Introduction and data politics
Who cares where data resides? The cloud is the engine of the global economy, its anti-geographical design perfect for a business world that now ignores national boundaries. That’s what’s fuelled the rise of the internet economy, but it’s coming under threat from more and more data privacy law.
The EU – keen to keep its citizens’ data from the US government – had its Safe Harbour agreement invalidated in late 2015, but transatlantic negotiations now underway will culminate in only one thing: more regionalisation of data.
What is the current state of ‘data politics’?
National governments are busy issuing edicts on where data produced within their borders can travel to, and how. For example, data protection authorities in Germany are investigating data transfers from the EU to the US by companies such as Facebook and Google. And a panel in the US Senate has just approved a bill that would allow Europeans to sue the US government in a US court if the government intentionally discloses their personal data without their permission.
“Data politics has been heating up,” says Frank Krueger, Director of Compliance at enterprise cloud hosting service provider iland, adding: “Many perceive that the EU has made it harder for global companies to do business across borders.”
Is this just interference in business from misguided politicians?
A lot of this is seen as unnecessary, but there’s a fear that it’s as much about jobs as about actual data privacy.
“There are also the additional challenges of governments potentially interfering unnecessarily in order to keep investment in data centres and data centre jobs in their own country,” says Michael Connaughton, Director Big Data, EMEA at Oracle, who calls this “potentially unnecessary protectionism”.
That’s an age-old tactic of politicians, with some fearing that EU politicians are simply trying to prevent US tech companies like Facebook, Google, Yahoo and Microsoft from operating in Europe.
What will be the effect of the latest EU data regulations?
Any new version of Safe Harbour could mean the end of transatlantic data transfer, as data becomes regionalised. “Global companies will move to hybrid cloud deployments with machines in regional data centres that act like a local wisp of a larger cloud service, honouring both the drive for cost reduction and regulatory compliance,” says Connaughton.
The hybrid cloud is destined to grow. “The new legislation will mean that global companies will need to be much more careful when transferring customer data from the EU to an international location,” says Krueger, who thinks that there could also be an increase in companies choosing to store data in Europe, therefore choosing to use local cloud service providers rather than risk cross-Atlantic data transfer.
With the migration of data from the EU to another location essentially made more difficult by adding all kinds of stipulations and approvals, it’s highly possible that companies in the EU will not take risks, and avoid using foreign (read: US-based) cloud companies.
“Opt-in and opt-out requirements are going to be a large change for US firms,” says Krueger about the scenario in the US. “They tended to operate in the opt-out space, whereas the EU has tended to operate in an opt-in fashion.”
Collection geography and regulatory compliance
It’s all about compliance and ‘collection geography’. “It is essential to know what customer data you are collecting and where it is being collected from so that data can be handled in accordance with the laws of the country from which it is sourced,” says Krueger. “Transit rules will have to be adhered to, as well as in some instances national requirements for accessing the data.”
It’s also not just about where the data sits – who is authorised to access that region’s data will also be critical.
“Does the provider provision you to a cloud that spans across multiple data centres?” asks Krueger. “If so, verify that those spanned data centres are in the right data regions – it’s not uncommon that lower-costing carriers will perform spanning, whereas others are dedicated to specific and approved geo-locations.”
Will multinationals have to use hybrid clouds and regional data centres?
Data politics may be in a new era, but the dust will have to settle on this one. The knee-jerk reaction for a company collecting data on people in Europe may be to put all of its data in a local data centre in Europe, and that way remain compliant. However, it’s more about how the cloud service provider in question handles that data in order to protect it.
“Data encryption is a key requirement here, as well as cloud security technologies including vulnerability scanning, intrusion detection, anti-virus and anti-malware that maintain security of the infrastructure that stores company data,” says Krueger.
There certainly needs to be a new division of labour. One way is for an organisation to store data in private clouds in their own data centres, and use compute resources in the cloud, thereby sending the data up for processing, and immediately bringing it back down to store the output.
“To make this work, the companies will have to invest additional time and effort in cleansing it of all personally identifiable information before sending it out for processing,” says Connaughton, who adds that they’ll also look for private clouds that integrate easily with public clouds.
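The split described above (identities stay in the private cloud, cleansed rows go up for processing, results come back down) can be sketched as follows. This is an added example, not code from the article or from any provider it names; the record fields, the key and the `cloud_total_spend` stand-in for the public-cloud job are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample records; field names are assumptions for this example.
RECORDS = [
    {"name": "Anna Schmidt", "email": "anna@example.de", "country": "DE", "spend": 120.0},
    {"name": "Luc Martin", "email": "luc@example.fr", "country": "FR", "spend": 80.0},
    {"name": "Anna Schmidt", "email": "anna@example.de", "country": "DE", "spend": 30.0},
]

DIRECT_IDENTIFIERS = {"name", "email"}   # never leave the private cloud
ALLOWED_OUT = {"country", "spend"}       # allow-list of fields sent for processing


def token_for(email: str, key: bytes) -> str:
    """Keyed pseudonym: stable per person, not reversible without the local key."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def cleanse(records, key):
    """Return (outbound rows without PII, local token -> identity map)."""
    outbound, local_map = [], {}
    for rec in records:
        tok = token_for(rec["email"], key)
        local_map[tok] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        row = {f: rec[f] for f in ALLOWED_OUT}   # anything not allow-listed is dropped
        row["subject"] = tok
        outbound.append(row)
    return outbound, local_map


def cloud_total_spend(rows):
    """Stand-in for the public-cloud job: it only ever sees tokens."""
    totals = defaultdict(float)
    for row in rows:
        totals[row["subject"]] += row["spend"]
    return dict(totals)


def rejoin(totals, local_map):
    """Back in the private cloud: attach results to real identities."""
    return {local_map[tok]["email"]: total for tok, total in totals.items()}


def run(key=b"constructed-demo-key-kept-on-premises"):
    outbound, local_map = cleanse(RECORDS, key)
    return outbound, rejoin(cloud_total_spend(outbound), local_map)
```

Keyed tokens are pseudonymisation rather than anonymisation: the fields that remain can still single people out, so the allow-list of outbound fields should stay as short as the processing job permits.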
Is regulatory compliance becoming more important than cost reduction?
Cloud computing as an industry is maturing, with the early low-cost offerings subsequently making way for speed and agility. Hot on its heels is the current trend for regulatory compliance. It’s not exciting, but it’s here – and it shouldn’t be ignored. But it’s not everything.
“The really forward thinking companies are recognising that cloud computing can help them to achieve the regulatory compliance they require,” says Krueger, who thinks that compliance should be viewed as a cost reducer akin to insurance. After all, no-one wants the audits, remediation costs and fines.
Many cloud providers, including Krueger’s own company iland, generate the regulatory documentation necessary for compliance at a fraction of the cost of having an internal compliance team.
A more capable cloud?
What does it mean to protect citizens’ digital privacy? That’s something the EU and national governments are still working on an answer to.
“The different, and overlapping, regulations cause uncertainty for organisations,” says Connaughton, but there’s a more optimistic feeling that not only is data regionalisation possible, but that this is a chance for the cloud to prove itself as a highly adaptable, customisable technology offering.
“Improvements for data security and auditing will also facilitate greater use of public cloud through the accurate classification and control of certain data types to ensure that local legislation is complied with and sensitive data does not enter a non-domiciled public cloud,” says Connaughton.
Compliance with a web of data protection legislation won’t be much fun, but in the long term it should mean a more capable cloud.