Microsoft and Amazon have both revealed that they are building data centres in the EU. In Microsoft’s case, Deutsche Telekom will be the data “trustee”; I assume this is in part an anticipatory response to the Stored Communications Act lawsuit presently in progress in Dublin (in brief, a case to determine whether US government agencies can compel Microsoft to hand over customer data stored outside the US). We have the EU’s data protection working group trying to convince us that you can still do extra-territorial data transfer, while at least one German DPA is saying the exact opposite.
The local data centre thing has been in the wings for a while – I wrote some time ago about Brazil’s (subsequently dropped) localisation provision in its Marco Civil, and about Angela Merkel’s desire for European data segregation. At the moment that seems to mean local as in “EU” – which may yet not be good enough given the ECJ’s decision about Weltimmo and the Hungarian DPA (at stake is whether your data protection within the EU is regulated by your country of domicile, or by the domicile of the customer). The General Data Protection Regulation, due soon, and Safe Harbour 2, may of course change everything again. And now the UK has a referendum on EU membership next year.
I don’t think there’s a simple answer to the “where do we keep our data” question. It’s clearly something that needs far more thought than it used to, especially if you’re contemplating using the cloud or an outsourced service. Whatever you do, even if you change nothing, I’d strongly suggest making sure you have clearly documented your rationale, including your interpretation of the current legislative mess.
The bigger question is: what do we want? Broadly, as businesses, we probably benefit from maximum data mobility. It means that small markets have access to the same technology and services as large ones, at much the same time, and that we can shop globally to get the best price/performance compromise. I suspect there would be a pretty chilling effect on the market in hosted virtual servers, for instance, if you had to host them (and their resilience provision) in the customer’s jurisdiction.
On the other hand, as consumers do we want our personal information travelling the world, unfettered? Some people – like Giles Coren, or Vint Cerf – seem completely unfazed. Others may still value privacy – or fear fraud. Will they be prepared to pay for it, though – not just directly, but also in loss of access to services that decide it’s not worth accommodating them?