Sometimes this happens because the money comes from departmental budgets, and is spent by people who are not aware of the implications of their actions; sometimes the ignorance is higher up the food chain.
"A minority of organisations are getting very smart about incorporating information security and sovereignty into their contracts with cloud-based providers," reports Rob Rachwald, director of security strategy with Imperva (a data and application audit and security specialist), and may even go as far as auditing their cloud-based service provider.
"It will get better, because it's an evolutionary thing," he says, but at the moment, most organisations are less evolved. "When you go into the cloud, it's often because it's cheaper, and you think you can forget about hardware and software," he explains, "so a lot of organisations don't think about issues such as data security or sovereignty until there's a problem."
Cloud computing allows you to abdicate responsibility for a lot of the processes that would otherwise need to accompany their use of computing resources, but this doesn't include compliance with data protection law; so users of cloud services must know the physical location of the servers on which their data is processed and stored.
"It's as simple as asking the question," Rachwald says.
Although he warns that ensuring your service provider is contractually obliged not to transfer the data to any other countries without prior consultation and agreement can be more of a challenge. Many cloud service providers have one-size-fits all contracts and service level agreements that they are not willing to vary.
Some cloud service providers do try to make it easier for their customers to comply with data protection legislation.
"When we expand from the United States into Europe, we will have a data centre within the EU," says Eric Webster, VP of sales with cloud business continuity and disaster recovery specialist Doyenz.
"We have a worldwide agreement with Internap and will be using their co-location data centre in London," he says, so the data of European customers of Doyenz will never leave the EU. The behemoth that is Amazon Web Services also has regional data centres across the world, that service only certain geographies: the EU Region, for example, uses servers that are physically located in Ireland.
The reach of governments
However, there are scenarios where the location of your data seems to impact less on its privacy and security than the nationality of the organisation that is storing or processing it.
"The issue of whether a government or public authority can gain access to data that is located outside their national jurisdiction is a hot issue right now," says Maughan, because of the international reach of the US Patriot Act.
Sign up for Computerworld eNewsletters.