The Dutch and Canadian governments have something in common: they both don’t like the Patriot Act when it comes to cloud services. The Patriot Act permits, under various broad and somewhat undefined circumstances, the government to access the records and data of, among others, cloud service providers.
In particular, both governments have expressed concern about the security and privacy of governmental data being maintained by cloud providers in the United States because of the possibility of disclosure of that data under the Patriot Act. I recently worked on a cloud services agreement involving data of the Canadian government. They insisted on locating the servers on which the data would reside in Canada to avoid application of the Patriot Act. This is a trend continued by the Dutch government, which others are likely to follow.
What does this mean for private businesses? It means we all need to be mindful that the laws of other countries may impact our data when stored in the cloud. For example, in one country in Asia, document retention laws applicable to cloud providers may limit the providers’ ability to delete customer data after a contract terminates. This means highly sensitive data may remain on their servers for a protracted period of time beyond termination of the agreement.
A business storing data in the cloud must ask questions about where its data will be stored and investigate local laws to determine their impact, if any, on the business' data.