Neil Stobart, Vice President of Global System Engineering, Cloudian
In this article published in ITPro, I discuss the legal landscape around data sovereignty and the opportunity for MSPs to address data privacy concerns.
Data sovereignty – a boon for MSPs?
By Neil Stobart
Cloudian’s VP Global Systems Engineering, Neil Stobart, thinks data sovereignty concerns will create new opportunities for European-based managed service providers.
According to IDC, by 2022 some 90% of global enterprises will have implemented a multi-cloud solution. Given this rise in cloud adoption, it’s no surprise that the issue of data sovereignty continues to grab headlines.
In layman’s terms, data sovereignty is a legal principle which states that digital data is subject to the laws of the country in which it is processed. It’s a key consideration for organisations that use leading public cloud solutions, as these cloud providers’ data centres can be located anywhere in the world.
When organisations migrate apps, workloads and data to the public cloud, they inevitably relinquish a degree of control and visibility over where their data is located, due to a continued lack of transparency from many large public cloud providers.
As such, the implications of where enterprise data is stored, and of where cloud providers are headquartered, have been the subject of much legal wrangling. Let’s take a look at the current legal picture around data sovereignty, and why continuing data privacy concerns could be a boon for MSPs.
What’s the current legal scenario?
A primary concern for enterprises is the CLOUD Act, formally known as the US Clarifying Lawful Overseas Use of Data Act. It requires cloud service providers subject to US jurisdiction to produce data in their possession or control when served with a warrant or other lawful order – even if the data is stored within the borders of another country.
It’s worth noting that the CLOUD Act isn’t an obscure, rarely exercised law. In fact, between January and June 2021, Microsoft alone received 101 warrants from US law enforcement seeking consumer content data stored outside the United States. What’s more, at a 2021 US Senate Judiciary Committee hearing, the company argued that many of the secret data requests it receives from US authorities lack legal justification.
The CLOUD Act creates a clear conflict with GDPR: under Article 48, a third-country court order or administrative decision requiring a controller or processor to disclose personal data is only recognised if it is based on an international agreement, such as a mutual legal assistance treaty. So although a provider might assure customers that their data will be stored within their chosen national borders, the storage location alone doesn’t guarantee protection from US law enforcement; what matters is whether the provider itself is subject to US jurisdiction.
Also of concern is the Schrems II ruling. Under the EU-US Privacy Shield framework, US companies were allowed to receive personal data from the EU if they self-certified adherence to EU-equivalent standards on data protection and privacy. On 16 July 2020, the Court of Justice of the European Union (CJEU) invalidated that framework in a landmark ruling (Case C-311/18) dubbed Schrems II.
The Schrems II case was brought by Max Schrems, a prominent Austrian lawyer and privacy advocate. It followed a prior complaint made in 2013, in which Schrems asked the Irish Data Protection Commissioner to investigate data transfers from Facebook’s EU headquarters in Ireland to its US servers, based on concerns about the US National Security Agency’s data collection and surveillance practices.
In that first case, Schrems I (2015), the CJEU held that the existing Safe Harbour decision was invalid. The European Commission and the US then negotiated a replacement transfer mechanism, the EU-US Privacy Shield, adopted in 2016.
After the Schrems I ruling, Schrems resubmitted his complaint on the basis that Facebook had continued transferring personal data from its European headquarters in Ireland to the US. Facebook did this by relying on so-called standard contractual clauses (SCCs) – model data protection contract clauses pre-approved by the European Commission. Schrems argued that SCCs could not cure the deficiencies in US surveillance law that the first ruling had identified.
In its Schrems II ruling, the Court found the EU-US Privacy Shield to be inadequate for two key reasons. Firstly, US law doesn’t provide protection for personal data equivalent to that in the EU, particularly against access by US government and law enforcement entities. And secondly, EU data subjects don’t have effective means to seek redress against the US government. The Court left SCCs valid in principle, but only where the data exporter verifies, case by case, that the law of the destination country does not undermine them and adds supplementary measures where it does – a burden that falls on the enterprise, not the cloud provider.
Overall, it’s clear that enterprises based outside the US should think twice before procuring a US cloud provider – even if the provider in question has an in-country data centre.
Is this an opportunity for MSPs?
It’s no surprise, then, that many enterprises are looking for alternative data storage solutions. MSPs are perfectly placed to meet this demand.
Fortunately, thanks to now-mature compute, storage and management infrastructure, there are a range of excellent options available. Today’s cloud-like storage infrastructure allows providers to offer services that match those of the global providers while strictly maintaining data sovereignty within a specific region. Because the infrastructure is entirely under the control of a service provider incorporated in that region, there is a clear answer to where the data resides, who can access it and which jurisdiction it falls under.
There’s no doubt that data sovereignty will continue to rise up the agendas of enterprise IT leaders. As those leaders select the right cloud solution to fit their business needs, MSPs have the opportunity to fill the need for compliant storage with locally based services.