Sometimes I think I should write a travel blog instead of a privacy blog. I'm the kind of guy who likes to be outdoors and physically active, and I'm just back from hiking in Spain. Galicia has a pristine coast like Brittany, but with fewer tourists. And it's relaxing to have a few days to enjoy privacy, instead of worrying about it. If I don't feel safe hiking in a place, I sure wouldn't recommend putting a data center there.
Data centers are now big business. They're part of the fundamental infrastructure of the Web. And people naturally want to know that the data that they choose to store in the cloud will be safe. The location of data centers is one factor in ensuring that data will be safe.
Some countries have proven successful at fostering a data center industry: a few come to mind immediately, ranging from the US, UK, Ireland, Belgium, The Netherlands, Norway, Finland, Hong Kong, Singapore, Taiwan, Japan (of course there are others, but these were top of mind for me). All these countries strike me as welcoming jurisdictions, and they are succeeding in convincing international investors to put their money and host data there. Nowadays, data centers can be large investments, involving hundreds of millions of euros, creation of hi-skilled jobs, and spurring a virtuous cycle of hi-tech clustering. It's no surprise that many countries are competing to attract them.
I think there are two big factors in picking locations for data centers, namely, physical-infrastructure stuff and law.
Physical infrastructure includes: 1) cheap, reliable and renewable energy sources, 2) a cool climate to reduce electricity running costs, 3) lots of bandwidth.
But law is just as important. What's the legal/regulatory environment in each country, with regards to:
- the rule of law?
- fair legal process to validate/challenge government and law enforcement requests for user data?
- holding intermediaries liable for third-party content in the cloud?
Many countries around the world fail all of these tests. Some of them only fail one or two of them. There is no commonly-accepted "black list" of countries where international companies should avoid placing a data center. That's an interesting challenge, and perhaps deserves some public discussion. Maybe someone should do a study to rank countries according to these criteria, just as countries are regularly ranked for competitiveness. For example, companies also need to worry about opening a data center in a country where its employees could be held personally liable for third-party content hosted there. (friends, how's that for understatement?)
Maybe the safest place to put data centers, in terms of protecting users' data from government surveillance, would be on boats floating in international waters, powered by waves, cooled by sea water, and safely beyond the jurisdictional reaches of most governments. Ok, not really, but then again, try coming up with your own list of countries. And if you're having trouble concentrating, would you run the risk of landing in jail for a risky bet?