Two long-simmering questions about data residency requirements have been answered, but neither resolution will fully quell cloud providers' lingering uncertainty around international data transfers.
Last week, the European Commission formally adopted the U.S.-EU Privacy Shield to provide legal cover for transatlantic data transfers. Meanwhile, a federal court overturned an order for Microsoft to provide access to a customer's emails in Ireland. Both moves provide a degree of clarity to cloud providers and customers that rely on these global networks of data centers to conduct business around the world, though more challenges lie ahead.
Privacy Shield fills the void left by the dissolution of the Safe Harbor agreement last October and is seen as an improvement for privacy and transparency, though some advocacy groups feel it still doesn't go far enough. It replaces the self-reporting model that 4,500 companies relied on through Safe Harbor with a higher bar for approval and regular reviews of participants' practices by the U.S. Department of Commerce.
The initial agreement on the Privacy Shield framework was reached in February, though there have been several adjustments since, including restrictions on bulk data collection and surveillance by the U.S. government.
CA Technologies, a global software company headquartered in New York, relied on corporate binding rules and worked with customers to update contracts with new clauses to respond to the "legal vacuum" caused by the dissolution of Safe Harbor, said Christoph Luykx, the company's EMEA government relations director.
Questions from CA customers following the end of Safe Harbor have been infrequent or low on the priority list, and mostly came up during specific contract negotiations or renewals. CA didn't have a set of stipulations it wanted to see in the new deal, as long as the framework would reflect the EU Court of Justice's concerns and provide businesses with stability and legal certainty, Luykx said.
Companies can start signing up on Aug. 1, and CA likely will sign up for Privacy Shield after its legal team reviews the full, final text. "We're in safer waters, but it's not smooth sailing, because we do have some more challenges ahead," Luykx said.
Safe Harbor was in place for almost 15 years before it was struck down last fall by the European Court of Justice. The court's ruling was based on an appeal by Max Schrems, an Austrian privacy activist who raised concerns about Facebook's use of customer data. Schrems reportedly plans to appeal Privacy Shield, as well -- but even if he doesn't, industry observers expect some form of legal challenge to crop up in the next couple of months.
Privacy Shield is an improvement from Safe Harbor, but there's still plenty of gray area, and the pending legal fights only add to the uncertainty for cloud service providers and customers, said Duncan Brown, research director for European security practices at IDC.
Some companies won't care about the effect on data transfers, but for those dealing with sensitive data, it's important to understand Privacy Shield isn't the only option, he added. Cloud service providers can use binding corporate rules or insert model contract clauses into contracts with EU customers.
"We're recommending vendors and end-user clients seriously investigate one or both of those mechanisms as a backup, and possibly as a long-term answer, to Privacy Shield," Brown said.
Cloud data center propagation not a panacea
Microsoft has said it will implement Privacy Shield, but it's unclear if other major cloud vendors will follow suit. Amazon, Google, IBM and Oracle, among others, offer EU model contract clauses for their customers.
Part of their strategy to get around data sovereignty and privacy concerns is to build data centers inside Europe, opening a crowd of new facilities in recent years, with more planned or now under construction. The vendors have built their networks to allow users to restrict the flow of data, so it stays inside Europe, or even inside a specific data center, in case the information is restricted from leaving that country.
CA is not a cloud infrastructure provider, but it does deliver software as a service hosted in multiple locations. Everyone is looking at where to put data centers based on a wide range of criteria, including cost to run and proximity to users, Luykx said. The legal ramifications are important, but these safeguards may not be sufficient for a company outside of Europe servicing a customer on the continent and needing access to databases in the EU, he added.
"A lot of the focus is on keeping the data in one data center, but it doesn't work like that," Luykx said. "Data still needs to flow."
Microsoft's win ripples through the clouds
The Privacy Shield adoption was followed just days later by a court ruling in the U.S. that signaled a further push to protect data sovereignty and quash an effort that could have deeply affected how cloud providers operate.
The Microsoft case pertained to a December 2013 warrant issued under the Stored Communications Act that required the company to turn over the contents of a customer's emails stored outside the U.S. Federal prosecutors believed the account was being used for drug trafficking, but the warrant was overturned last week by the U.S. Court of Appeals for the Second Circuit.
In the earliest days of cloud computing, the pitch was it didn't matter where your data resided, but it turns out that thinking was wrong, Brown said. This ruling is important because it essentially prevents U.S. law enforcement agencies from being able to reach into any U.S.-based companies' data centers around the world to extract information, he added.
"The fact that they won is not only good news for them, but good news for everybody, because it reasserts that residency is important," Brown said.
More than two dozen media and technology companies filed amicus briefs in support of Microsoft, including cloud vendors, such as Amazon, Salesforce and Rackspace. The ruling "paves the way for better solutions to address both privacy and law enforcement needs," said Brad Smith, Microsoft president and chief legal officer, in a blog post.
Smith called for replacement of the decades-old laws governing data protection with a new International Communications Privacy Act, and he praised the work by the U.S. Justice Department to pursue a bilateral treaty with the United Kingdom on this particular issue.
All of these issues likely will be revisited when the General Data Protection Regulation goes into effect in the EU in 2018. Europe is leading the way on this issue and the new agreement "raises the bar" for data protection and privacy, including an extraterritorial clause that covers data about EU citizens irrespective of where that data is physically processed, Brown said.
So, despite the lingering uncertainty around international data transfers, the Microsoft case and Privacy Shield have, at the very least, served as a wake-up call.
"What [these events] have done is shed a light on the whole area of data transfers and data residency," Brown said. "There is a much better understanding of the issue, and understanding by U.S.-based cloud providers that it genuinely is an issue for some EU-based companies."
Trevor Jones is a news writer with TechTarget's data center and virtualization media group. Contact him at firstname.lastname@example.org.