Category Archives: data residency

UK citizens trust EU countries with data more than the UK

With the countdown to the Brexit vote in its final days, research from Blue Coat has highlighted that British respondents would be more trusting if their data was stored in an EU country as opposed to the UK.

Although only marginal, 40% of respondents believe the EU is a safer bet for storage of data, whereas only 38% elected the UK. Germany was perceived as the most trustworthy state, though this could be seen as unsurprising as the country is generally viewed as having the most stringent data protection laws. France ranked in second place, whereas the UK sat in third.

While the true impact of Brexit will only be known following the vote, the role of the UK in the technology world could be impacted by the decision. The research showed a notable preference for storing data in countries which are part of the EU and under the influence of the European Commission’s General Data Protection Regulation. When looking across the Atlantic to the US, the UK has more trust than the rest of Europe, though it could still be considered very low. In the UK, 13% said they would trust the US with their data, whereas this number drops down to 3% where France and Germany are concerned.

“The EU regulatory landscape is set to radically change with the introduction of the GDPR legislation and this research highlights the level of distrust in countries outside the EU,” said Robert Arandjelovic, Director of Product Marketing EMEA, Blue Coat Systems. “Respondents prefer to keep their data within the EU, supporting new European data protection legislation.

“More concerning is the fact that almost half of respondents would trust any country to store their data, indicating too many employees simply don’t pay enough attention to where their work data is held. This presents a risk to enterprises, even if their employees treat where it is being hosted with little interest.”

While the impact of the Brexit vote is entirely theoretical at the moment, leaving the union could spell difficult times for the UK as EU countries favour those which are in the EU. What is apparent from the statistics is the US still has substantial work to do to counter the ill effects of the Safe Harbour agreement, which was struck down last October. The survey indicates the replacement policy, the EU-US Privacy Shield, has not met the requirements of EU citizens as trust in the US is still low.

Box sets target on US government and Europe following 37% growth in Q1

Box co-founder and chief executive Aaron Levie briefing journalists and analysts in London this week

Box has reported healthy growth over the last quarter, increasing revenues 37% to $90.2 million, which the company has attributed to a more diversified portfolio. Public sector organizations and the European market are now in the crosshairs for future growth.

The US government is an area which has seemingly been prioritized by CEO Aaron Levie and the Box team moving forward, following the announcement that Box for Government achieved FedRAMP certification from the Department of Defence. As the Department of Defence claims it has some of the highest degrees of scrutiny around cloud platforms and technology, the team believe the certification will create a ripple effect throughout the US.

As a number of state and local government agencies lean on federal standards for guidance on what cloud technologies to adopt, the certification could lead to positive strides for the company. Levie highlighted the certification, as well as the partnership with IBM, has created a healthy sales pipeline for the team over recent months in the public sector segment.

The company added more than 5,000 customers to its ranks over the period, taking the total number to more than 62,000 businesses. Box now has 46 million users worldwide, of which 13% are now paying. Levie also highlighted work on its customer services processes has paid off over the quarter as customer churn rate is now below 3%.

“In Q1 we achieved record revenue of $90 million, up 37% year over year,” said Levie. “We also continue to gain operational efficiency and demonstrate leverage in our business model as we move towards our commitment to achieve positive free cash flow in the fourth quarter and in January 2017. Looking ahead underlying demand for Box remains very strong and our competitive position in the market has never been better.

“We created record sales pipeline in the quarter with several seven figure deals in the mix. This has been driven by the growing demand for a modern approach to enterprise content management, our differentiated product offerings and our maturing partnerships that are becoming an integral part of our go to market strategy.”

Box’s expansion strategy over recent months has been built upon the diversification of its product portfolio, but also its partner ecosystem. Firstly, from a product perspective, the team launched Box Zones, which enables organizations to dictate where data is stored around the world. This offering was brought about through the partnership with IBM.

Data residency has proved a sensitive area in recent months, due to the confusion following the decision of the Court of Justice of the European Union to strike down the Safe Harbour agreement and the subsequent criticism its successor, EU-US Privacy Shield, has received. The Box Zones offering would appear to be the company’s means of negating the impact of data residency by removing the concern of transatlantic data transmission. The team claim the offering has not only gained traction with new customers, but also created a number of upselling opportunities for companies who have operations in regions where data protection rules are more stringent than the US.

