SAP's Ettling warns of new data law trouble for cloud

Phil Wainewright, November 12, 2015
SAP SuccessFactors president Mike Ettling has warned of trouble ahead for cloud providers as other countries mull versions of Russia's data sovereignty law

Mike Ettling at SuccessConnect EMEA 2015

SAP SuccessFactors president Mike Ettling has warned of "major trouble for the cloud industry" if more countries follow Russia's example in bringing in laws that require certain types of personal data to be stored in-country.

The Russian law, which requires personal data about Russian citizens be kept on servers located within Russia, came into force on September 1st. SAP opened a Moscow datacenter in September, in part to comply with the new law.

Speaking to media at this week's SuccessConnect conference in Rome, Ettling said that the Russian data law was a more significant development than the recent striking down of the 'Safe Harbor' arrangement that had allowed US providers to host EU data. It raised the prospect of separate countries each having their own rules about what type of data had to be stored in-country.

Data sovereignty is going to become a bigger challenge for the cloud industry.

We know about twenty countries looking at this type of law. If more countries contemplate this type of law it could spell major trouble for the cloud industry.

There's no United Nations of data, each country is looking at its own specific types of data. The only way to deal with it is to store specific data in-country. It's expensive.

Rearchitecting for local storage

SuccessFactors has taken steps to ensure that its HCM software products handle data about employees in a way that complies with the new Russian law. Because the software is cloud-based, this ultimately means rearchitecting the way it operates — to allow for the data to be processed at runtime in a different country from where the data is persistently stored, as senior VP of product management Dmitri Krakovsky explained to me:

We have a short-term solution and a long-term solution. The longer-term solution is, we're working on essentially separating runtime from persistence.

You could have a runtime that runs in Germany, but the employee data gets persisted based on local rules. If you're a company that's multinational, Russian citizens get persisted in a database in Russia, UK in the UK, Germans in Germany, so separating runtime from persistence.

Migration to HANA will help with compliance, as the database runs in-memory, which will avoid having to write data to disk for processing purposes. But in order to comply in time for Russia's September 1st deadline, SAP has implemented what Krakovsky called a "poor man's version" of the ideal solution. This is because the Russian law currently allows for additional processing of the data elsewhere, provided its home base is in Russia, he said.

We essentially have a way where we copy data. It gets stored in Russia [and] you have a Russian instance — we have a Russian datacenter now in Moscow. Then we copy it out and just process it, to consolidate with the rest of the employees.

Although it's a little bit awkward at the moment, we can comply technically with the Russian law.

Competitive advantage

Despite having to meet the additional requirements of new data protection laws, SAP sees its strong European operations as a competitive advantage against other more US-centric rivals. In addition to its European datacenters, the operations teams that oversee the SuccessFactors datacenters are also based in Europe. As Ettling told delegates in Rome this week:

The old legislative environment basically is dead.

We can commit to run operations in Europe, which keeps us compliant. Most providers would split operations. The people who run the operations now need to be in Europe.

Krakovsky revealed that SuccessFactors now has more than a thousand customers in Europe (out of a total of four and a half thousand globally). He said that more than four hundred members of the product team are based at various locations across Europe, and there are support teams in Europe too. This means those customers can ensure their SuccessFactors instances are entirely in European hands, he said.

It's not just where the data is stored, which is what a lot of Safe Harbor dealt with, but also who gets to access the data.

For European customers, we guarantee that their data gets only touched by European personnel.

It's not just that we sell in Europe, we also deliver in Europe.

Extra burden

Nevertheless, the need to keep pace with changing data privacy laws imposes an extra burden that is not getting any easier. Krakovsky explained:

It's becoming very expensive. It's also hard legislatively because, in Russia, the cases have not been legally argued yet.

There is a law. Nobody has challenged the law. At some point, somebody will challenge the law. Then there will be case law. There is no case law right now.

We do the best we can with our customers, too, to interpret what the law means and where are the boundaries around it. It's becoming definitely a more legally involved problem.

SAP does engage with policymakers, especially in Germany and the EU, but has to work with whatever ends up being enacted, he said.

Some of this evolves the way it evolves. You could try and influence it, but you also have to be compliant with the laws because you get shut down if you're not. Our customers are very nervous about this, too.

With customers relying on providers to give them the tools to enable them to stay compliant, it's important to keep investing in the right assets, he said.

It's a combination of smarter software, it's also investment in the infrastructure in a lot of these countries and investment in personnel to be compliant as well.

That's where being SAP is a good thing because you have the infrastructure — people in countries who monitor rules and regulations and feed it back into the system. That's an expensive infrastructure to build.

SAP is able to reuse approaches developed in individual countries when such requirements start to appear elsewhere, he added.

A lot of this early data privacy and data retention came to us from the customers in Germany and Austria where the laws are a lot stricter. More and more now in a lot of other countries, people are asking — particularly with the NSA and all the spy cases and whatnot — 'What should we do?'

For some of this we have solutions. That's something originated [in one place], but could be used anywhere else because it's built in the software.

My take

Further fragmentation in data privacy laws around the globe is certainly going to make life harder for cloud providers and more expensive for their customers. Whether the motivation is to protect citizens from the depredations of foreign spies or to make it easier for security services to keep tabs on what their own citizens are up to, data localization on the Russian model is in direct conflict with the go-anywhere networking of the cloud ideal.

As SuccessFactors shows, these emerging requirements are not impossible to comply with, but they do demand careful planning to ensure that the software operates on and stores the relevant data in the right location and with the correct safeguards. The problem Ettling highlights is that if each country stipulates different rules on what types of data are affected and how they should be handled, it will become increasingly complex to manage.

All of that costs extra money in software development and support, bandwidth fees and hosting facilities. It may also have performance impacts if data has to be fetched from one or more in-country storage locations before an operation can be completed.

In highlighting this issue, Ettling is sounding a warning bell that this trend is bad news for the cloud industry. But he's also trumpeting what he sees as a competitive advantage for SuccessFactors. With a datacenter already operating in Moscow and another due to open in São Paulo next year, it is ahead of other cloud-based HCM providers in its readiness to comply with the emerging wave of data sovereignty laws.

Others will likely argue that Ettling is overstating the risks for competitive reasons, but in the end it is customers, not their software providers, who pay the penalty for non-compliance — and who will therefore demand solutions, at whatever cost.

Image credits: Mike Ettling on stage in Rome by @philww.

Disclosure: SAP is a diginomica premier partner and paid my travel expenses to attend the SuccessConnect EMEA event.
