Data Localization Takes Off as Regulation Uncertainty Continues
Read original article here: http://blogs.wsj.com/riskandcompliance/2016/06/06/data-localization-takes-off-as-regulation-uncertainty-continues/?cb=logged0.6155642351615276
By STEPHEN DOCKERY, WSJ
Companies are putting the pedal to the floor to get data stored in European countries as the information environment becomes complicated by a new privacy law and threatened by the possible failure of a U.S.-EU data transfer agreement.
Data center operations have been booming for years, but there’s a new urgency in setting them up to help businesses establish a creative solution to privacy regulations. Many companies are reporting a surge in clients after the invalidation of the Safe Harbor data-transfer agreement late last year and as the EU’s new General Data Protection Regulation is set to go online in two years’ time.
Firms are realizing that a centralized data model has lots of hidden risks, and localized data is a must, said Steve Wallage, a managing director at consulting firm Broadgroup.
“It’s become quite a nightmare for some of these companies,” Mr. Wallage said about the uncertain regulatory environment. “They’ve decided that a data center and cloud presence is very important.”
“I think what has happened is the data privacy issues have accelerated that,” he said.
Tech firms are offering all sorts of services that seek to control the flow of a company’s data and minimize risk. Keeping that data in the cloud and in country can help satisfy data privacy laws and put consumers at ease about government surveillance, said the head of Syncplicity, a cloud and data management company.
“They need a solution that enables them to meet that privacy standard and to meet those security standards,” said Chief Executive Jon Huberman. “We never open up the data, all we know is file names and where they sit.”
“In the case that we get subpoenaed we have access to nothing,” he said.
“Behind the scenes the data is only processed and stored in the region that is designated by the business rules,” said Brian Levine, a director of compliance at Syncplicity by Axway.
Syncplicity by Axway said it has seen three times as many bookings for its data services from the fourth quarter of last year, when Safe Harbor was invalidated, to the first quarter of this year.
Other cloud and data managers have reported similar upticks in business following the invalidation of the U.S.-EU data transfer mechanism and the heavy criticism of the replacement agreement that has yet to be approved in the EU.
For companies operating with large amounts of data in a number of European countries, data managers have created localization strategies to get company data in major hubs that have business-friendly data-protection authorities.
Data placed in Frankfurt, London or Amsterdam can give companies the distribution they need in Europe, data companies say.
Companies “already needed to put data in Europe to serve their European users,” said Doug Loewe from Interxion, a data service center provider that has reported a jump in recent European business. “You can’t have your data stored in the middle of nowhere.”
Regulatory compliance from third parties is bundled into the data deployment, Mr. Loewe said. “This third party regulatory insight is then rolled into the mix as to which country or countries is ideal to deploy with Interxion.”
Localization offers some degree of risk management, but without an overarching U.S.-EU data-transfer agreement or other new regulations it is unlikely to be the panacea many companies are after, an expert points out.
The localization services tout the ability to store data in Europe and access it in the U.S. without transferring the data to a U.S. server. But in the current regulatory landscape, that is still likely to be considered a cross-border transfer and trigger EU data regulations as if the data were in America, said Mary Hildebrand from law firm Lowenstein Sandler.
“The definition of processing under the [current privacy] directive and under the [General Data Protection Regulation] is very broad and I think it’s broad enough to encompass accessing the data from the United States or another jurisdiction,” Ms. Hildebrand said about the EU’s privacy law that will go into effect in 2018.
On the flip side, just because data is stored in Europe and only viewed in the U.S. without a transfer to an American server doesn’t mean it’s protected from the reach of U.S. enforcers, she said.
Guidance from authorities could be issued to exempt such transfers, but Ms. Hildebrand added that the U.S. treatment of technology export law is a precedent for such an approach to dealing with data that never leaves a server but is accessed by a party in another nation.
“An access from the United States could be sufficient to give them jurisdiction,” she said.