Amazon's Pitch to Europe: Your Data Is Safe From American Spiesby
In surprise, European court ruling boosts U.S. tech industry
Amazon, Microsoft and VMWare are expanding EU data centers
Bad news for American tech.
That was the reaction from many industry watchers in October when Europe’s highest court -- reacting in part to revelations that U.S. intelligence services were vacuuming up the private information of millions of Europeans -- struck down a longstanding agreement that this data could be beamed to the U.S. without seeking citizens’ explicit consent.
The impact on cloud service providers was expected to be particularly severe because they depend on the seamless global movement of data to sell access to everything from medical records and bank statements to Facebook profiles and photos. Well, a funny thing happened on the way to the Apocalypse. Far from suffering, Amazon, Microsoft, VMware and other big U.S. cloud providers say European demand for their services has actually grown since the European Court of Justice invalidated the so-called Safe Harbor agreement.
U.S.-based cloud providers are luring customers with pledges to keep data far from the prying eyes of American spies by sequestering it in Europe. At the same time, American companies are rushing to have their data-handling policies blessed by European regulators so clients can safely move data around the world.
The Safe Harbor ruling “has definitely been an opportunity for us,” said Richard Munro, chief European technologist for the vCloud Air service offered by Palo Alto-based VMware. He declined to put an exact figure on sales growth since the Oct. 6 ruling but said his company’s ability to keep customers’ data exclusively in data centers in the U.K. and Germany was a big selling point.
Amazon Web Services, the world’s largest cloud provider, is increasingly winning business for its German data centers from non-German customers seeking to place their data under the jurisdiction of what is widely perceived as one of the world’s strictest data protection regulators. Ian Massingham, the company’s London-based “technical evangelist,” said demand for these German data centers, located near Frankfurt, has been the fastest growing among any region Amazon has ever launched.
This year or next, Amazon plans to open a data storage operation in the U.K., its third European region after Ireland and Germany.
The stakes for the U.S. industry are high. The so-called Big Four cloud providers – Amazon, Microsoft, IBM and Google – account for half of all worldwide cloud services, according to Synergy Research Group. They’ve been spending billions on data centers around the globe, including extensive European facilities. Their strong presence in the region has allowed U.S. tech companies to adjust to the Safe Harbor ruling.
But risks remain because Europe’s data-transfer rules are tricky to comply with and because no one knows what will replace Safe Harbor.
The original agreement allowed companies to transfer data to U.S. servers provided they self-certified compliance with seven broad principles, ranging from notifying individuals about what data a company collects to taking reasonable steps to protect data from loss, misuse or unauthorized access or disclosure. The court basically concluded that self-certification wasn’t enough.
Even before the ruling, U.S. and European negotiators had been working on a new data transfer agreement, which is supposed to be concluded by the end of the month. There’s no telling, however, if a new pact -- dubbed Safe Harbor 2.0 -- can be hammered out by then or if it will withstand judicial review.
“The core of the problem is not technical but political,” said Daniele Catteddu, the Brussels-based director of Europe, Middle East and Africa for the Cloud Security Alliance, an industry group whose members include many of the world’s largest tech firms. “Until the U.S. has a corresponding data protection authority and a venue where a European citizen can file a complaint if their right to privacy is not respected in the U.S., then data transfers there are going to continue to be a problem.”
In the meantime, companies from Google to Amazon must contend with increasingly tough data protection laws. In mid-December, the European Union agreed on a new regulation that will come into force in early 2018 and imposes fines of as much as four percent of a company’s global annual revenue for violations. The rule also makes data processors, which include most cloud service providers, jointly liable with their customers -- the businesses that collect the data -- for any security breaches or mishandling of data.
In their pitch to customers, U.S. companies emphasize that they’re relying on EU-suggested contract language and applying for certifications from EU data protection agencies to ensure they don’t run afoul of European laws. BMC Software, a Houston, Texas, company that provides business management software through the cloud, spent three years making sure its data-handling policies passed muster with French regulators.
Elodie Dowling, BMC’s vice president and general counsel for Europe, the Middle East and Africa, calls French-sanctioned certification, which is valid throughout the E.U., a “competitive differentiator” that has drastically sped up sales negotiations.
Meanwhile, U.S. companies continue to look for ways of keeping European data out of the reach of the U.S. government.
Microsoft, which is contesting a U.S. search warrant for e-mails held on its Irish data servers, came up with a novel solution: storing data in German facilities operated by Deutsche Telekom, which acts as a “data trustee.”
Microsoft declined to make an executive available to comment for this story, but the thinking is that the U.S. wouldn’t be able to subpoena such information from Microsoft. Instead, it would have to approach Deutsche Telekom, which wouldn’t have to comply with a U.S. court -- or so goes the theory.
“It is a good way to make it clear to everyone that Microsoft is trying to protect its customers’ data,” said Ann LaFrance, a lawyer specializing in cyber security and data protection issues in the London office of U.S. law firm Squire Patton Boggs. But in practice, she said, Deutsche Telekom’s extensive ties to the U.S. –- the company owns T-Mobile –- mean a U.S. court might well claim jurisdiction, with serious potential consequences for Deutsche Telekom’s U.S. businesses if it chose not to comply.
The larger risk is that the world becomes partitioned into data regions, impeding the free flow of information. In a blog post, Microsoft’s chief legal officer Brad Smith said a balkanized Internet could mark “a return to the digital dark ages.” He warned that someone trying to buy a product online could have the transaction rejected because the retailer isn’t permitted to transfer credit card information to a payment processor located outside Europe. Or, he said, an airline could reject an online ticket purchase because the carrier couldn’t transmit passport information to the destination’s government.
The Safe Harbor ruling has provided a boost to companies such as Microsoft and Amazon --- but that doesn’t mean it was good news for business overall.