The European Union’s new Privacy Shield Framework aims at protecting personal data from non-EU organizations and foreign governments, but its effect could be to regionalize data. A hybrid cloud could be the only solution.
The cloud is quickly becoming an engine of growth, its location-free design perfectly suited to a globalized economy where political boundaries are increasingly irrelevant. However, data politics is on the rise. The EU Privacy Shield Framework is designed to make transatlantic data transfer safe by encrypting and anonymizing everything, and auditing exactly who is accessing and using personal information. But most of the major business and industry cloud providers—among them Google, Amazon Web Services and Microsoft—are US-based. Should data from EU citizens be kept inside EU boundaries? One way to achieve this is a private cloud solution.
Private Clouds vs. Hybrid Cloud
Michael Connaughton, Director Big Data at Oracle, says:
Organizations want to move to the cloud, but then lose a degree of control over where the data center holding the data is located.
However, companies choosing to keep everything in a private, on-premises cloud data center lose the advantage of the massive computing power available on the public cloud. A private cloud is also expensive to maintain and upgrade. The answer is to deploy a hybrid cloud, a mix of local cloud servers and third-party public services using the remote servers run by the big cloud providers.
The problem here is ‘spanning’, says Frank Krueger, Director of Compliance at enterprise cloud hosting provider iland.
Does the provider send you to a cloud that spans multiple data centers? If so, verify that those spanned data centers are in the right data regions. It’s not uncommon that lower-cost carriers will perform spanning, whereas others are dedicated to specific and approved geo-locations.
Even US-based companies are beginning to open EU data centers in places such as London, Frankfurt and Paris.
Another option is to keep everything as local as possible, using cloud providers inside the EU only. With companies able to self-certify their compliance with the Privacy Shield Framework, this is an understandable choice. This legislation requires that customers be able to choose what happens to their personal data, which is a complication.
It is essential to know what customer data you are collecting and where it is being collected so that data can be handled in accordance with the laws of the country from which it is sourced.
However, the hybrid cloud comes with controls that allow restricted personal data to be kept in the EU.
Can a company remain compliant by storing information on Europeans in a local data center? Taking advantage of the cloud’s massive computing power requires division of labor. One option is for companies to store data in private clouds in their own data centers, and to use computing resources in the remote or ‘public’ cloud. This involves uploading the data for processing, and immediately retrieving it for storage. That underscores the importance of how cloud service providers protect personal data.
To make this work, companies will have to invest additional time and effort in cleansing it of all personally identifiable information before sending it out for processing.
He adds that companies should look for private clouds that integrate easily with public clouds. Though it appears complex, the end result should be a more capable, hybrid cloud that automates everything, including compliance.