GDPR may help colocation companies sort through data sovereignty regulations
Data sovereignty is becoming increasingly important to colocation providers. The location where data physically resides is of concern to their customers as they seek to comply with a series of often conflicting laws around the globe.
The General Data Protection Regulation (GDPR) is scheduled to take effect in May 2018 and is designed to “harmonise data privacy laws across Europe,” according to the GDPR web site. Unlike the law it replaces (the 1995 Data Protection Directive), the GDPR will have a “long arm,” according to Mark Bailey, a partner with the UK law firm Charles Russell Speechlys, who presented on the topic of data sovereignty at the recent International Colocation Club 2016 event in Paris.
That “long arm” essentially means the law applies to any company that deals with private data on EU citizens, even if that company is located outside of the EU. And the law comes with some stiff penalties for those who fail to comply. It carries fines of up to €20 million or 4% of annual revenue for the most egregious offences, whichever is larger. Such hefty fines make the GDPR the kind of law colo providers should definitely familiarise themselves with.
To the extent that the GDPR does indeed harmonise data privacy laws in the EU, it can be seen as a positive step when it comes to the question of where colos should build data centers. “As much as you've got data laws driving location specifically, it's very often the conflict of laws or political decisions that drive these decisions,” Bailey said. “Uncertainly is perhaps one of the greatest issues we've got here rather than certainty and law.
Currently, every single country in the UK and Europe has its own data protection laws and authorities, creating confusion for any company trying to comply with them all. The GDPR will essentially normalise laws across the EU, bringing certainty in terms of what the law is – which is a good thing.
With its “long arm,” the GDPR could also be seen as setting standards for U.S.-based companies. That's significant because 90% of European personal data is processed by U.S. service providers, Bailey said. But currently the U.S. does not have an approved transfer mechanism for moving private data out of the EU.
“The U.S. has never been deemed adequate,” he said, calling the situation “a giant political football.” In fact, only a handful of countries – including Canada, Argentina and New Zealand – have managed to pass with EU regulators.
The situation could be remedied based on the extent that U.S.-based companies adhere to the GDPR.
The UK, of course, has its own issues to deal with as the result of Brexit. Will the UK comply with the GDPR or chart its own course?
Given the timing, the odds are the UK will comply with the GDPR, Bailey said. He noted it's unlikely the UK will be able to separate itself from the EU before the GDPR takes effect in May 2018.
If all of this sounds a bit confusing, that's because it is. But for colocation providers, the news is still positive. Bailey quoted various experts who all expect sound growth over the next several years. He noted that the growth in servers across Europe is set to triple in the next 3 to 5 years, which translates to millions of servers.