Aside from Box Zones, the team has also launched a number of new offerings including its Governance product, KeySafe and the aforementioned Box for Government offering. Aside from creating new opportunities in the US, the product diversification has also been credited with growth in new regions, which is a key pillar for the Box expansion plans.

From a partner ecosystem perspective, the quarter saw a number of new announcements as well as positive wins out of longer standing relationships. Box announced a new partnership with Adobe in April, aiming to simplify working with digital documents in the cloud, though Levie was particularly focused on the relationship with Microsoft, which has yielded positive results throughout the quarter.

“And nowhere is our ecosystem strategy more relevant than our partnership with Microsoft which continues to yield significant dividends,” said Levie. “For the first time ever customers can now collaboratively edit their Office documents that are stored in Box or edit them on their iPad or iPhone. Adoption of Office 365 continues to be a key driver for new customers to invest in Box as well as allow existing customers to expand their usage of Box.”

Partnerships, which aside from Microsoft also include AT&T and IBM, currently influence around 20% of Box’s revenues. The partnership with IBM has been particularly successful in the company’s drive towards Europe, where the option to store data in Big Blue’s German and Irish data centres is attractive, according to Levie.

EU-US privacy debate continues as EDPS says try again

Ongoing efforts to provide clarity and guidance on transatlantic data transmission are unlikely to bear fruit soon, as the European Data Protection Supervisor (EDPS) has outlined concerns over the robustness of the Safe Harbour successor, EU-US Privacy Shield.

European Data Protection Supervisor, Giovanni Buttarelli, outlined his concerns on whether the proposed agreement will provide adequate protection against indiscriminate surveillance as well as obligations on oversight, transparency, redress and data protection rights.

“I appreciate the efforts made to develop a solution to replace Safe Harbour but the Privacy Shield as it stands is not robust enough to withstand future legal scrutiny before the Court,” said Buttarelli. “Significant improvements are needed should the European Commission wish to adopt an adequacy decision, to respect the essence of key data protection principles with particular regard to necessity, proportionality and redress mechanisms. Moreover, it’s time to develop a longer term solution in the transatlantic dialogue.”

This is in fact the second time in a matter of months an official body has expressed concerns over the EU-US Privacy Shield, as the Article 29 Working Group voiced its concerns over the mass surveillance and oversight shortcomings that it believes are found in the pact. Back in April, WP29 commented Privacy Shield had made progress but still hadn’t covered the cracks which had Safe Harbour kicked out last year.

“The WP29 notes the major improvements the Privacy Shield offers compared to the invalidated Safe Harbour decision. Given the concerns expressed and the clarifications asked, the WP29 urges the Commission to resolve these concerns, identify appropriate solutions and provide the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU,” said the WP29 group in its official opinion at the time.

The new Privacy Shield agreement does in fact encourage European businesses and organizations to be more considered and conservative when sharing data with US entities, however critics of the new agreement have highlighted there are still too many exceptions where the US and its intelligence agencies can move around the agreement.

While the opinion of the WP29 is respected throughout the industry, it was not a concrete sign that anything within the Privacy agreement will change. This is the same for the EDPS. There are no guarantees the agreement will be changed following Buttarelli making his opinion public, though it may be a good indicator as to what needs to be done to ensure the pact stands up to scrutiny under the spotlight from the European Court of Justice. This is certainly the case for David Mount, Director of Security Solutions at Micro Focus.

“Buttarelli talks of a need for significant improvements before the agreement can be viable, which raises a key point around the self-certification aspects of Safe Harbour as it once was,” said Mount. “In the past, businesses could self-certify as compliant with Safe Harbour by simply ticking a box. But this does not create a transparent and trusting climate – in fact it does the very opposite, as is the case in any self-regulated environment.

“Any new agreement must be more robust, as per Buttarelli’s comments, and addressing the key issue of self-certification would be a significant step. It will be interesting to see how the EU Commission responds to the EDPS and how negotiations will continue to address the varying issues of self-certification and trust.”

Support for the agreement has been mixed as some European corners have voiced concerns, and some US opinions have been relatively positive, though this may be considered unsurprising. MEP Jan Philipp Albrecht and Edward Snowden were two who demonstrated a critical stance (see accompanying picture), while Microsoft became one of the first major US tech companies to confirm its support of the EU-US Privacy Shield.

