[LINK] Microsoft slams local data centre edict
steven.clark at internode.on.net
Fri Nov 25 13:15:20 AEDT 2011
On 25/11/11 09:59, Rick Welykochy wrote:
> Jan Whitaker wrote:
>> The position MS takes about not focusing on the security misses the
>> governance problem: whose law will cover the screw ups? It's not just
>> about technical security or even privacy. It is about jurisdictional
>> accountability. IANAL, but the issue of server location has seemed to
>> be powerful enough for other actions where jurisdiction comes into
>> play. Why does Microsoft say in their submission (as quoted in the
>> article) that the government could contract them to meet the local
>> jurisdictional requirements? Is that accurate?
> I have a contract with an Aussie mob which has a clause stating that
> the contract is bound by the laws governing the State of NSW in Australia,
> and that any legal actions taken with regards to the contract shall be
> heard in a court of NSW. I am currently in Canada doing the actual work.
> But if any court action arises under this contract, it will take place
> under the jurisdiction of NSW.
That's a maybe. You could always insist a matter be heard in a Canadian
court, which could decide whether or not to apply Australian/NSW law.
The Aussie mob would have to convince the Canadian court that the
balance of convenience lies with them relinquishing the matter to a NSW
court, *and* that you would not be disadvantaged in the process.

Conflict of Laws/Private International Law is fun for everyone.

What's written on the page isn't absolutely binding. Unless you accept
that it is.
> So it appears that a contract can set the terms of the jurisdiction.
> But! If the data centre is hosted offshore and another gummint decides
> to intervene and even acquire that data, there is probably little one
> could do onshore in Australia about it.
This is, perhaps, part of the concern. As would be allaying concerns
about jobs 'going offshore' (not that foreign data centre jobs were ever
here to be taken away). It is far easier to enforce domestic laws
domestically. It is also easier to conduct audits, and other compliance
procedures if you can drive to the data centre without a passport.

A service provider (or tenderer for services) might prefer to do the
work elsewhere, but the mob paying for the services ought to have some
say in the matter - not merely because they're paying for them.

American companies often whinge about having to comply with non-US legal
requirements: particularly when those laws favour the rights and
interests of others. But they're not alone. In any event, there is a
strong push towards 'common' laws in the international arena, and lots
of time spent complaining about costs of compliance with different legal
rules. It may well be 'cheaper' to deal with one set of requirements
than two or more (and that's an assumption, not a fact), but
monocultures are far less resilient than plural ones.

eHealth is already fraught with risks, and compliance costs. To remove
the data from our jurisdiction only multiplies them. Geography on its
own doesn't resolve problems, but it can certainly compound them.

Quality of service and continuity of service over international data
trunks are some of many issues that are conveniently overlooked in this
article. Single site hosting is *always* susceptible to outages - just
ask local airlines and a certain (former) internet host.