ServiceNow makes ‘multi-million euro investment in EU services’ as data transfer regulations get murky

By Derek du Preez, July 8, 2021
Summary:
The recent Schrems II judgement, which essentially invalidates the Privacy Shield framework for data transfers between the EU and US, creates a complicated environment for cloud customers.

ServiceNow has announced that it will be making a multi-million euro investment, including opening over 80 new roles across the EU, to allow customers the choice to have their EU-hosted data always handled exclusively within the EU. Current ServiceNow customers will be able to opt in to this EU-specific offering, at no additional cost, from early 2022.

The move to offer services designed specifically for EU organizations comes as regulations around data transfers between the EU and the US - which are frequent for customers of US cloud vendors, with data centers hosted globally - become increasingly complex and difficult to navigate. 

We have written at length about the Privacy Shield framework that has governed data flows between the US and the EU for the past few years. This framework was essentially invalidated recently after an Austrian data protection activist - Maximilian Schrems - won a case in the Court of Justice for the EU arguing that Privacy Shield was insufficient to warrant the US's partial adequacy decision, given the US government's data gathering and surveillance initiatives. 

Whilst the ramifications of the ‘Schrems II judgement’ rumble on and data protection experts get to grips with what this means for data transfers between the EU and the US, the European Data Protection Board issued a number of recommendations that include:

  • Mapping all transfers of personal data to third countries

  • Verifying the transfer tool your transfer relies on

  • Assessing whether there is anything in the law or practices in force of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you rely on

Confused? So are a lot of EU organizations that rely on cloud services from US vendors, which is what has prompted the latest announcement from ServiceNow. Things are getting increasingly complex in this area and ServiceNow is hoping that it can give its customers an option that reduces the burden of ensuring they stay on the right side of regulatory requirements. 

An EU cloud area

As noted above, from 2022 ServiceNow will let EU-based customers opt into its dedicated EU services, ensuring data will always be handled exclusively within the Union. The aim is to help its customers meet their data compliance obligations and new teams are being created to provide support for customers and partners based in the EU. 

We got the chance to speak to Mark Cockerill, VP of Legal EMEA and Global Head of Privacy at ServiceNow, about the announcement to get a better understanding of why ServiceNow is making this investment. Cockerill says:

We are in a situation where customers have to undertake further analysis on their transfers outside the EU, further diligence. There's a degree of concern as to how they comply with the laws and the principles. What we appreciate is that customers are concerned, they want a simple solution to a complex problem. 

They want to have greater control and capability to be able to say to their users, to their customers, ‘Hey, we're using a provider that cares about this’. Additionally there are a lot of public sector customers, for example, that would like a solution whereby their data does not leave the EU.

So we are trying fundamentally to invest in our customers, put them first and give them the best of both worlds. We want to give them the choice and the flexibility to say, ‘Hey, this is a very clean and clear picture, there are no transfers’.

Cockerill reiterated the point that ServiceNow is not charging for this service and he claims that the company is making the investment because it's good for customer choice and capability. It's a fairly unique approach across the SaaS industry (although Microsoft has a similar offering), but Cockerill argues that giving customers options that make them feel comfortable about their compliance obligations is important. He says: 

Many SaaS companies of course rely upon a ‘follow the sun model’ for scalability and for 24/7 coverage. We're taking the additional step, to be able to provide that completely ring-fenced solution for our customers to invest further to give them that comfort. We're leading the way with this and we think it's a fundamental differentiator from the rest of the market.

We are a service provider to our customers. It is not for us to dictate to them how to interpret the European regulations. We simply want to provide them with the ultimate flexibility, ultimate choice. We think that a lot of customers will avail of this, that they will find it beneficial, and they want to have that comfort for their organization and their end customers. But we're just giving them all the information, all the options and all the flexibility. 

We want to solve problems for our customers, solve challenges or concerns before they arise. So we think it's important for our customers to have that capability. This isn't a commercial play to ramp up their costs by 10%. This is about investing in Europe, investing in them.  

My take

At the end of the day, choice is a good thing. Of course customers will likely be having to undertake the arduous task of getting to grips with their data transfers anyway, as per the European Data Protection Board Recommendations. No one is exclusively using ServiceNow in their organization - there will inevitably be a mix of SaaS providers and not many of them are yet offering this sort of service. However, having one vendor in that mix where you just know you don't have to worry about where the data sits and where it's going will be a relief for some. I expect we will see more of this over the coming months and years as data becomes increasingly valuable.