So Safe Harbour is no more. It was announced last week that after months of negotiations, the ruling will now be replaced with a new framework called the EU-US Privacy Shield.
By Dave Allen, Senior Vice President & General Counsel at Dyn.
The pact, agreed by the European Commission and the United States, will, in short, protect Europeans’ data when transferred to the US with new safeguards in place around access to data by public authorities. The US also has to commit to not subjecting Europeans’ personal data to mass surveillance.
This new ruling will still allow big companies to freely move data but it does introduce various hurdles for them to jump. Undeniably, questions and queries over data residency, and security, have dominated conversations around Safe Harbour, but to address the challenges solely from a data residency perspective is incomplete at best. Businesses instead need to turn their attention to a problem that has been somewhat overlooked - the impact of cross-border routing of data during this era of emerging geographic restrictions.
Since the revelations about data collection by the US government, countries have doubled down on efforts to require companies to store data on their citizens on local servers, or otherwise impose geographic restrictions on data, usually citing some combination of privacy and national-security grounds. And it varies across the world.
Russia, for example, is implementing one of the strictest laws, which will require personal data about Russians to be stored and processed on servers physically located solely within Russia. In other countries, such as Australia and some provinces in Canada, there are specific localisation rules related to particularly sensitive categories of data, such as health, and in the EU, there are rules prohibiting the transfer of data overseas unless there are sufficiently strong privacy rules in place.
Some Internet companies have begun to address this legislative trend and the challenges at the data residence level, by building in-region data centres or offering localised cloud and content delivery services. But this only addresses a part of the problem. Understanding the actual paths and cross-border routing of the data in transit is also hugely important, and in many ways a more complex issue for businesses.
Crossing the borders
Let’s take a look at a seemingly benign scenario. A German company, with a data centre in Frankfurt and end-users within Germany, limits its internet traffic to a local Tier 1 network such as Deutsche Telekom, and therefore expects to confine its internet traffic to Germany. However, upon reflecting on traffic patterns delivered in real-time, with geo-location information, the company would be disappointed to learn that more than 20% of its traffic actually exited the geographic boundaries of Germany before crossing the border again to reach its end users.
There are other hypotheticals we should consider, too, which paint a picture of just how complex the challenges of cross-border routing of data are today.
For example, consider data that may travel internationally and potentially pass through countries that the end-points may have sensitivities about. That sensitivity could stem from politics (regional sensitivity when data is routed between servers in, say, Israel and Lebanon), security (data that routes through a country with a high rate of security breaches), or trade sanctions law (data that crosses through a country where import/export sanctions exist). In these cases, are transit paths well understood, and are there policies in place to reroute traffic? Can data be rerouted quickly?
Furthermore, companies that hold any sensitive data need to consider whether routing and storage rules are versatile and customised enough to provide specialised routing for particular types of data. Personally identifiable information, health data and sensitive bank data may need to be routed differently to comply with different domestic laws, such as in Australia.
Content delivery networks and cloud providers are not positioned to fully solve the problem alone, as many are confined by their own internal networks and geographic commitments. Even major Tier 1 networks frequently route traffic across several sovereign borders.
So while there is no silver bullet for compliance with the emerging regulatory regimes that govern data flows, visibility into routing paths along the open Internet and private networks needs to be seriously considered by businesses that rely on the global Internet to serve their customers. It won’t be enough to just address data residency. In this era of emerging geographic restrictions, access to traffic patterns in real time, along with geo-location information, provides businesses a much more complete solution to the problems posed by the new EU-US Privacy Shield framework.