Secret plans to rip up data sovereignty rules, but does data center location matter any more?
- Summary:
- There are plans to ban national data sovereignty restrictions underway, but Gartner reckons it's time to stop worrying about where data centers are located.
Wikileaks recently issued details of a draft trade treaty being negotiated in secret which could blow existing policies on data sovereignty into a million pieces.
For the cloud services industry, the treaty - if implemented - would finally bar signatory countries from coming up with rules to prevent data held in the cloud from being stored and processed outside national borders.
The proposals are included in an annex to the Trade in Services Agreement (TISA), which is currently in closed-door negotiation among representatives from the US, Canada, Australia, New Zealand, Japan and the 28 nations of the European Union. (No China, no Russia, no BRIC countries.)
Article X.11 of the annex is the one that matters. It states:
No Party shall take measures that prevent transfers of information or the processing of financial information, including transfers of data by electronic means, into and out of its territory, for data processing or that, subject to importation rules consistent with international agreements, prevent transfers of equipment, where such transfers of information, processing of financial information or transfers of equipment are necessary for the conduct of the ordinary business of a financial service supplier.
The negotiations are actually being led by the US and the UK, both keen to ensure that New York and London reinforce their roles as the leading global financial centers. As such, the draft refers mainly to financial data, but the principles established here have wide-ranging applicability across sectors.
According to Wikileaks:
The draft Financial Services Annex sets rules which would assist the expansion of financial multinationals - mainly headquartered in New York, London, Paris and Frankfurt - into other nations by preventing regulatory barriers. The leaked draft also shows that the US is particularly keen on boosting cross-border data flow, which would allow uninhibited exchange of personal and financial data.
The cloud services lobby
Law professor Jane Kelsey of Auckland University says that it's the US IT and cloud industries that are lobbying hardest to prevent governments from insisting that data be stored and processed locally. In her view:
The entire services lobby wants to stop governments from requiring data to be processed and stored locally. The firms that dominate cloud-based technology are mostly US-based. US firms also dominate the information and communications technology sector in general.
Kelsey specifically cites two proposals of interest, the first from the EU, the second from the US.
The EU one is simple: no one is to be allowed to prevent cross-border data transfer.
And yes, this would be the same EU whose officials have been making such a song and dance about data sovereignty post-PRISM and demanding tougher data protection rules be put in place.
If this proposal is accepted, says Kelsey:
The state’s right to protect personal data, personal privacy and confidentiality is limited by an obligation not to use that right to circumvent the provisions of TISA. This is a catch-22: the government cannot adopt any privacy etc measures if they arguably breach any provisions of TISA. But they could have taken such measures anyway!
The US proposal is much more direct, she explains:
It wants a blanket right for a financial services supplier from a TISA party to transfer information in electronic or other form in and out of the territory of another TISA party for data processing where that is an ordinary part of their business. It is hard to think of a form of financial service where data processing is not part of the business. This obligation is stated in a positive, unfettered form. There is no pretence of any right for the state to protect personal privacy and data.
In both cases, however, personal privacy plays second fiddle, she warns:
TISA does not affect states’ ability to require disclosure of information, presumably to the government, about individuals. It is not concerned with protecting personal privacy or preventing those who hold the personal data from abusing it for commercial or political purposes.
When data is held offshore it becomes almost impossible for states to control data usage and impose legal liability. Protecting data from abuse by states has become especially sensitive since the Snowden revelations about US use of domestic laws or practices to access personal data across the world.
Does any of it matter?
Interestingly, research firm Gartner has just come out with a feisty claim that we should all stop worrying so much about the physical location of our data, arguing that post-Snowden it is only one factor among several.
By around 2020, what will matter most in most organizations is a mix of legal, political and logical location.
Gartner identifies four types of data location:
- Physical. Gartner argues that while organizations have historically equated physical proximity to data with physical control over that data, the reality is that locally stored data can still be accessed remotely. As such, physical location concerns need to be risk-balanced against the other factors below.
- Legal. Legal location is determined by the legal entity that controls the data, i.e. the organization. Gartner points out that several legal entities can be involved, such as a service provider that processes the data on behalf of the first entity, or a captive offshore data center that supports that second entity in its role.
- Political. Essentially this one is all about perception. If you're a government body or a reputation-sensitive commercial organization, then you're going to need to factor in considerations such as law enforcement access requests, the use of inexpensive labor forces overseas and questions of international political balance.
- Logical. Logical location is determined by who has access to the data at any given time. The data may be owned by a company headquartered in one country, but processed by a cloud services firm headquartered in another, through a subsidiary in a third country. The data's logical location would be that of the country where the owning company is headquartered.
In reality there is no single answer, states Gartner. The firm cites the example of a German company signing a contract with the Irish subsidiary of a US cloud provider, which backs up its data physically in a data center in India. Logically all the data would be in Germany, but legally it would be in Ireland, politically in the US and physically in India.
Gartner research vice president Carsten Casper argues:
None of the types of data location solves the data residency problem alone. The future will be hybrid: organizations will be using multiple locations with multiple service delivery models.
IT leaders can structure the discussion with various stakeholders, but eventually, it's the business leader who has to make a decision, based on the input from general counsel, compliance officers, the information security team, privacy professionals and the CIO.
Statements like ‘it's illegal to store such data outside the country’ are often interpretations of legal language that is far less clear. Each organization must decide whether they accept those interpretations.
My Take
Casper adds with a striking note of pragmatism that in the end it might not matter that much anyway:
While public outrage is still high about data storage abroad, there is little evidence that consumers really change their buying behavior.
That's not going to stop cloud service firms from trying to put their data sovereignty houses in order as best they can. Salesforce.com is already committed to opening data centers in the UK, France and Germany. Oracle has opened a public-sector-specific data center in Scotland to serve the UK government market. NetSuite has its own plans for a European data center presence. And so it goes on.
Just this week, IBM SoftLayer opened a new London data center, the latest of 15 to open across Europe as part of its plans to open 40 centers across five continents to serve its global clientele.
Lance Crosby, SoftLayer CEO, said:
This is part of our overall expansion; we're not just building here but around the globe. We are extending into Asia, Australia and ultimately the goal is for us to have two data centres in each major country around the world... to pick and choose exactly which data center you are in.
Meanwhile, next time an EU official gets on their hind legs to bang on about data sovereignty, let's bear in mind what's going on behind other closed doors.