Data security and compliance are themes that have been widely recognised in Europe for some time. Following the introduction of GDPR in 2016, the CLOUD (Clarifying Lawful Overseas Use of Data) Act was passed in 2018 which enables US law enforcement to access any data owned by US domestic companies that is stored overseas for criminal investigations, writes Hiren Parekh, VP Northern Europe, OVHcloud.
In July 2020, the Privacy Shield ruling was overturned in the European Court of Justice. Privacy Shield was an EU-US agreement which provided companies on both sides of the Atlantic with a mechanism to comply with data protection requirements in support of transatlantic commerce. This means turning to Standard Contractual Clauses (SCC), but these are not without their own concerns. Factor in the Brexit-related data compliance issues and we have a very convoluted landscape.
Staying ahead of data management has clearly been a high priority for businesses for some time; however, the dash to the cloud and the changing legislation over the past 12 months have accelerated the conversation. In addition, sensitive or strategic business data seems increasingly under threat of breach as privacy becomes questionable in our new remote working environment. The truth is, despite businesses projecting a seamless data management process externally, data security, privacy and compliance are a labyrinth.
Across big business such as AWS, Microsoft, Google and the like, largely based in the US and China, there is a growing realisation that partnerships and compatibility are going to be required to navigate and overcome the EU’s GDPR and national data privacy restrictions. One might argue that for this approach to be successful, it will take more than compatible solutions, it will require a consensus rooted in industry-wide commitment to transparency and data compliance.
Industry-wide commitment
The biggest global tech companies are mostly US-based and there have been several court cases and rulings in the last year that illustrate the different approach to data sovereignty and privacy. As a result, the big tech companies are now acknowledging the different jurisdictions, such as in the EU, and adapting their environments accordingly to handle sensitive data.
At a European level, industry initiatives like GAIA-X of which OVHcloud is a founding member, reflect an example of industry-wide commitment to data transparency and security. The objective is to build a powerful ecosystem of players that share the same values and respect for data, reversibility, openness, and transparency.
The GAIA-X cloud project is a joint initiative from German and French public authorities, supported by their respective ecosystems. The goal of the project is to define the axes of influence for a trusted European cloud. With integrators, manufacturers, players in the telecom sector, and institutions, this European ecosystem exists and is united by a strong set of values.
Essentially, European or otherwise, all companies need to provide a level of trust for customers and end users. The Big 3 and Salesforce have all joined GAIA-X for instance – but clear stipulations are that they need to respect data privacy and be transparent with customers about where data is processed and stored using their infrastructure. For example, Salesforce is now putting some of the power back in the users’ hands by offering its customers choice of where their Salesforce software is physically hosted.
In addition, synergies within GAIA-X are forming to support compliance and security developments. The recent partnership between OVHcloud and German operator T-Systems is an example of this: by bringing its own infrastructure and technological stack within the T-Systems datacentre, OVHcloud is responding to a multitude of legislative restrictions, namely ensuring compliance with the General Data Protection Regulation (GDPR) and preventing exposure to the CLOUD Act, and thereby creating a trusted public cloud offering for data-sensitive businesses.
Similarly, OVHcloud will soon be introducing a new hosted private cloud offering by bringing Google’s open-source compatible Anthos technology to its own highly scalable dedicated infrastructure. Operated and managed in Europe by OVHcloud teams, it will be fully GDPR compliant and sovereign.
The impact of Brexit on data compliance across the borders
UK businesses now moving data-sensitive applications to the cloud are looking for guarantees that their data remains in the UK or within a UK datacentre while Brexit continues to present uncertainties for the EU-UK relationship. Whilst there is a 6-month extension pending as part of a post-Brexit transition, the EU will likely decide that the UK has an adequate level of data protection where personal data can continue to flow freely. Data processing across borders can play a significant role in enabling innovation and is therefore pertinent to business development.
What is particularly important is that UK companies will be required to manage the data of EU citizens using best practices and will be liable to evidence this. Having recognised certifications, or being able to control and monitor data management efficiently, will be key. This is where compliance plays a role and can help companies use data more effectively. However, a trusted cloud environment that guarantees to European countries that strategic data is protected for their states, companies, and citizens is critical to making the most of essential data.
Ultimately, the headquarters of your cloud provider dictates your data sovereignty options, while the US hyperscalers remain subject to the US CLOUD Act. Many are now understanding that data location is pivotal with regard to who can access your data and by what means. What is unclear is whether the data will transit or circulate on a common network across borders.
The latest innovations that enable speed, agility and scale are significant value-adds for business transformation but, beyond using them effectively, the real power comes in knowing where your data is processed and stored. This will become a deal breaker, and the real answer to data compliance in the UK and Europe.