Businesses are increasingly relying on cloud servers to store electronic data in which other entities or individuals have legally recognized interests. Types of sensitive electronic data now regularly stored in the cloud include: patient medical records; banking and financial records for individuals and businesses; and students’ academic performance records, test scores, etc., from elementary through post-graduate.
The geographical location of the cloud provider’s resources has become increasingly varied as cloud providers expand their offerings to customers throughout the world. Users may not be sure of the exact location of their data, including which of the cloud provider’s servers the data is on and the physical location of those servers, because of the resource pooling at the heart of many cloud services. This may be especially true for cloud services that provide some level of data redundancy (i.e., the cloud provider stores copies of the data in multiple places in an effort to limit the impact of a server failure), an attractive feature of cloud computing. In fact, those redundant services by default may not have any awareness of the data owner’s location.
For companies interested in more fine-grained control over data, including specific geographic restrictions about where data can be stored, many cloud providers are willing to develop custom solutions based on those requirements. For example, a number of cloud computing providers will now sign the Business Associate Agreements (“BAAs”) required under HIPAA regulations, including Box, Microsoft, Google, Amazon, Verizon, Dell, Symform, and Egnyte. Likewise, more and more cloud providers are starting to comply with the European Union’s data protection requirements. For example, Google enumerates its compliance with various security standards, including those of the EU, on its Compliance Page, available at: https://support.google.com/googleforwork/answer/6056694?hl=en.
Microsoft has recently indicated its compliance with the EU Data Protection Directive, and Dropbox has indicated that it complies with the U.S.-E.U. Safe Harbor framework.