December 12, 2010
Ouch, this has got to hurt. Stuart Maxwell summed it up nicely when he said;
What was he referring to? The Inland Revenue Department in New Zealand dropped a bombshell today when it released the not-so-excitingly named alert RE 10/02. To extract the relevant section, the alert warns business in New Zealand that;
It is the Commissioner’s view that only business records stored in data centres physically located in New Zealand will comply with the record keeping obligations in the Inland Revenue Acts. Taxpayers are responsible for ensuring they comply with their record keeping obligations. Therefore, taxpayers using a cloud computing service will need to be satisfied that all their business records will be stored in data centres located in New Zealand
Data sovereignty, or “where my stuff actually is’, has long been the elephant in the room that no one wants to talk about. At the CloudCamp events I run all across Australasia, I’ve often said that of all the barriers that traditional vendors articulate as reasons not to move to the cloud, data sovereignty is the only one with any degree of validity. In a quick piece of damage control, Xero CEO Rod Drury posted explaining that Xero has been “working with the IRD for some time on a blanket dispensation and assisting IRD on policies around the cloud”.
I concur with Drury’s view that legislation (New Zealand’s in particular but globally in general) simply has not kept up with the realities of technology and that legislation needs to be amended to cover cloud hosting. However lobbying Government agencies, and actually effecting change are two very different things and commenters on the Xero post were quick to express concern about the IRD position;
Personally I’d be reluctant to breathe easy just yet until the IRD themselves actually say that yes, you are OK if you are using such-and-such a service
Does the government of the country where the data is stored have a right to see it without some sort of warrant/due cause process?
It’s a real issue of concern and one that, frankly, I’m surprised hasn’t been raised before. Xero COO Alistair Grigg and Drury do a good job of fighting the fire saying;
Being hosted in the US does technically mean that a US Government agency can request access to your data with due cause. But I don’t expect you’ve got any reason to be concerned about that.
We’re very engaged with the IRD and not expecting any issues. They have been very reasonable and understand what we are doing.
Clearly, given time, legislation will be amended to reflect the realities on the ground. Until then, how much of an impact will this have on prospective customers, especially once the early adopter market has been exhausted and more mainstream customers are needed to fuel growth, remains to be seen.