It is possible that electronic data stored on US servers may be subject to search and seizure under the Patriot Act. Enter "patriot act analysis" into any decent search engine and a whole host of commentary will come up. A thorough and unbiased analysis and summary of the legislation can be found here: http://fas.org/irp/crs/RL31377.pdf, produced by the American Congressional Research Service at the US Library of Congress.
To mitigate this risk, review the supplier's Terms of Service, or whatever form their contract comes in. Consider terms related to whether the company who owns or operates the cloud service:
- is based in the United States of America (with regards to your last question, yes, an American company whose servers are outside the US will be obligated to - produce electronic data in its servers located anywhere in the world);
- locates its servers outside the United States of America;
- operates multiple servers in different jurisdiction;
- implements a policy to take all reasonable steps to resist producing such information even if under a subpoena; and,
- implements a policy not to make voluntary disclosure of information to government authorities without a subpoena.
Consider whether you have enough bargaining power to get the provider to agree to include these terms into the terms of service. The reality is that most of the major software as service companies run business models where it wouldn't make financial sense for them to operate servers outside the United States and won't negotiate such terms. So, for smaller nonprofits, the advice to try and get these terms into contracts is simply not practical.
You may want to focus on mitigating business risks rather than legal ones. Consider what it is that you are concerned about when dealing with servers in the US. Here are some questions that you may want to ask:
- are we more vulnerable to the exposure of personal information to hackers (which are non-jurisdiction specific) or to the issuance of a US government subpoena?
- does the cost of setting up a private storage facility outweigh the financial and business benefits of using hosted services?
- is the information being stored truly private or is the information generally available?
- are we under any specific legal obligation to maintain information within a jurisdiction (patient health information in the Province of British Columbia is one example)?
- are these risks appropriately dealt with by disclosing some appropriate risks and obtaining consent from the user?
- are other cloud models possible? private cloud? hybrid cloud?
Just for your information, the Law Society of British Columbia produces a great resources for its members to help its members to assess cloud service providers. It focuses not only on privacy compliance, but also operational risks. The checklist is of course intended for lawyers and is heavily risk averse. But, the issues raised are ones that any business or organization may want to consider: https://www.lawsociety.bc.ca/docs/practice/resources/checklist-cloud.pdf
We caution that we are not licensed to practice in the United States of America. We rely on third party information when relaying the operation of foreign laws.
We also note that the compliance information given in this answer is not legal advice, but advice of a management and compliance nature and as a result readers should use their own caution and judgment when assessing the risks to their organization of the matters discussed in this article.
Hope this helps.