Back in April, John Frank, Vice President EU Government Affairs at Microsoft said “we recognize that privacy rights need to have effective remedies. We have reviewed the Privacy Shield documentation in detail, and we believe wholeheartedly that it represents an effective framework and should be approved.”

Although Microsoft has demonstrated a desire to bring the issue to an end, it has also found itself on the wrong side of data requests from the US government, proving it’s no pushover. The company has been involved in a drawn-out lawsuit, as Microsoft has refused the US government access to data which it has stored in its Dublin data centre, telling the government it “must respect the sovereignty of other countries”.

The company has also filed a lawsuit against the US government and its associated agencies, arguing that customers should have the right to know when the state accesses their emails or records, as well as creating the Data Trustee model. The Data Trustee model is seemingly an effort to rebuild trust in the US business, as it hands control of its data over to a European company, in this case Deutsche Telekom, who have to give consent for a Microsoft employee to access the data.

“Businesses have already started looking to alternatives for legitimate data transfers out of the EU in case the Privacy Shield option, once formally adopted, should be taken away,” said Deema Freij, Global Privacy Officer at Intralinks. “For example, Binding Corporate Rules and EU Model Clauses are still seen as strong alternatives. Businesses have been switching to EU Model Clauses to transfer personal data to the US, which they can continue to do on an ongoing basis.

“The responsibility for businesses is only going to increase when the General Data Protection Regulation (GDPR) comes into full effect in May 2018. The next two years will be a huge test for organisations across the world as they begin to realise that data sharing practices will continue to fall under close scrutiny as the concept of data privacy evolves further.”

The EU-US Privacy Shield has made progress in addressing the concerns voiced by European citizens, companies and legislative bodies in recent months, though it is unlikely to be the final answer. In three months, two separate, independent and widely respected opinions have highlighted the shortcomings of the agreement, which doesn’t inspire a huge level of confidence. How the Privacy Shield creators react to the opinion is yet to be seen, though it could be one of the deciding factors on how long the transatlantic data transmission argument continues.

Let the countdown to GDPR begin

The road to data protection has been a long and confusing one. Despite being one of the biggest concerns of consumers and corporates throughout the world, progress has hardly been moving at breakneck speed, but as of today (May 25th), companies now have exactly two years to ensure they are compliant with the EU’s General Data Protection Regulation.

The general objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU. Data protection is a complicated business throughout the EU, mainly due to slight differences from country to country, and then again, with overarching EU regulations, or directives which haven’t even made it to regulation.

Conversations surrounding the new regulations have been ongoing since 2012, though companies now have until 25th May 2018 to ensure they are fully compliant. This would seem an adequate amount of time; however, a recent YouGov and Netskope survey highlighted only one in five are confident they will be compliant in this time period. For Eduard Meelhuysen, VP at Netskope, decision makers need to take a step back to get a better understanding of the current state of their data, before concentrating on any company app.

“If they are to comply, IT teams will need to make the most of the two-year grace period which means that both cloud-consuming organisations and cloud vendors will need to take active measures now,” said Meelhuysen. “As a starting point, organisations should take a hard look at how their data are shared and stored, focusing in particular on any cloud apps in use across the organisation.

“The GDPR makes specific provisions for unstructured data of the type created by many cloud apps, data which are typically harder to manage and control. That means organisations need to manage employees’ interactions with the cloud carefully as a key tenet of GDPR compliance.”

“As cloud app use continues to increase within businesses, data will become harder to track and control. But with the GDPR instigating a maximum possible fine of €20 million or 4% of global turnover (whichever is higher) in certain cases, there is now more incentive than ever for companies to focus on data protection. Getting a handle on cloud app use will be a crucial part of ensuring compliance for any organisation, and IT teams will need to start work now to meet the May 2018 compliance deadline.”

One area which has been given attention within the GDPR is that of data residency. The new regulations will require that organizations do not store data in, or transfer data through, countries outside the European Economic Area that do not have equivalently strong data protection standards. The list of countries that meet these standards is short, at 11, with a notable absentee, the United States of America, which could pose problems for numerous organizations.

While this may be considered one of the headline areas for the GDPR and one which will likely be heavily scrutinized, for Dave Allen, General Counsel at Dyn, concentrating too much on this area could lull companies into a false sense of security.

“As the EU GDPR comes into effect, businesses will need to take a hard look at their current methods of sharing and storing data,” said Allen. “While some Internet companies have begun to address new challenges at the fixed locations where data is stored – this alone will not necessarily be enough to ensure compliance.

