WavebreakmediaMicro - Fotolia
With the result of the EU referendum now known and Privacy Shield, the data transfer successor to Safe Harbour, finally in place, the uncertainty these seismic events have generated could blight the European datacentre community for some time to come.
451 Research issued an advisory note several days after the result of the EU referendum, suggesting operators have slowed or suspended datacentre planning until a clearer idea emerges of how the post-Brexit world will pan out.
Speaking to Computer Weekly, Andy Lawrence, vice-president of datacentre technologies and eco-efficient IT at 451 Research, says that keeping a lid on capital expenditure will be front of mind for CIOs and IT directors for some time to come.
“I would advise CIOs to at least stop and have a serious discussion about what this means, and, if they think it’s going to have a serious impact, hold back for a few weeks,” he says. “But the overwhelming likelihood is that not a huge amount will change in the longer term.
“The Brexit camp are of the view that, ultimately, the economy will be stronger. That’s a matter of interpretation, but I would personally say proceed cautiously, and there is a strong possibility that nothing will really change from a datacentre perspective.”
At the time of writing, it is still unclear when the UK government intends to begin the process of exiting the EU, and how much access – if any – the post-Brexit UK will retain to the European single market.
This has prompted speculation about whether UK-based businesses in the financial services and manufacturing sectors, in particular, are likely to relocate to the EU to retain the benefits of free access to the single market.
Should that happen, they will presumably be looking to relocate some – if not all – of their datacentre capacity requirements to Europe too.
“Some companies operating cloud services may choose to host more services within the EU to ensure access to the open market; others may opt for both locations,” says the 451 Research advisory note.
“UK datacentre operators will have to compete even harder against operators in countries such as Belgium, Luxembourg and Finland, which will likely say it is safest to operate from within the EU.”
Read more about cloud and data protection
- The technology industry welcomes Microsoft’s legal victory over US government’s demand to hand over emails stored in Ireland.
- Estonia is reportedly in talks with the UK and Luxembourg governments about the possibility of occupying datacentre space in either location to back up the vast quantities of data that allow its digitally led economy to flourish.
Estonia leads trend
There is already anecdotal evidence to suggest this is already a trend in the European datacentre market, following reports that the Estonian government is weighing up whether to call on the UK or Luxembourg to fulfil its backup datacentre requirements.
According to a report in the Financial Times about the proposed arrangement, the outcome of the EU referendum vote has prompted the Baltic state to widen its search for suitable datacentre capacity to Luxembourg, rather than concentrate solely on the UK.
That example aside, the consensus within the IT analyst community is that we are unlikely to see companies shift their datacentre capacity requirements from the UK to Europe overnight.
But that’s not to say the amount of UK-based datacentre capacity these companies use will not go down in the long term, as the multiyear contracts some businesses have with their co-location providers, for example, come to an end.
In other cases, such as that of cloud infrastructure provider Iland, the Brexit vote may prompt some to accelerate any pre-existing plans to expand their datacentre footprint within the continent.
“While Brexit hasn’t triggered a shift in our expansion strategy, it will likely accelerate our timeline,” says Frank Kreiger, director of compliance at Iland.
“The reality is cloud customers consistently struggle to understand data protection laws, particularly because the laws are frequently in flux.”
For the avoidance of doubt, end-users tend to favour providers that can offer them access to in-country hosted cloud services, he continues, which is why Iland is pushing to ramp up its European presence.
“We find many companies’ geographic choices are based on their preference to be in their own country or the multiple countries of their end-customer bases.”
Safe Harbour furore
Another item that may have helped sharpen the minds of European CIOs about who to trust with their corporate information has been the furore surrounding the collapse and replacement of the Safe Harbour data transfer agreement.
In October 2015, the European Court of Justice declared Safe Harbour an invalid means of transferring data belonging to European citizens to the US, in the wake of a lengthy legal challenge by Austrian privacy campaigner Max Schrems.
On the back of this, a number of US companies that had previously relied on Safe Harbour set out plans to ramp up their European datacentre presence, even though a replacement agreement, the EU-US Privacy Shield, was in the works.
