How the law dictates data gravity in the cloud

I’ve spoken quite a bit to date about the application-centric nature of cloud computing, and how this changes the nature of operations for the enterprise. That’s all well and good, but it should be quickly apparent that there are some constraints out there that limit what options a team has in where to place and run cloud applications.
Sure, we can talk about virtualization platforms, supported operating systems and SLAs (if SLAs even matter). However, I would argue that one of the most critical determinations of the placement of cloud workloads is also one of the weightiest: the law. I’ve called this out before, but I think there are some new elements worth exploring given recent controversy over applicable laws in the European Union and the United States.
Here’s the thing. For the most part, cloud-related laws on the books today or in the works right now are almost entirely about data, and data has “gravity,” as my friend Dave McCrory has pointed out. This is true in the sense that the more important it is, the more likely services and applications are going to move to the data, rather than vice versa.
As McCrory notes:

Consider Data as if it were a Planet or other object with sufficient mass. As Data accumulates (builds mass) there is a greater likelihood that additional Services and Applications will be attracted to this data. This is the same effect Gravity has on objects around a planet. As the mass or density increases, so does the strength of gravitational pull. As things get closer to the mass, they accelerate toward the mass at an increasingly faster velocity.
Services and Applications can have their own Gravity, but Data is the most massive and dense, therefore it has the most gravity. Data if large enough can be virtually impossible to move.

(He has since updated his theory to note that the mass is created by importance, rather than sheer volume, of data. For example, New York Stock Exchange trading data has huge “mass,” and traders routinely build and deploy applications and services as close to that data as possible. U.S. census data is huge, but its importance in most day-to-day activities is relatively less, so people draw census data into applications tied to other, more “important” data.)
So, where does the law fit in? Well, if the law dictates where data can be placed, the the law dictates where that “gravity” will reside, and therefore where workloads will be run to take advantage of that data. You can’t place a workload in a U.S. data center that requires highly personalized data from the EU, or you are breaking the law. So, if you want to “optimize” workload placement, EU law has dictated most of your options.
The irony of all this is that I predicted the importance of the law in the “flow” of applications across the globe in 2008, but it didn’t come to be as I expected. In one of my favorite all-time posts, I wrote:

If law will in fact have such an influence on cloud computing dynamics, it occurs to me that a new cost factor might outshine simple operations when it comes to choosing where to run systems; namely, legality itself. As businesses seek to optimize business processes to deliver the most competitive advantage at the lowest costs, it is quite likely that they will seek out ways to leverage legal loopholes around the world to get around barriers in any one country…
…So, run your registration process in the USA, your banking steps in Switzerland, and your gambling algorithms in the Bahamas. Or, market your child-focused alternative reality game in the US, but collect personal information exclusively on servers in Madagascar. It may still be technically illegal from a US perspective, but who do they prosecute?

It turns out that instead of taking advantage of loopholes and economic advantages in the law, business might find themselves being forced to distribute their applications in specific ways just to stay within the bounds of the same law.
Are there ways out of adherence to data “gravity,” and therefore legal restrictions to workload placement? There may be. Check out McCrory’s follow up post on Defying Data Gravity, for example. But even most of those options are about using distribution to ease the pain of data gravity from a pure technology perspective. They don’t generally address the pain of keeping data within political and legal boundaries while continuing to meet the performance and availability objectives of the users of that data.
As you think about the ways you operate cloud applications, consider the methods you will use to address legal restrictions on data placement, and the related effect that has on application operations. You’ll be way ahead of the game if you do.