igb at batten.eu.org
Mon Dec 20 13:20:05 GMT 2010
> In summary though, without explicit legal contracts stating that your patient data will not leave the datacentre in the UK or EU under any circumstances then you cannot proceed with that company's cloud solution without breaching the DPA - no matter what they promise is "coming soon".
I have spoken to people in government on the matter, who said that governance and jurisdiction was the main problem confronting cloud solutions, and was today pretty much an eliminator for use for any project where CESG's remit runs. The implication was that even encrypted data would be a problem (on availability rather than confidentiality or integrity grounds). I've spoken to the UK evangelist for Amazon cloud services and he was able to talk about the certifications that their data centres have (specifically HIPAA for US health data) but confirmed that although they might be able to offer EU-only data from their Dublin datacentre they would not be able to offer UK-only as they don't operate EC3/S3/etc from any UK base. It's hardly any secret that the big players in UK government IT services are building UK-based private cloud infrastructures to address this market, where they can offer location and personnel clearance guarantees.
It does strike me, speculating wildly, that one consequence of the economic problems in Eire may be to make it somewhat less of a low-tax honeypot. I'm not convinced that the sole reason for US companies setting up in Eire is low tax --- you can never underestimate the nostalgia and longing of the Irish-American community towards "the old country" --- but it's clearly one of the primary drivers, and if Eire's tax regime swung closer to the EU median then other locations would be as attractive: the UK, for example. Microsoft's BPOS offering again comes out of Eire datacentres and again has governance issues. What's interesting as well is that the UK government market isn't actually attractive enough to cause MSFT and Amazon to stir themselves from their Irish lair.