The EU and the US are currently negotiating a fresh Safe Harbour agreement that retains privacy for EU citizens during transatlantic data transfers. Whatever the outcome, there are creeping data localisation laws springing up across Europe in any case, so it's tempting for private companies to strive to keep as much personal data as possible within the national borders it was produced in. Not only for security, but for compliance.
But can Europe cope with a surge in demand for local data centres? At any rate, the cloud model is changing …
Should data localisation now be standard practice?
Not according to David Barker, Technical Director at 4D, a UK data centre, cloud and colocation provider. "Data localisation is a political tool and doesn't support good technical designs or assist businesses," he says, insisting that requiring all personal data to be stored, processed and accessed only on servers within a geographical border is a knee-jerk reaction to the NSA and Edward Snowden leaks.
Others are only concerned with reacting to the fallout. "In Europe we are certainly approaching that, given the recent changes to EU data transfer laws," says Justin Giardina, Chief Technology Officer at Texas-based iland Internet Solutions, though he thinks that companies need to work with their cloud providers to manage compliance to the new laws. "Sometimes data localisation will be required, particularly for sensitive customer data."
However, it's often just as much about using advanced security technologies and following compliance processes.
Is data localisation even possible?
It may sound simple to a politician with no experience of IT, but exactly what constitutes personal data is unclear, and besides, it's hard to isolate. "Personal data is everywhere and often extremely complex to separate out so that it could be localised – it is often mixed into other general traffic on the internet," says Barker, who explains that it would require very deep packet inspection and complex routing to ensure particular data only stays within national borders. Besides, he further notes, enterprise resource planning (ERP) and customer relationship management (CRM) systems often contain mixes of data.
What could the public cloud look like?
The public cloud is dominated by AWS, with Microsoft revving up behind. Presently there is no choice on where data is stored, with the only geographical concern one of minimising latency – the closer you are to a data centre, the fewer milliseconds you have to wait when using apps and cloud BI tools. That all changes if the EU insists on data localisation.
"We can expect the major public cloud providers to start opening more local data centres with the option of hosting your data and services in those data centres," says Barker. There will also have to be much more detailed contracts between businesses and cloud providers.
Cue a new-look public cloud that's more customised, and comes with local expertise. "Public cloud providers will need to offer in-region data centres as well as data sovereignty, to assure companies that their customer data will not cross international borders," says Giardina, who thinks that public cloud customers will hence demand highly local support and service agreements.
To some extent the geographical shift has already begun. "At the moment Amazon and Microsoft are both opening UK-based data centres to supply public cloud facilities from within the UK borders primarily to meet UK government legislation," says Barker. The UK's Data Protection Act states that data must not be transferred outside the European Economic Area 'without adequate protection'.