According to reports, several of these companies, including Amazon Web Services (AWS) and Microsoft, were planning European builds way before Safe Harbour ever became an issue, mindful of CIO concerns about data sovereignty and latency with cloud-hosted apps.
Several weeks after the Brexit vote result was announced, all 28 current EU member states were asked to vote on whether the EU-US Privacy Shield data transfer agreement should be approved for use, with the majority agreeing it should.
The agreement was officially adopted by the European Commission shortly after, paving the way for US companies to register their operations with the Privacy Shield framework from 1 August 2016, and resume the transfer of data belonging to EU citizens back to their servers Stateside.
Privacy Shield on shaky ground
The crux of Schrems’ issue with Safe Harbour stemmed from his misgivings about how much protection it gave European citizens from the mass surveillance activities of the US government.
According to various legal experts, there is also a very high probability of Schrems – or someone else – mounting a legal challenge on similar grounds against Privacy Shield, potentially ushering in a fresh wave of disruption for US companies looking to serve a European customer base.
Steve Farmer, legal counsel, Pillsbury
Steve Farmer, counsel at technology-focused law firm Pillsbury, shares this view. He believes Privacy Shield has similar failings to Safe Harbour.
“Privacy Shield will almost certainly be subject to a legal challenge. A key reason Safe Harbour was deemed invalid was because it was considered that the redress mechanisms for individuals who were subject to mass surveillance were inadequate,” he tells Computer Weekly.
“Privacy Shield arguably fails to address what the Court of Justice of the European Union had in mind in terms of redress and so significant question marks hang over it.”
For this reason, Farmer advises companies thinking of registering for Privacy Shield to proceed with caution, and to think carefully before investing time, effort and money in complying with an agreement that may unravel.
“The storm clouds which hang over the future of the Privacy Shield diminish its value as a long-term compliance solution, and sole reliance on it for the time being is arguably only for the foolhardy,” he adds.
However, Clive Longbottom, principal analyst and founder of market watcher Quocirca, says it is unlikely that a legal challenge against Privacy Shield will cause as much damage as the takedown of Safe Harbour did.
"The old Safe Harbour was brought down and required an almost complete rewrite to get it to Privacy Shield version one, which was then knocked back by the EU,” he explains.
“The latest version is now acceptable to the EU, and has a great deal of commonality with the general data protection regulations.
“I doubt that any legal challenge will be able to bring down Privacy Shield completely. Instead, it is, at worst, more likely to require some clausal changes to be made to it.”
Privacy Shield alternative
While European and US lawmakers hammered out the details of what Safe Harbour’s successor should look like, enterprises that had relied on the agreement to transfer European users’ data back to the US were advised to make alternative arrangements.
These included making use of binding corporate rules or model contract clauses, both of which Farmer says companies might be better off using for a while to come yet.
“Binding corporate rules and model contract clauses remain the safest and most sensible routes for businesses to follow for the time being,” he says.
Longbottom is not so sure, and believes companies that continue to rely on them could be putting themselves at risk of a legal challenge of their own later down the line.
“I would now say that model clauses are more likely to fall foul of court findings, as each one is a distinct item,” he says.
“Lawyers would prefer the model clause approach as each company has to pay a lawyer to draw up the multiple model clauses that are required, rather than just signing up to Privacy Shield.”
Microsoft court success
All this uncertainty over the sanctity of Privacy Shield (and its alternatives) may lead to European CIOs prioritising the use of cloud services that are hosted in-country or within the continent at least, as Iland’s Kreiger suggests.
Longbottom, though, cautions European datacentre operators against getting too carried away with the idea that Brexit and the uncertainty over the long-term viability of Privacy Shield means they will be overwhelmed with business as time goes on.
This is particularly the case in light of Microsoft’s court victory in July 2016, which saw the software giant granted the right to deny US law enforcers access to emails stored in Ireland belonging to a suspected drugs trafficker.
“The Microsoft legal ruling is the thing that could have the most impact on the European hosting and co-location markets,” Longbottom says, “because there is now less likelihood of the US courts being able to demand access to data through something as simple as a disclosure warrant.
“I’d expect to see the US companies with cloud and datacentre operations in Europe make more noise and be able to slap down the pure-European players who have rightly been making hay while the data protection sun has shone on them.”