Exporting through the Cloud – Where is Your Data Going?
Use of cloud-based services has grown rapidly over the last five years. Cloud service providers (“Cloud Providers”) are growing in number, and cloud-based offerings are reaching the general public with increasing frequency. Many companies are choosing to host Software-as-a-Service (SaaS) products and other offerings in “the cloud,” and many companies, from start-ups to publicly traded companies, view the Cloud as a solution to various needs.
One of the many reasons why Cloud Providers can make more money than providers of typical location-based or virtual servers is that Cloud Providers often move some or all of a customer’s data to servers in different data centers in different countries, allowing them to take advantage of load balancing or lower-price opportunities for electricity and other costs.
If you are a customer of a Cloud Provider and are exporting any technology, data or services outside of the United States, you may be subject to the export control laws of the United States, including but not limited to the Export Administration Regulations (“EAR”). Who enforces the EAR? The Bureau of Industry and Security (“BIS”). The BIS and EAR exist to control the export or deemed export of sensitive information that may impact national security, and the export of information to countries under sanctions, boycott, etc.
If a Cloud Provider moves or transfers sensitive data, or an application worthy of export regulation, outside of the United States (an export), who is liable? According to two advisory opinions issued by BIS (January 13, 2009 and January 11, 2011) relating to Cloud Providers and services, the customer of the Cloud Provider is the most likely candidate for responsibility. Essentially, the BIS believes that Cloud Providers are not the “exporter” of a customer’s data and applications, even when the Cloud Provider is the party responsible for transferring such information to another destination outside of the United States. The wisdom of these opinions remains to be seen and/or conclusively tested. But (currently) in the eyes of the BIS, export obligations in connection with cloud-based international transfers of data and applications rest with the customer of the Cloud Provider.
What should a customer of a Cloud Provider do to avoid problems when using Cloud Providers? Here are a few suggestions to get you started:
- Create and maintain policies to ensure compliance with export law.
- Analyze data and applications for export control applicability and compliance before uploading to the cloud.
- Make sure the Cloud Provider is reputable and operationally adequate (and/or has no locations outside of the United States and doesn’t employ foreign nationals, both of which might subject a transfer to a “deemed export” classification).
- Restrict (by written agreement) the geographical locations to which a Cloud Provider can transfer your data and applications. Restrict (by written agreement) the nationality of personnel who are involved in providing any service related to the cloud services of the Cloud Provider.
- Include audit rights in your Cloud Provider agreement to ensure compliance with law and the terms of the agreement.
- Select a Cloud Provider that can provide cloud-based services that are export control compliant.
- Draft a request for an advisory opinion (with proper facts) that will persuade BIS to change or soften its position, or push for a change to the above-mentioned advisory opinions or in the EAR.
Export control laws and regulations are extensive and require excellent organizational skills and patience to navigate. Because of strict liability (including civil and criminal penalties) for non-compliance, export laws (including when considering cloud-based services) should not be ignored. The above items are only prophylactic protection and are not a substitute for verification of compliance or alternative means of storing data and/or hosting applications.