Pulling The Plug?

Written by Matthew Larbey, Product Strategy Director Published 2015-07-20 08:00:00

Away from new products and services, most discussions with customers and prospects over the past week or so have been around data movements between locations and distributed architectures.

Why? Well, the recent ruling from the Court of Justice of the European Union (CJEU) on Safe Harbor means that the transfer of EU personal data across the Atlantic (under the Safe Harbor agreement) is likely to be viewed as illegal. The end of Safe Harbor doesn't necessarily mean the end of data transfers between Europe and the US, although national regulators are now empowered to demand an end (or amendment) to transfers if they view them as unlawful.

Other methods for transfer already exist, including gaining the consent of data subjects and the use of model clauses pre-approved by the EU. But none of the options are as smooth as Safe Harbor, and the last estimate suggested that over 5,000 companies rely on Safe Harbor for transferring EU data to service infrastructure that resides in the US.

At the same time a couple of other related proposals are waiting in the wings:

The creation of a Regional (European) Cloud. This is defined as a group of compute, storage and network infrastructure bounded by a geographical border, and would mean data being created, accessed and managed only within the borders of the European Union, with data prevented from moving freely to other locations outside of the EU.

General Data Protection Regulation (GDPR). The European Commission plans to unify data protection within the European Union (EU) with a single law, the General Data Protection Regulation (GDPR). The current EU Data Protection Directive 95/46/EC does not consider important aspects like social networks and cloud computing sufficiently and the Commission determined that new guidelines for data protection and privacy were required. In June 2015, the Council of Ministers gave its clearest signal yet that it looks to reach agreement on GDPR by the end of the year. As a Regulation and not a Directive, it will have immediate effect on all 28 EU Member States after the two-year transition period and does not require any enabling legislation to be passed by governments.

These changes all have one thing in common: momentum. Some say this is natural fallout from the Snowden revelations on mass surveillance; others say this is regulation catching up with an unprecedented growth of data. Either way, the changes are only going one way. For a service provider dealing with EU personal data, this is almost a 'reset button' moment.

VIRTUS has already helped many of the world's largest companies by providing UK-based data centre facilities that allow services to be sufficiently distributed to avoid making transfers of personal data between Europe and other non-EU locations. While not the only solution by any means, using a third-party multi-tenant data centre in this way can often offer the most cost-effective (and fastest time-to-market) way to address change quickly and ensure compliance from a regulatory perspective.

As we appear to be on the cusp of a seismic change in the way data transfer is regulated, I would be interested in your own experiences and views. If you would like to share your view, please visit us on LinkedIn.