The European Union's data protection proposals, announced earlier this week, could unsettle end users looking at cloud adoption, but European cloud providers stand to benefit, according to Andy Burton, chairman of the Cloud Industry Forum (CIF).
Speaking to Techworld at Cloud Expo Europe in London yesterday, Burton said that, while there is a risk that sovereign law could come into conflict with the new EU legislation around data protection, that risk has been greatly exaggerated.
The main concern is to do with a clash between amendments to the EU Data Protection Act – which includes the so-called “right to be forgotten” – and the US Patriot Act, which enables authorities to search telephone, email, and financial records without a court order.
The new proposed law, unveiled by EU Justice Commissioner Viviane Reding on Wednesday, states that people and organisations will have the right to ask for personal data to be deleted from servers hosted by third parties, and those service providers will have to comply unless there are “legitimate” grounds to retain it.
However, there is a potential loophole whereby, if the data is hosted by an American cloud provider, the US government could enforce the Patriot Act to examine the data, if there was a suggestion that it contained anything incriminating.
According to Burton, this is a legitimate concern, but one that will affect very few organisations. “There’s a certain amount of fear, uncertainty and doubt (FUD) being spread,” he said. “This is unlikely to be an issue in reality unless you’re involved in anything dodgy.”
This does not stop companies from worrying about their data privacy. Burton said that 73 percent of organisations serviced by CIF in Britain currently store their data in the European Economic Area (EEA), and more than two thirds of those host in the UK. This is even before the American issue has been introduced.
“It’s a very emotive issue, and I would argue that people are currently more concerned than informed,” he said.
However, cloud providers based in the European market could turn the FUD to their advantage, explained Burton. The only way that European companies can absolutely guarantee that their data doesn’t end up in the hands of US authorities is by choosing a provider that not only has a data centre within their jurisdiction, but is also owned by an organisation based in that jurisdiction.
“It also comes back to that sense that people want to work with organisations that they trust,” he added. “I mean that with no negativity towards Google or Amazon – they’re good quality businesses. But the point is they’ve not got the same personality; they’re not your local reseller.”
Burton said that the cloud vendors to watch will be the ones that enable their customers to monitor wherever their IT systems are running and wherever their data is stored. “That’s going to become more and more critical,” he said.
One company that is hoping to tap into this market is London-based infrastructure-as-a-service (IaaS) company Ospero. The company’s new distribution-as-a-service (DaaS) offering, based on the Ospero virtual grid (OvG), claims to have Viviane Reding’s “Privacy by Design” ethos at its heart, helping SaaS vendors to comply with local data protection laws outside of their own domestic markets.
“We’ve put together a network of 19 data centres through three service providers – one in Europe, one in North America and one in Asia-Pac,” explained Jason Currill, chief executive of Ospero. “We run the same kit throughout – it’s VMware end-to-end, and we picked vBlock as our backbone – so when anyone comes to host or store with us, wherever they go throughout the 19 data centres the infrastructure is exactly the same.”
Currill explained that customers can move an image from one data centre to another by simply dragging and dropping it. The data centre becomes a virtual distribution point for SaaS applications, but organisations’ data is stored locally.
While other managed hosting companies like Rackspace and Peer 1 also have data centres in Europe, they do not have the same spread (Ospero has facilities in Germany, Sweden, Portugal, Italy, Spain, the UK and the Netherlands). Currill said this was important, because some EU countries, like Germany, do not offer safe harbour from the US Patriot Act.
The new EU legislation has been widely welcomed by the cloud computing industry. Interoute, which also has a broad European footprint, said that the collation of harmonised data protection rules across 27 countries would “save organisations from a headache”. Informatica’s Charles Race also said the change will push data protection further up the corporate agenda.
However, some industry observers are concerned that the EU is moving too slowly, and warn that the onset of cloud computing could render the new rules redundant before they are actually implemented.
“If it is a further two years before internet companies are legally obliged to comply with the latest changes, will they still be relevant?” asked Francois Zimmermann, chief technology officer for Hitachi Data Systems UK. “To implement effective data management policies the rules and policies should be updated as part of an evolutionary process, with changes being introduced as and when they are needed, rather than in a raft every few years or so.”