the European Parliments who are now demanding answers.
Companies large and small are contemplating cloud based application services to replace traditional enterprise software licensing. The fundamental concern seems to be that cloud hosting blurs jurisdictions, ownership and custody definitions. Just because data is generated, hosted and accessed exclusively from the EU does not mean that it is safe from U.S. government if the hosting company has a U.S. presence. Foreign companies will rightfully fear that their ESI could be accessed by the U.S. government using the Patriot Act and they would never know about it. This issue affects every global cloud-based provider; FaceBook, Google, Rackspace, Amazon, Salesforce, Bloomberg, etc.
If your ESI has been read by the U.S. government, have your privilege rights been waived? As a non-attorney, I am guessing not. But remember that theoretically everything that the U.S. government gains access to could become exposed through a Freedom of Information Act request when declassified or deemed harmless to the government’s interests. We are verging on conspiracy theories at this point, but law is about ideas more than reality. I am interested in seeing how this plays out and if the U.S. government will recognize EU’s data privacy rights. Cloud companies already struggle with third party subpoenas for user email, documents and event logs. Now they have to worry that global clients may insist on some kind of notification or permission clauses before signing large service agreements. Have you encountered any questions or hesitations from clients worried about their ESI stored in the U.S? Let us know about it.