By: Robert Bath, VP Global Solutions and Tom Kingham, Director Sales Engineering, EMEA
On October 6, the European Court of Justice ruled that Decision 2000/520 of the European Commission, which stated that Safe Harbour-certified US companies provide adequate protection for personal data transferred to them from the EU (the Safe Harbour Adequacy Decision), is invalid. The judgment is immediately effective without a grace period. The ruling invalidated the Safe Harbour framework that had been in place between the European Union and the United States since 2000. The framework gave companies the ability to move personal data of European data subjects to the US, even though U.S. laws were not deemed “adequate as a general matter”. To participate in the framework, U.S. data importers were obliged to self-certify to a series of principles designed to ensure personal privacy was protected. In response, the EU Commission and US negotiators are attempting to reach agreement on a new version of Safe Harbour, dubbed “Safe Harbour 2.0”, before the end of January 2016, when the Data Protection Authorities (as the Article 29 Working Group) have stated that enforcement against companies for relying on the (now invalid) old framework will begin.
So, what does this invalidation mean for the more than 4,000 companies which had previously relied upon Safe Harbour to justify U.S.-based service providers or affiliates accessing EU personal data? Each now needs to carefully review its data processing strategies and identify whether contractual or operational changes are required to maintain compliance, especially in light of the risk that Safe Harbour 2.0 is not adopted in time or is itself invalidated.
One potential avenue for companies to avoid relying on the Safe Harbour framework is to open data centres in the EU for storage of the data of EU citizens. Such data-localisation activity, driven partially by longstanding Safe Harbour concerns, has already started. For example, US-based NetSuite has announced plans to open a new outsourced data centre in Dublin, while Google is expanding its facility in Belgium and building another data centre in The Netherlands.
However, building your own data centre is not an appropriate strategy for all organisations who wish to establish an EU presence. The cost of establishing, maintaining, and supporting connectivity to a dedicated private data centre is simply out of the reach of many firms. An alternative for those firms is to leverage a local data centre service provider who can connect them to the cloud and to other data centres in an agile fashion.
Digital Realty is positioned to help customers who wish to establish a presence in an EU-located data centre while meeting their cloud and colocation needs through a hybrid architecture. The combination of our robust European platform, colocation offering, and direct connections to cloud providers (offering in-region capacity) allows us to help firms of all sizes adopt the right solution.
Taking a hybrid approach to the challenge can deliver additional benefits. By selecting the right partner with a strong European presence, organisations will be able to become part of an ecosystem that provides capacity and connectivity wherever it’s required. We call it the ‘elastic hybrid cloud’.
Broader opportunities for the region?
Rather than being merely an onerous drag on companies, concerns about EU data requirements could well provide a shot in the arm for digital investment. The region already has a leading data centre and network infrastructure. Further investment in this vital capacity as demand continues to increase could spark innovation among governments and local IT firms and will also ensure firms have access to the capacity and flexibility they require for future growth.
Digital Realty is poised to help companies and cloud firms continue to grow, in spite of any uncertainty arising from this Court of Justice ruling, and assist with laying the groundwork for the realisation of the ‘elastic hybrid cloud’ in Europe and beyond.
We will continue to work with our clients as they adapt to the changing regulatory landscape while at the same time positioning them to take full advantage of future opportunities.