Today most of us use technology in our everyday lives without a basic understanding of how it works (myself included!). A good example of this is the increasing use of cloud storage. The premise of the cloud is that data can be accessed from anywhere via the internet, metaphorically stored in a “cloud” that hovers over us. This is incredibly convenient but not understanding how the cloud works means we are unable to appreciate the legal implications.
Most of us tend to think of the Internet as a magical thing that exists everywhere and nowhere, but it does in fact require physical machines to function.
Let’s take the example of your computer loading this webpage. When you type an address in the search bar your browser sends a request for that website off into the internet. Each website lives on a physical web server somewhere in the world. The server where that site’s content is stored will respond to your request and send the information back to your browser. These communications are made using IP addresses. This all happens so quickly we usually don’t notice it.
The cloud functions basically in the same way. Your data is stored on a server somewhere in the world and you can access it from anywhere via the internet. The legal question then becomes where in the world is it?
Much of today’s distrust in the cloud is a result of data loss and service interruption. These are some of the biggest risks that cloud providers have to guard against. In order to guarantee continuous access most cloud providers will have multiple data centers in multiple different locations, all storing the same information. This way if something happens in one location (e.g. fire, flood, power outage) there will be no interruption in users’ access. While this prevents data loss it also exacerbates some of the legal issues around the cloud.
Now that we understand a little about the Internet’s infrastructure we can better appreciate some of the security risks of cloud storage. We know that all data stored in the cloud must be physically stored somewhere on earth. This means that, in addition to virtual access, we need to ask who has physical access. Generally this is the employees of the cloud provider, but it can also mean local authorities in the jurisdiction where the server is located.
To take one example, servers in the United States would be subject to warrantless searches under the Patriot Act, in addition to any other searches authorized by law. Courts generally are more amenable to making orders about things located in their jurisdiction than somewhere outside of it. Although physical presence is not the definitive test for jurisdiction in Canada the test does require a real and substantial connection. Other jurisdictions have different tests.Often the user agreement you skip through to click the “OK” button specifies that your cloud provider is authorized to hand over any information requested by the authorities.
For organizations that collect personal data by storing data on a server in another jurisdiction you may also become subject to the data privacy laws of the jurisdiction in which the data is stored. Data privacy legislation can differ between countries, putting organizations at risk of not complying with the laws of either or both countries. Canada is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). PIPEDA has no restrictions on where you can transfer personal data but the organization sending the data remains responsible for the protection of the information whatever the location.
Because we know that cloud providers often use servers in multiple locations to guarantee continuous access it is possible that information in the cloud could be subject to competing claims in multiple jurisdictions.
The more jurisdictions at play the greater the chance that laws will conflict. One of the more well-known examples is the “Microsoft Ireland” case. In late 2013 a New York judge issued a warrant ordering Microsoft to produce certain emails. The emails happened to be stored on a server located in Ireland. Ireland’s data privacy laws prohibited Microsoft from disclosing the emails. Microsoft therefore refused and was held in contempt, but the District Court reversed that decision in July of 2016. The issue is currently under appeal to the Second Circuit Court of Appeal.
It appears that much like the cloud itself, the law around it is still up in the air.
 Microsoft Corporation v United States of America, brief http://digitalconstitution.com/wp-content/uploads/2014/12/Microsoft-Opening-Brief-120820141.pdf