“Those companies focusing solely on data residency may well fall victim to a false sense of confidence that sufficient steps have been taken to address these myriad regulations outlined in the GDPR. As the GDPR will hold businesses accountable for their data practices, businesses must recognise that the actual paths data travels are also a key factor to consider. In many ways, the constraints which come with the cross-border routing of data across several sovereign states mean these paths pose a more complex problem to solve.

“Although no silver bullet exists for compliance with the emerging regulations which govern data flows, businesses which rely on the global Internet to serve their customers should be seriously considering visibility into routing paths along both the open Internet and private networks. As we enter an era of emerging geographic restrictions, businesses with access to traffic patterns in real time, in addition to geo-location information, will find themselves in a much stronger position to tackle the challenges posed by the GDPR.”

Overall, the GDPR will ensure companies take a greater level of responsibility to safeguard the personal data they hold from attacks. Recent months have seen a number of highly publicised attacks significantly impact the reputation of well-known and respected brands, making consumers nervous about which of their personal information is being held. Previously, attacks on such organizations would not have been thought possible; surely they have the budgets to ensure these breaches wouldn’t happen?

Another headline proposition from the GDPR is the consumer’s right to access data which is stored on them, and also the right to have this data ‘forgotten’. For Jon Geater, CTO at Thales e-Security, this will create numerous challenges and changes to the way in which data is stored and accessed.

“The new rules also make clear another important factor that we should already have known: that you can outsource your risk, but you can’t outsource your responsibility,” said Geater. “If organisations use a third party provider to store and manage data – such as a cloud provider, for example – they are still responsible for its protection and must demonstrate exactly how the data is protected in the remote system. Therefore, formal privacy-by-design techniques need to make their way down the supply chain if companies are to avoid penalties or nightmarish discovery and analysis tasks.

“In addition, organisations will now have to provide citizens with online access to any of their own personal data they store. While the Data Protection Act traditionally allowed anyone to request access to this data, with GDPR in effect organisations must make this available for download ‘where possible’ and ‘without undue delay’.

“This is a very significant change and securing this access will represent a significant challenge to many organisations – especially while still complying with the new tighter rules – and will require robust cybersecurity technology across the board.”

What is clear is there will be complications. This shouldn’t be considered a massive surprise as any new regulations are fraught with complications on how to remain or become compliant, but the European Commission isn’t messing around this time. With fines of €20 million or 4% of global turnover (whichever is greater), the stick is a hefty one, and the carrot is yet to be seen.

Dropbox opens Hamburg office to reduce US/EU data concerns

Dropbox has announced the opening of its latest European office, branching into the German market ahead of plans to open a new data centre in Europe later in the year.

The company has answered concerns from European customers regarding the transmission of data across the Atlantic by committing to hosting their data within the EU; a region which the company claims is generating the majority of recent growth. This commitment has also been backed up with the company opening new offices in Dublin, London, Paris and Amsterdam, in addition to Hamburg.

Data residency has been an issue for European customers for a number of months since the Court of Justice of the European Union declared Safe Harbour void last October. Since then, there have been a number of efforts to soothe the relationship between the US and the EU, though the issue still remains contentious and newer drafts of Safe Harbour have been criticized by various European quarters.

As Europe represents a healthy growth region for Dropbox, it would appear the team are not prepared to wait for the EU/US data storm to blow over. Opening a new data centre in Germany has the potential for Dropbox to avoid the repercussions of the long-standing dispute.

“From manufacturing to professional services to healthcare, industries in Europe and around the world are discovering the benefits of increased collaboration on Dropbox,” said Thomas Hansen, Global VP of Revenue at Dropbox. “And the opening of our Hamburg office is just a part of our European commitment.

“From co-working spaces to corporations, people bring Dropbox to work, and adoption in Germany has been phenomenal. The top three cities in terms of Dropbox signups are also the largest: Berlin, Hamburg, and Munich. But Karlsruhe and Dresden are the real hotspots when measuring users per capita.”

As with other freemium business models, Dropbox has reportedly found difficulties in upgrading customers to the paid-for services. The company launched a new relationship with Adyen last year to offer localized payment models in 12 European countries, built around a direct debit payment mechanism, a more popular model in the European markets, as opposed to PayPal or credit card models.