Whoever first said that ignorance is no excuse when it comes to the law obviously never met the U.S. Code or the U.S. Code of Federal Regulations, which together comprise hundreds of thousands of pages of text. For companies in the U.S., this maze of rules governing the most mundane activities is nightmarish enough, but for those companies dealing internationally, the difficulty quickly becomes worse as the laws of other nations are also piled on. Navigating this legal minefield can be extremely difficult, particularly for data center and cloud-service users and providers. Although this article provides no legal advice on the myriad laws around the world, it does raise some considerations for companies that want to do business abroad.
International Business = More Rules
Naturally, different countries have different laws. Working exclusively in one’s own nation of residence can be difficult enough. In the U.S., data center service providers must, depending on their clientele, navigate legislation ranging from Sarbanes-Oxley to HIPAA/HITECH, and everything in between. But what happens to, say, health or finance data that is moved across borders? In the context of the cloud, when can one even say that data has moved across borders?
Obviously, at some point the laws of other countries become applicable, and simply complying with the laws in one’s own nation of residence is no longer sufficient. An additional complicating factor, however, is determining when each law applies. Furthermore, different nations’ laws can conflict, and compliance with one set of regulations might even necessitate a lack of compliance with another.
An LLRX.com article (“Legal Implications of Cloud Computing - Part One (the Basics and Framing the Issues)”) astutely notes that “sharing and transfer of data within the cloud, the inability for anybody to easily say where the data is or has been, is the key problem that creates legal issues. An obvious problem is transborder data flow. For example under the EU Data Protection Directive, unless they take certain steps, organizations are prohibited from transferring personal information to countries that do not provide the same level of protection with respect to personal information of EU residents (the United States is one such country).”
Three common situations can arise for companies: First, a company might use a data center (or cloud) service provider with an international presence or that is based in another country. Second, a data center service provider might build or contract with a data center on foreign soil. Third, a data center or cloud provider might deliver services to international customers, regardless of the locations of its data centers. The following are some considerations in each case.
Working With Offshore Data Centers
If you work with a data center or cloud provider on foreign soil, and your services cross into Sarbanes-Oxley, HIPAA or similar territory, then compliance can become a problem. Here are a few points to consider.
- Does your provider comply with regulations that apply to your data? If you’re dealing with patient medical data or financial information, then you probably need to deal with a data center that is compliant with the associated regulations (such as HIPAA). This may be an issue if you’re dealing with an offshore provider, unless that provider specifically tailors its services to your market in your nation (such as the U.S.).
- Will regulations applicable to that provider affect storage or access to your data? A provider is expected to comply with the laws applicable in its own nation. This may (or may not) become an issue with respect to your data. Furthermore, contracts may provide insufficient protection if they are not in conformity with local regulations.
- Does the provider offer any external evidence of compliance? Audits and certifications for various regulatory schemes can help you better select an adequate provider, but don’t limit yourself to these “pieces of paper.” If possible, find out about the experience of other customers in similar situations who have dealt with the provider.
Building an Offshore Data Center
In the case of building a facility offshore (or contracting with such a facility), many of the same regulatory concerns apply: which rules apply, which ones take precedence in the event of a conflict among them, and what measures must be taken to ensure compliance. Here are some more concerns to ponder.
- Apply all the usual site-selection criteria. If you’re building a data center or relying on a foreign facility, look at potential for natural disasters, political stability, workforce availability, infrastructure, costs and so forth. Obviously, some countries (and some localities within certain countries) are better locations than others, depending on your business needs.
- Review the legislative/regulatory environment. Operating internationally creates a jumble of legal hoops that you may need to jump through. So consider carefully not only the hassles that may arise owing to compliance issues, but also the cost of compliance. Foreign clienteles may seem less appealing when the regulatory burden is taken into consideration.
- Consider complications back home. Expanding into foreign nations may not really be outsourcing, but it may appear that way to outside observers. Consider whether doing so will cause net harm to your business. Also, keep in mind that additional regulations at home may apply if you deal internationally.
Serving International Customers From Home
The connectivity of the Internet means you don’t necessarily need a physical presence in a foreign nation to serve that nation’s citizens. Cloud computing makes physical distances almost meaningless—too bad it can’t do the same with political borders. Keep these issues in mind.
- International customers are concerned about their own regulations. Serving these customers may require you to comply with foreign regulations, even if you don’t have a physical presence there. And violating foreign laws can still have repercussions at home (yes, it can get you in big trouble in some circumstances).
- Complying with international regulations adds costs. Again, be sure that the costs of serving certain international markets do not outweigh the potential benefits. Research the regulatory burden associated with your services as applied to foreign markets.
Unfortunately, not all countries are interested in making international business easy. Dealing internationally requires doing your homework: determining what regulations (both at home and abroad) apply to your services and how much compliance with those regulations will cost you. And areas like cloud computing are somewhat murky, with many unanswered questions complicating the legal and regulatory landscape. Opportunities abound, but so do pitfalls. LLRX.com notes, for instance, that “contracting may be much more difficult in the cloud environment because the players may not be in a position to make certain promises, and additional duties/obligations may destroy the cheap pricing model for cloud computing.” Just remember, “ignorance is no excuse” may be a ridiculous mantra in an age of excessive, complicated regulations, but it can still land you in legal/regulatory hassles if you’re not careful.