There are still a lot of unknowns when it comes to Rule 41 – especially as government administrations change, new data protection rules across the world come into force (such as GDPR) and the political landscape continues to remain uncertain. Organisations are understandably concerned about where they put their data and where they choose to host their IT systems – even more so during a period of instability where regulations and laws can change quickly based on world events or public opinion.
Yet, we don’t advise getting caught up in the hype surrounding Rule 41. Some cloud providers are warning customers away from considering non-UK based hosting services, advocating ‘buy British’ as a way to avoid the ‘risks’ of Rule 41. Carrenza wants to help customers who are unsure where they stand with regard to Rule 41, and to set the record straight.
Last year, the US Department of Justice made an important amendment to the controversial Rule 41; a rule concerning how law-enforcement agencies in the US access data pertinent to a particular crime or case. In essence, it gave law enforcement agencies the permission to access information on servers and computers outside of the US. With the greatly expanded reach of Rule 41, US law enforcement agencies may, in theory, be legally able to access data stored in data centres anywhere in the world. As such, some businesses based in the UK are now concerned about working with US cloud service providers in the fear that the security of potentially sensitive corporate or customer data might be compromised.
What does Rule 41 mean for UK businesses?
The amendments to Rule 41 have proven highly controversial, since they present the potential to narrow the right to privacy for citizens not just in the US, but all over the world. British organisations that host some of their systems with providers operating data centres owned by US companies are concerned that their local laws may not apply should US law-enforcement invoke the rule to acquire access to their servers. Furthermore, UK businesses may be unsure of which jurisdiction to turn to if they receive a request from a US law-enforcement agency acting on Rule 41.
However, for data stored in the UK, it is important to remember that Rule 41 is still subject to a mutual legal assistance treaty (MLAT) operating between both countries. Additionally, all data belonging or pertaining to EU citizens and stored in data centres that are physically located within the EU will be subject to the General Data Protection Regulation (GDPR) when it comes into force in May 2018; a regulation designed to give EU citizens more control over their personal data.
Yet some UK cloud service providers have even gone so far as to warn their customers to avoid working with any technology partners who use US-based data centres. This is misleading: even with the current rules, law-enforcement agencies are usually still able to obtain the data they need, regardless of where the data centre is located. If compelling enough evidence is put forward to a data-processing company (i.e. your cloud hosting provider), it will usually be ethically obliged to help anyway. For the most part, the amendments to Rule 41 are simply intended to speed up investigations.
Choosing a Cloud Provider in light of Rule 41
For the most part, choosing the right cloud service provider for your business is about choosing the most suitable service for the workload. For example, many businesses, particularly those in highly regulated sectors, may choose to host systems in UK-based data centres because they don’t want their data to leave the UK. Nonetheless, it’s important for any company to know exactly where its data is stored and, consequently, which legal jurisdiction it falls under, particularly if the data in question is highly confidential. Organisations need to enter into hosting contracts with more awareness of where their data is hosted, which laws and regulations protect that data, and their hosting provider’s commitment to data regulation policies such as the GDPR and the Data Protection Act.
While undoubtedly controversial, some of the concerns regarding Rule 41 have been exaggerated. For many everyday applications, most of the industry-leading public cloud services are perfectly suitable from a data residency point of view, with global hosters such as Amazon and Google enabling customers to specify which data centres, in which locations, house their IT systems. However, when dealing with any cloud-based service handling highly sensitive data, customers may prefer a more tailored cloud contract that gives them more control over where data resides and over what happens when they want to retrieve data or end the contract. Carrenza often works with organisations that need to tailor their cloud requirements to a greater degree than many of the hyperscale providers, such as Azure or AWS, can facilitate. By providing a multi-cloud approach through Carrenza’s own UK cloud services and complementing this with public cloud services, we are able to offer the flexibility of a smaller, more agile provider while wrapping a bespoke contract around individual clients’ needs.
Ultimately, Rule 41 is unlikely to affect most companies based in the UK or elsewhere in Europe, as data belonging to EU citizens will still be protected by the GDPR when it comes into force. Organisations that need to be concerned about Rule 41 will likely already be in contact with the UK Home Office about how they can facilitate any requests from US law enforcement agencies. Most of us will likely remain unaffected by Rule 41, even if services are hosted with a US hosting provider.
As many of our communications move online, it’s fairly likely that there will be more and more requests for data by law enforcement agencies across the world, not just by the US. It’s probable that governments will start to create frameworks to better set out how data is protected or made available in light of law enforcement requests.
The important thing, as we always say, is to know where your data is, to understand which jurisdiction your data falls into should you receive a request under Rule 41, and to be confident that your cloud hosting provider is compliant with the major data protection policies and is also savvy about how to protect your data in light of new legislative changes, across Rule 41, GDPR and beyond.
Carrenza will be holding a number of events on the new General Data Protection Regulation (GDPR) to help you get to grips with the new regulation and how it can affect you. We are delivering these events in conjunction with Grant Thornton, giving you the opportunity to hear from experts in the industry about the impact of GDPR and how to get ready for May 2018.
Find out more about the events: /events
Delivered by HPE and Carrenza
Carrenza is an HPE Silver PartnerReady Service Provider, delivering hosting and cloud services to customers across the UK and Europe. Powered by HPE products and technologies, HPE Service Provider partners deliver a wide range of services, including dedicated hosting, hybrid cloud hosting, managed hosting, and application-specific hosting for mission-critical applications. HPE supports Carrenza in delivering its unique, UK-based multi-cloud solution through joint go-to-market initiatives and sales engagement.