Technology has continued to evolve and transform seemingly all orthodox and traditional processes at an alarming pace. Enterprises and organizations in a bid to maintain competitive advantage and meet their objectives are making huge investments in technology; to upgrade existing infrastructures, systems, replacement of local servers by outsourced remote services etc. The need to house big data is certainly motivating developers to find new and ingenious ways to meet demand optimally. The rapid evolution of processing power, storage technologies and availability of high quality broadband speed and big data have enabled the realization of a new computing model called cloud computing.
Simply put, cloud computing refers to technology in the cloud; which comprises of set of hardware, network, storage, services and interfaces that are combined to deliver enhanced value to enterprises. In a cloud computing environment, data and applications are hosted "in the cloud" instead of maintaining physical infrastructures on site. Cloud service delivery is divided among three archetypal models, namely Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS) over the Internet based on user demand. Instead of purchasing, operating and maintaining a specific hardware and software environment and bearing the costs incurred themselves, users pay a fee based on actual requirement (utility billing model) or a recurrent fixed fee (subscription billing model) for the use of the information resources required and which are made available by Cloud Service Provider (CSP).
Amidst numerous legal concerns and commercial benefits of cloud computing; data sovereignty is a major concern enterprises and organizations should consider before migrating their data to the cloud. Data sovereignty entails that information which has been converted and stored in the cloud are subject to the laws of the country in which it is physically stored and located. This is pertinent because information stored in the cloud eventually ends up on a physical infrastructure owned by a CSP located in a specific country. A cloud provider may, without notice to a customer, move the user's information from one jurisdiction to another or even sub-contract the cloud services. More so, offshore cloud computing simply refers to hosting of data in the cloud which are physically stored or domiciled in another country other than the country of the data owner.
As a result of the peculiarities and risks associated with offshore cloud computing, most countries' data sovereignty laws require companies and organizations to keep certain types of data within the country of origin, or place significant restrictions on transmission outside the country of origin. Some jurisdictions including Nigeria have mandated the hosting of all Government Agencies' data within Nigeria because of their sensitive nature. Indeed, the legal protections applicable to a single piece of data might change as data is transferred across national borders, or to the control of a different entity. There are many practical reasons a company or organizations might be cautious about having its data transmitted beyond its own national borders, or held by entities under another jurisdiction's supervision. Offshore data centers in distant locations are obviously more difficult to monitor than local ones. Moreover, some parts of the world are simply more vulnerable to natural disasters, wars, "acts of god," or government intrusions. The issue of data sovereignty goes beyond mere geographical location of the data, since certain classified government information may be subjected to the laws where the data is domiciled. Governments and leading organizations are starting to recognize that the country where data is stored is critical hence the clamor for the onshore hosting of data and cloud services. This is majorly on the premise that data stored on the cloud may be subject to third party/government access without users' knowledge. Data stored in another country may be more accessible to the government under local laws when such data is subpoenaed in compliance with the provisions of the law.
CSPs are often trans-border and different countries have different legal requirements concerning personal and government information. Currently, most countries do not necessarily or specifically have comprehensive laws and regulations that apply and regulate cloud computing services. For instance, the European Union (EU) has data protection laws, but they do not address concerns in cloud computing as they apply only to personal data. In USA, cloud computing has been formally defined by the National Institute of Standards and Technology (USA NIST), it has provided a comprehensive definition of cloud computing and addressing certain issues with respect to cloud computing. New Zealand in 2013 updated its cloud computing code, CloudCode, developed by the Institute of IT Professionals NZ (IITP). In Nigeria, although there is no comprehensive legislation on cloud computing, the Office for the Nigerian Content in Information and Communication Technology (ONC) issued Guidelines "Nigerian Content Development in Information & Communication Technology", which mandated that all Government data must be hosted in Nigeria.
The data ownership and rights rest with the customer (the originator of the data) irrespective of the location where the data is stored. Unless in cases, where the rights and ownership have been legally transferred to the CSP by the customer under the appropriate law. However, the terms and conditions of service offered by CSP may sometimes suggest some medium of ownership rights, even without legal transfer. This may lead to data security threats emerging from the possibility of misuse of data by CSPs for marketing or data mining purposes. Customer data held in multiple jurisdictions depending on geographical location are affected, directly or indirectly, by subpoena law-enforcement measures. To overcome the problem of multiple jurisdictions, one of the possibilities may be to mandate the CSPs to host the data centers only in countries where they originated. Another alternative may be to impose restrictions on cross border movement of some critical information like military intelligence, tax returns, financial transactions, health records etc.
In light of the global paradigm shift, the Nigerian Government should consult relevant stakeholders to make informed contributions in drafting robust and comprehensive Data Protection Act that will also make provisions for emerging issues on cloud computing. The cloud computing laws and regulations will regulate the CSPs relationship with the customers as regards hosting of data onshore and offshore. In the interim, to enable the fulfillment of the requirements about the offshore cloud computing, the enterprise must know in which countries the cloud vendor infrastructures are deployed on which the data is stored. The CSP is to be under an obligation not to transfer the data to other countries without prior consultation and obtaining the enterprise's consent. Finally, all relevant contractual issues should be documented in a comprehensive Service Level Agreement (SLA) which must be reviewed by experienced legal advisers in order to identify the risks and mitigate them accordingly.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.