Privacy, ESPs, Protecting Your Data, and the Law

The NSA revelations of last year, the enactment of the Canadian Anti-Spam Law (CASL) in June, and recent European Commission meetings have brought issues of privacy and national data control to the forefront of the minds of IT professionals and technology users around the world. Although many countries, such as Egypt, UAE, and Malaysia, still have no data privacy laws, most industrialized nations are looking to beef up their data protection regulations as soon as possible. In some cases, this is the result of Edward Snowden’s revelations about the NSA. Brazil didn’t worry much about its data protection policies until President Dilma Rousseff found out that the NSA was tapping her phone. Then the Brazilian Internet Law (Marco Civil da Internet) was quickly passed.

Another trend we’re seeing is the shift in data policies and country borders. In Russia, for instance, a new law was passed by the Duma requiring that the “systematization, accumulation, storage, updating and retrieval of personal data of citizens of the Russian Federation, [must be] held on databases located in the territory of the Russian Federation.” This law takes effect in 2016. Even countries such as Germany, which already have stricter-than-average data privacy laws, continue to tighten them with new legislation.

Where’s My Data?

Where once there was very little legislation governing things such as email lists and opt-in verification, countries and states are now looking to get tough on data breaches and information misuse. This gets a lot harder to do when you don’t know where the data resides.

As anti-spam laws become more stringent, countries such as Canada require that businesses keep subscriber records secure, well-verified, and up-to-date. Recent developments indicate that, if anything, this trend toward greater accountability is growing. New York Times Business Correspondent Danny Hakim recently observed that the words “cloud computing” did not appear in the European Commission’s general data protection regulation when it was introduced in 2012, but they do now. “The European Union wants to regulate the cloud even if that makes its use more complicated,” Mr. Hakim wrote. Not everyone in the European Commission supports these regulations, but they demonstrate the extent to which governments are willing to become involved if businesses don’t do a better job of securing their data.

For this reason, a stronger emphasis is being placed on the use of location-specific data sources. After all, it’s hard to comply with the laws when you don’t know exactly where your files reside. Armed with this information, country and state authorities can better determine where the problems in the information chain occur, and companies can avoid potential problems by keeping control over the information, rather than turning it over to third parties.

Hopping Off the Cloud

One side effect of this is a decreased interest in cloud-based solutions. In Germany, for instance, cloud grew only three percent in 2013, compared with nine percent the previous year. Oracle, a company that relies heavily on cloud-based solutions, saw a dip in its orders between 2013 and 2014 everywhere except the Americas. In an NPR report, Cisco senior vice president of security Christopher Young acknowledged that this was an issue, especially outside the U.S. “[Y]ou can go to Latin America, you can go to Europe, to Asia, and there’s many examples of customers asking those questions.”

This is quite a change from two years ago, when all the chatter on the Internet was about doing things “in the cloud.” Companies bent over backwards to promote their “cloud-based” solutions. Now, we are seeing a shift away from this everything-in-the-cloud approach to a more thoughtful approach. For low-security needs, people still use cloud solutions, but when data security and national laws enter the picture, on-premise (“on-prem”) platforms clearly have an edge.

Keeping the Borders Closed

As Symantec pointed out in a recent article on their site, “[a benefit of] an on-premises delivery model, particularly for organizations with regulatory requirements, would be the twin needs of identifying and securing an organization’s sensitive information. On-premise deployment of these technologies offers capabilities that meet the needs of finding sensitive information where it lives and allowing appropriate access to authorized users. …[On-premise email solutions] permit complete control over the custody of data. … This is a critical consideration in a variety of situations.”

Hey You, Get Off of My Cloud

On the Journal of International Law and Politics New York Forum (JILP), an Australian author explaining why Australians should use Australian-based cloud systems inadvertently explains exactly why people are opting for on-premise systems: “[W]hen you take advantage of locally (in an international sense) based service here in Australia, you’re getting an extra layer of protection. [These] solutions will be governed by Australian law (and not the laws of some other nation)….You’ll never be at the mercy of a foreign government or foreign agent or the changing winds of their security policies – and as an Australian citizen using Australian-based cloud solutions you’ll have a voice in the rules, regulations, and laws governing the security and protection (as well as the enforcement of) those policies moving forward.”

While the JILP author is correct that a cloud-based system within a country’s borders affords that extra layer of state protection, it doesn’t address the problem that comes with any cloud-based system: you never really know where it is. The service might say it is local, but it could be anywhere. If asked where your data is, the best you can do is wave your hand and say, “It’s out there somewhere.” On-premise has no such limitations. When asked where your data is, you can point directly at your servers and say, “It’s right there.” This kind of locality is hard to beat.

Compliance is Not Negotiable

The key here is compliance, legal compliance, that is, and in email marketing, compliance is non-negotiable. As Bill Claybrook points out on TechTarget: “Compliance is viewed as a big obstacle toward widespread cloud adoption, and rightly so. It is driven by law and legislation so there is no choice but to comply.” He also points out that “Some regulations stipulate where sensitive information can and cannot reside.” If that information must reside in the country of origin, then an on-premise email marketing system will settle the matter.

At Goolara we offer both solutions—hosted and on-premise—so we don’t have a dog in this fight. We see the advantages of each system for different purposes. For many companies, particularly those with minimal or shaky IT departments, a hosted solution is usually a better choice, but a company with a strong IT department and tight security is better off keeping things in-house. If you are not sure which solution is best for you, give us a call. We can assess your needs quickly and accurately and give you our recommendation based on your individual business factors.
