One of the benefits of cloud computing is that information can be mobile. It no longer has to be restricted by your current computer hardware. But sending personal information to another business for processing or storage can change which laws apply, as well as raising the possibility that others might be able to legally access the information.
For example, if a cloud provider does a significant amount of business overseas, the provider could be subject to overseas laws as well as New Zealand laws, even if the information is kept within New Zealand. Alternatively, if the provider doesn't have a significant presence in New Zealand it could be more difficult to enforce New Zealand laws. Different legal rules may apply depending on which country the information is in and your responsibilities may differ as a result. Location can sometimes affect the kind of relationship you can have with your cloud provider, and your options for sorting out any problems. Some countries may also raise different kinds of risks that affect the security of your data, such as the country's levels of corruption.
Of course, location could be a non-issue. The cloud provider might have the same procedures no matter where the information is located. It might only disclose information under a search warrant or court order. But it's worth asking. You're the one who needs to make the judgment about whether the location of the information will create risks that are unacceptable for you and your customers.
So try to find out where your information is going to be held and what laws apply, in case there are any fish-hooks. Have a look at the terms and conditions and ask any further questions that you need to.
Your cloud provider should be able to tell you where its data centres are. They might not be able to tell you exactly which data centre your data will be in though, because they may want to move it around in order to optimise their service.
What the provider should tell you
It's useful to have your information located in countries with similar privacy laws to New Zealand's because it's more likely that if there is a problem, there will be an effective means of sorting it out. In some jurisdictions you or your customers will be able to lay a privacy complaint directly with the local privacy commissioner. This makes it harder for your cloud provider to shirk its responsibilities.
If there isn't a local privacy law, you may need to make sure that equivalent privacy protections are specifically built into your contract with the cloud provider.
The Privacy Act says that you won't breach New Zealand law if local laws require disclosure of personal information. But you won't know if this is relevant to you unless you've checked it out. Your customers may see any disclosure of information as a breach of trust, particularly if a foreign government is involved. So, once you understand how your provider would handle any requests for information, it's a good idea to tell your customers too.
