As the demand for cloud services continues to grow, cloud service providers (CSPs) are increasingly looking to expand the number and reach of their cloud data centers. And as CSPs look more and more to Europe, it’s extremely important for them to be aware that regional, national and local regulatory conditions pose some of the most complex challenges.
In Europe, as in the rest of the world, market trends, regulatory rules, security factors and infrastructure conditions vary by region and country, creating operational and strategic implications for companies when they select territories for data centers. In addition, regulatory and legislative changes don't move at the speed of technology. As the marketplace clamors for new cloud services, regulators and public policy makers constantly struggle to catch up.
Germany, the largest and wealthiest national economy in Europe, has a robust cloud services sector. But as CSPs evaluate Germany as a home base for cloud data centers, significant changes in data privacy regulations across the European Union (EU) and within Germany need to be actively considered.
Companies like Microsoft are addressing concerns about data security, privacy from U.S. government mass surveillance practices and perceived mistrust of U.S.-operated cloud services by developing new models for cloud data centers. In addition to teaming up with T-Systems, a subsidiary of telco Deutsche Telekom, Microsoft is adopting a “trustee model” for its two new cloud data centers in Germany. Under this trustee model, customers in Germany will be able to choose and trust in how their data is handled and where it is stored.
Like other EU countries, Germany observes two sets of regulations on data privacy and data interchange: its own laws, plus the EU’s broader “Data Protection Directive." Both levels of regulation must be understood by market participants and monitored over time for changes. The EU's Data Protection Directive is even now under review. In another recent example, a ruling by the European Court of Justice (ECJ) on the Safe Harbor principle has major implications for internet commerce.
The Safe Harbor principle had enabled US companies to self-certify adherence to comparable EU policies on data privacy and security. But in a landmark ruling, the ECJ found the July 2000 “Safe Harbor” decision to be void. The ECJ said the level of protection for personal data in the US is inadequate, because the data of European customers is not sufficiently protected from access by US security agencies. The ECJ's ruling could spur new, EU-wide legislation offering protective mechanisms when data is to be saved outside of Europe.
In the EU, recent legal decisions could usher in dramatically different regulations concerning data exchange and privacy protection. The ECJ ruling on the Safe Harbor principle has the potential to further Balkanize the internet with major implications for CSPs.
Due to this ruling, a significant, drawn-out struggle looks likely regarding the establishment of universal data privacy principles. This will pit international organizations (the EU), nations (such as Germany and the US), sectors (social media platforms, traditional telecoms, cloud services providers) and companies against one another.
During this struggle, we could see a balkanization of the internet with regard both to the routing of data across the Internet and the storage of that data within geographically defined boundaries. This balkanization means different regions and countries around the world could establish and implement their own data privacy regulatory frameworks, which CSPs and enterprises would need to address.
Even among EU members, country-specific regulations pop up. For example, data center operators in Germany must adhere to the rule that data belonging to German companies must stay in Germany. And some German data privacy laws apply only to individual consumers, while others apply only to businesses. The good news, from a regulatory standpoint, is that compared to many developing economies, Germany has a much more transparent regulatory and political system. According to IHS, Germany scores low on “regulatory burden.”
Jagdish Rebello, Ph.D. is a Senior Director for Cloud and Computer Electronics with IHS Technology
Mike Hartnett is a Director for Country Risk Consulting with IHS
Posted on 23 February 2016
