Cloud services – location location location
Last week, we saw the launch of a new and powerful IaaS service (vCloud) from Foreshore (Jersey). Why would you choose to host your Cloud based services with a supplier who will undoubtedly charge more than a big player such as Microsoft? It may seem an unusual question, so here are my thoughts on what to consider before shipping your data to a different location in order to reduce (immediate) costs.
What’s a jurisdiction?
- A jurisdiction is more than just a location. For example, knowing that your Internet transaction processing system is hosted in the USA isn’t enough – you need to know which state(s) it is in and understand the legal and tax implications of being located in those states.
- You need to look at the legal and tax implications of all the relevant jurisdictions, including where you and your business are located, where the hosted servers physically are (including any disaster recovery facility) and also where your hosting provider’s headquarters are.
- Where do your clients think their data physically is?
- Do your clients actually care where their data is ? For example, a Trust client usually takes a keen interest in data jurisdiction, whereas a client of an online shop probably takes no interest as long as their data is secure and their goods are delivered.
- How would your clients react if their data was hosted in a different location to where they thought it was?
- Do any of your client agreements specify the physical location or jurisdiction of their data? If you haven’t repapered clients recently and sought their agreement to the changes (if required), you may be bound by legacy agreements.
- Do your client agreements make provision for you to transfer their data to any other jurisdiction of your choice?
- If you have ‘click-wrap’ agreements, this may be easier for you. In other words, if you have the ability to change your agreements and simply republish online for them to become effective.
Legal and regulatory
- Have you ensured that the jurisdiction you are considering for hosting has data protection, regulatory and legal standards at least as high as your current location? For example, would you want to be associated with a non-white listed OECD country by hosting your data there?
- For example, Singapore does not have one unified data protection law. Instead, it is subject to over 140 disparate and sector specific statutes that regulate the use and disclosure of personal data.
- Some jurisdictions could have more stringent laws than your current jurisdiction. For example, Germany currently has some of the most onerous data protection laws in Europe. This may place more demands on your organisation.
- How will you maintain compliance across multiple jurisdictions? For example, the storage and processing of payment card data.
- If the relationship between you and the hosting provider turns sour, are you comfortable with the legal process in their jurisdiction? You may need to use it.
- Does your regulatory regime require you to physically inspect the data centre used?
- Microsoft, being a USA company, have confirmed that their European data centres are subject to the USA Patriot act. Are you comfortable with this?
- Have you taken taxation advice about the jurisdictions, to determine if you will need to pay tax there? You need to think about where you are, where your company’s operations are, where your clicnts are and where you are hosting.
- If you host a transactional website in the USA, it can create a taxable presence for USA federal income tax purposes. Just storing data would not usually be deemed to be conducting business for USA tax purposes, however the activity can be treated as the conduct of business if the non-USA person stores data for the account of others or allows clients or other third parties access to the data. Click here to read an interesting document regarding the USA tax implications – it’s written for Australians but the principle is the same.
- If you are considering hosting in the USA, don’t forget that the USA has fifty states (hence it’s name!), each with it’s own laws and taxation regime. Make sure you know which state(s) your data will be in and how that state’s laws and taxation will impact you. Click here to read about the Amazon challenge on a new California tax as an example.
- If you host a transactional website in Singapore, you could be liable for Singapore tax if it is deemed that your Singapore presence is deemed a permanent establishment – ie you have a fixed place of business in Singapore and you carry-out your business activities wholly or partly through that place. You can start to see that a hosted Internet transaction website could be deemed as taxable in a jurisdiction other than where you may be located.
- Is there a double taxation agreement in place between your business jurisdiction and the hosting jurisdiction? You don’t want to pay tax twice!
Don't forget the companies and individuals (such as consultants) that you work with. Are they storing and/or processing any data for you? If so, you need to make sure that you know where that data is and who has access to it.
And finally ….
The message here is that all that glitters is not necessarily the most appropriate for you and your business. An apparently low cost solution may not be the best solution for your business.
Look before you leap to an apparently lower cost supplier and different jurisdiction.