'Government Cloud Computing and the Policies of Data Sovereignty' by Kristina Irion
argues that -
Government cloud services are a new development at the intersection of electronic government and cloud computing which holds the promise of rendering government service delivery more effective and efficient. Cloud services are virtual, dynamic and potentially stateless which has triggered governments’ concern about data sovereignty. This paper explores data sovereignty in relation to government cloud services and how national strategies and international policy evolve. It concludes that for countries data sovereignty presents a legal risk which can not be adequately addressed with technology or through contractual arrangements alone. Governments therefore adopt strategies to retain exclusive jurisdiction over government information.
She concludes -
If cloud computing is the next paradigm in computing than governments can not miss this trend and continue to migrate public digital assets to cloud services. Governments find themselves in the dilemma to ensure sovereignty over data residing in the cloud which is virtual, dynamic and potentially stateless. Data sovereignty is an ideal conception of information ownership which compensates for the progressing virtualization of information where digital data is stored and processed remotely. For governments this means:
Government’s control over all virtual public assets, which are not in the public domain, irrespective whether they are stored on own or third parties’ facilities and premises, and which are governed under an effective information assurance framework, including, where appropriate, strategies to retain exclusive jurisdiction over government information.
Countries treat this issue as a legal risk which can not be adequately addressed with technology or through contractual arrangements alone. Hence, in applying their national risk management strategy the countries surveyed (US, UK, Australia, and Canada) restrict cloud solutions for sensitive government information (medium- and high-risk) to their territory which contradicts the cloud technology’s global philosophy.
The call for international policy to remedy the complexity of divergent, and at times conflicting, regulations of different countries pertaining to cloud computing can help to establish a viable commercial environment. International standard-setting may, however, not go far enough to provide a solution to governments’ data sovereignty concerns over transborder flows of government data. From a risk-management point of view the territoriality paradigm which favors national cloud services would preempt any international agreement build on mutual trust.
Besides, the concept of data sovereignty offers a proposition how to strengthen the link between the data owner and the all types of data not limited to the protection of personal information. Cloud computing presents a scenario to argue that it is not enough to update and harmonize existing regulation but to take information ownership rights to a new level.