Back to publications
Download the publication
8 June 2016

Choosing a “sovereign” cloud computing solution

The choice of a cloud computing solution can sometimes be a real headache for CIOs and entrepreneurs cautious of taking the timeliest decision for the backup of their data. The consequences of such a choice may be decisive given the quantity and often-strategic nature of the information entrusted to the cloud services provider.

Considering the numerous cloud offers to businesses or the public, it may sometimes be difficult to spot in the contract documentation (mostly non-negotiable general terms) the essential criteria that will reveal the actual commitments of the provider. Among these, the territory on which the data will be stored regularly appears to be determinant for security and confidentiality levels, elements in which users have great concern and legitimate high expectations.

While in the past American companies almost trusted the entire market, the increasing number of offers by providers of other nationalities is now giving clients a wider range of options. For instance, it is now possible to retain “sovereign” cloud solutions provided by companies such as Cloudwatt or Numergy, which are both French companies operating their services directly from the French territory.

European and French service providers have brought the customers’ attention to the “sovereignty” question, presented as a necessary and comforting alternative. But some US providers have quickly adapted their offers and their communication about the presence of their servers in Europe to attract customers with a seducing argument, seemingly …

These dedicated offers for the European market were quite appealing despite the actual concerns that recently appeared because of the NSA and the potential threats resulting from several US bills (such as the SCA, the FISAA laws and the Patriot Act).

This situation was acceptable until a court-decision of a US judge in April 2014. The story began in December 2013, when a US Judge ordered Microsoft to give the Court access to the contents of one of its customer’s emails stored on a server located in Ireland.

This unprecedented case gives the opportunity for a State, the United States authorities in the given situation, to interfere into the data and information stored in a third country, despite the apparent protection granted by the laws of this sovereign country.

Microsoft, which appealed against this decision, is in an embarrassing situation for two main reasons: for the sole purpose of preserving its customers trust, Microsoft may invoke the protection granted by Irish and European laws, but such position would inevitably imply the non-compliance of the company with the court injunction. If on the opposite Microsoft would choose to apply the US court decision, then the company could be in breach of the laws of the territory on which the data is stored.

If the US court decision is confirmed, European companies shall face a real threat for their data stored by US service providers, even when storage takes place on the European territory. It is not even certain that a blocking statute law, such as it exists in France, would be of any help for a US service provider having to face the pressure that a US judges would inevitably exercise in such case.

Considering this threat, the most obvious solution would be to opt, whenever possible, for “sovereign” cloud solutions operated by companies that mostly run their business outside of the United States. Companies will then save the risk of seeing their data ending up in the hands of the authorities of another State…