This blog post is part 7 of our multipart series on data sovereignty in the cloud.
Throughout this series, we’ve discussed the various building blocks of a robust sovereign cloud strategy. By implementing some of or all these components, your organization can benefit from enhanced control over your data.
In this post, we tackle one of the key drivers for data sovereignty requirements: The jurisdiction and laws that govern your data when operating in the cloud. Much of this discussion stems from the enactment of the 2018 US CLOUD Act. The US CLOUD Act raised questions about how global cloud providers, like Oracle, evaluate and respond to law enforcement requests, especially regarding data stored or processed in jurisdictions outside the US.
It can be easy to get lost in the legal jargon, so let’s be clear: EU Sovereign Cloud offers multiple safeguards designed to provide customers reassurances regarding data access requests, including isolation, local support and operations. Legal entities also have unique provisions in their articles of incorporation and are empowered to challenge any request for customer data that originates from entities outside of the EU or EU requests that aren’t valid or enforceable under applicable law.
To provide you with reassurances regarding data access requests, Oracle has taken an approach with the following steps:
Sovereignty by design: Developing products and solutions that provide enhanced sovereignty capabilities
Legal access request evaluation: Assessing how to handle information requests submitted by law enforcement agencies and governments
Transparent reporting: Offering publicly available reports on interactions with law enforcement
Ongoing regulatory engagement: Staying abreast of legislation through regular discussions with law makers and regulators
Let’s look at how this approach provides you with both enhanced control over your data and transparency about how Oracle handles access requests.
Customers typically have direct access to the data stored in their tenancy. So, Oracle believes that you’re are generally in a better position to identify and access your own data in response to a legal access request.
For EU Sovereign Cloud, Oracle has EU legal teams responsible for evaluating each legal access request on a case-by-case basis to determine whether the disclosure request is binding and valid under applicable law.
If Oracle receives a disclosure request directly from a law enforcement or government authority, the Data Processing Agreement for Oracle Services and Oracle’s Binding Corporate Rules (BCR-p) provide for the following safeguards:
Oracle challenges any access request that isn’t binding and valid under applicable law. Some statutes, such as the US CLOUD Act, provide multiple avenues for services providers to challenge access requests.
Oracle promptly notifies the customer, including the customer’s and Oracle’s data protection authorities, without otherwise responding to the access request (Subject to the following terms).
If Oracle is expressly prohibited under applicable law from informing the customer, such as preserving the confidentiality of a criminal investigation, Oracle requests that the authority who made the request waive this nondisclosure prohibition. Oracle documents that it has requested this waiver.
Oracle requests that the authority that made the request extend the response deadline to enable the customer’s and Oracle’s data protection authorities to take a view on the validity of the request.
Oracle provides the minimum amount of information permissible when responding to a legal access request based on a reasonable interpretation of the request.
By design, Oracle built the EU Sovereign Cloud using separate EU legal entities. This structure offers more protection from non-EU data access requests. Oracle’s view is that EU Sovereign Cloud realm isolation, local support and operations, and Oracle’s process for handling data access requests supports Oracle’s position that any Oracle entity receiving a data access request under the US CLOUD Act shouldn’t have possession, custody, or control of EU Sovereign Cloud tenant data.
Oracle publishes a report every six months to provide you with information about the requests submitted to us by law enforcement agencies and governments from around the world. These law enforcement request reports are available on Oracle’s website and provide insight into the type of requests received and if Oracle provided a response.
Oracle also publishes privacy policies and cloud service contracts online, and they include clear purpose-limitation restrictions for the use of customers’ personal information and safeguards around legally required disclosure requests from law enforcement, as described earlier.
Oracle proactively engages with global regulators to ensure that Oracle Cloud Infrastructure (OCI) supports our customers’ data protection and sovereignty requirements. For example, Oracle has been closely monitoring the European Cybersecurity Certification Scheme for Cloud Services (EUCS) and other emerging cloud security frameworks to ensure OCI continues to develop products that meet market demands.
With the EU’s rapidly evolving regulatory landscape, our new EU Sovereign Cloud regions have a specific EU Sovereign Cloud Governance Committee dedicated to monitoring regulatory changes and evaluating how they might impact EU Sovereign Cloud customers. Comprised of senior EU-based employees with subject matter expertise in security, data protection, and cloud operations, the Governance Committee is chartered with ensuring that we’re addressing the needs of our EU Sovereign Cloud customers across all aspects of the product, from supply chain to HR policies. Collectively, they help ensure operational integrity and perform periodic reviews to ensure the overall effectiveness of controls and commitments.
Data protection advocates are engaged in an ongoing challenge to balance the privacy demands of citizens with government needs for information. Oracle is committed to providing organizations with the technology and flexibility they need to operate in a fast-changing global economy and a complex regulatory environment. This coverage includes delivering the cloud capabilities to help you meet data protection regulations and secure your most sensitive citizen, government, or other data.
For customers interested in using EU Sovereign Cloud, check out our brand new solution playbook, Learn about the Oracle European Union Sovereign Cloud. The solution playbook provides guidance on conceptual architectures and use cases, as well as some details regarding both the overall capabilities and operational aspects of EU Sovereign Cloud to set the context of the architectures.
If you have any questions about Oracle’s approach to legal access requests or want to learn more about Oracle sovereign cloud solutions, contact one of our representatives. You can also read more about Oracle Cloud Infrastructure’s enhanced sovereignty capabilities in the following articles: