Cloud computing and privacy are innately at odds. Privacy laws apply to one country; the public cloud, in its ideal form, is not related to any country. Privacy officers should not accept "no" for an answer when asking whether the processing of personal information in the cloud or abroad is allowed. Most privacy laws have some flexibility, guidance is evolving slowly and, in many cases, there are legally acceptable solutions. Organizations should focus on the location of the legal entity of the provider, not on the physical locations of its operation centers.
There are other cases when sensitive company information should not leave the country (for example, if there are export control or national security concerns), but in most cases — and usually under conditions — in-country storage is not mandatory for privacy compliance. In some cases, it will be sufficient to ensure that personal data will not be stored in a specific country that is known for its privacy violations.
Privacy officers — and enterprise decision makers — should support IT’s cloud and offshore initiatives where possible while achieving maximum privacy protection for the individual customer or employee. This will consume 20 to 30 percent of the privacy officer's time.