Personal data in the UK is protected by the Data Protection Act, which amongst other things, mandates that personal data cannot be transmitted outside of the European Economic Area. This means that we can all sleep easy at night knowing that our data is not stored on the servers held hostage by some rogue nation but is well carefully stored 'in England's green and pleasant land'. How and where is is stored has received attention recently because it seems that it is stored on laptops left on trains, on unencrypted CD's sent via mail , memory sticks and who knows where else.
When storage of data for cloud computing is discussed, the 'Regulatory Requirements' are often cited as reasons for not being able to adopt cloud technologies. I am sure most of the readers of this blog would rather have their personal data well-managed in the cloud than in an Excel spreadsheet on a memory stick somewhere at the end of the Central Line (wherever that may be) - left there by an 'information worker' who both follows the Data Protection Act and falls asleep on the tube...
Recent events in the financial sector have tarnished the credibility of regulators and all the smart ideas that they come up with. I am skeptical about any anti-cloud regulations made up by people who lack credibility or have nefarious agendas. I sincerely doubt that any regulators have read Cryptonomicon, which gives an interesting science fiction view of the value of data (with a little sub-story where a server with data was seized only to pass though the server room door which had a very powerful electromagnet in the frame). The people who wrote and approved the regulations were probably brought up in an era when James Bond cold war movies were popular - at a time when moving very important data around required car chases, explosions and a very cool 'microfilm' camera, the contents of which had to be smuggled out in the stockings of a good looking agent.
Now we know better. The physical location of data, provided it is properly managed (in a secure location, data centre etc), is of very little importance from the point of view as to which rogue government can get their hands on it. IP addresses don't care about geography or politics and the Internet demands we think about locations where there is a good tradeoff between available bandwidth, latency and cheap power. These days we also want to keep data in multiple locations that follows the sun as the load changes or to spread data for redundancy. We want to send data around using asynchronous messaging protocols in our SOA world, where data should have the freedom to be where it is needed. I could, for example, architect a system that keeps encrypted data partitioned across two countries, the indexes in another and the private keys right here. That way if any rogue government had some court order to seize my data using a patriot act, I could let them have whatever data is in their country and show them the finger. I could build a redundant data architecture that could take a data node of the network and delete the data at a moments notice, from my mobile - the SWAT team wouldn't be able to get to the server room before the data seemingly ceased to exist.
There is more to various regulations than geographic issues - there is security, auditing, network configuration, retention and a whole host of other things. But they may be wrong, and in the context of cloud computing they need to be investigated, pushed and assessed to their practicality. After all, in terms of the UK Data Protection Act, the loophole is that as soon as the personal data is encrypted (i.e. it cannot be used to identify a person) then it is not covered by the act. All you need to do is hash the LastName field and you are done - you can store the data anywhere.
I am reminded of legislation enacted by California in the 90's when imaging and document management was picking up. In order to encourage people to archive data onto Magneto Optical disks instead of tape (which can be altered) they passed a law outlawing the use of 'rewritable media' for storage of business documents. They effectively banned paper and they rescinded the law when this was pointed out to them. Regulators don't always get it right.
Does anyone have a good summary of the 'Regulatory Requirements' that get in the way of cloud computing so that we can have a look at them?
Update: A follow-up - At least in the cloud you know where your data is
Simon Munro