Despite the advent of global trade deals aimed at lowering tariffs and opening markets around the world, CFOs should be wary when basing business plans on unfettered data access via the cloud. Why? Some countries (and customers) don’t want their data flying across national borders and landing in the hands of intelligence organizations, particularly those of the United States. They would rather house data locally to ensure prying eyes don’t have access to it.

But such “data nationalism” could cause problems for the development of cloud-based business solutions — and raise computing costs.

The conclusion of the Trans-Pacific Partnership (TPP) was a partial victory for proponents of “data globalization,” the idea that data in the cloud should be free of national restrictions.

The TPP eliminates tariffs and other trade barriers between the United States and 11 Pacific Rim countries (Japan, Canada, Australia, New Zealand, Mexico, Vietnam, Malaysia, Chile, Brunei, Singapore, and Peru), a region which produces 40% of global GDP, according to the United States Trade Representative. Prominent among the rules contained in the 5,544-page agreement are provisions to ensure companies can send data across borders freely. Member governments are barred from requiring companies to house “computing facilities,” such as servers, in a country. Also eliminated are the kind of “localization” rules some countries have been imposing, rules that cloud providers see as a significant trade barrier.

But the TPP will not keep governments from being possessive of data. The financial services industry is not covered by the cross-border data rules, and Australia has been given an exemption for medical records. The TPP also creates a big loophole to the server localization ban by allowing governments to introduce such requirements, if needed, to “achieve a legitimate public policy objective.”

The “public policy objective” exception, according to experts, largely reflects concerns over data privacy. Those concerns rose sharply in the wake of the 2013 leaks by Edward Snowden about data gathering on the part of the United States National Security Administration.

“We are seeing to some degree the potential for internet balkanization,” says Jay Heiser, research vice president at Gartner, referring not only to the TPP provisions but also to those likely to be contained in the Transatlantic Trade and Investment Partnership (TTIP). The next free-trade deal in the pipeline, the TTIP is being negotiated between the United States and the European Union.

More worrying, perhaps, is an October ruling that allows EU national governments to invalidate the 15-year-old safe harbor pact around data. The pact allowed thousands of companies to transfer data to the United States. Governments say the pact violates the privacy rights of Europeans by exposing them to U.S. government surveillance. U.S. and European regulators are reportedly negotiating an updated safe harbor agreement, but the timing, as well as the terms of the deal, are unclear at this point.

“From the European point of view, there’s a civil right to privacy that we do not have in the United States,” says Heiser.

Concern over this privacy right has already been seen in the form of “national cloud” projects by governments such as those of the United Kingdom and the Netherlands, along with the proliferation of similar local clouds and encryption services, many touted as “Patriot Act-proof.”

Cloudier Future?

Where does this leave providers of cloud computing and their clients?

In the United States, which has so far dominated the provision of cloud services, larger providers are moving to establish local databases whether or not they are eventually required to do so under trade agreements. Most recently, Microsoft announced on Nov. 11 that, starting in late 2016, it would be offering European customers the option of storing data in Germany and expanding regional hubs in Ireland and the Netherlands, where the data contained therein would presumably be shielded from U.S. spying.

“In large part this is a product of the Snowden revelations,” says J. Bradford Jensen of Georgetown University’s McDonough School of Business. “The Snowden stuff and [the European Court of Justice] ruling are going to make cloud adoption more difficult, and it’s a damn shame.”

The immediate impacts, says Jensen, will be felt by smaller American firms and innovative tech firms, which will face higher compliance costs.

“If [governments and clients] require data to be localized, [they’re] going to raise computing costs,” agrees Robert Atkinson, president of the Information Technology and Innovation Foundation. “The U.S. leads in cloud computing today and these restrictions would tend to put a damper on this. Data nationalism and data localization are not good.”

Atkinson admits that the TPP contains major provisions limiting data nationalism, but the exceptions to these provisions may prove to be more important.

“Whether it be TPP or TTIP, the big issue is that things are going to change, and companies need to be nimble to these changes,” says BMC Software Chief Architect William Platt. “Safe harbor basically got eradicated [and] there are situations where laws could appear to say that data must remain within [a] country or particular region.”

The Pull of the Globe

While there are strong forces for data localization, Platt and others point to a countervailing tendency: that of globalization, particularly when it comes to the cloud. “The cloud is evolving both in a local sense and on a global basis, and cloud providers are adjusting to this.”

“Who would have thought a couple of years ago that we’d be opening up trade with countries like Cuba?” he asks.

“We had actually anticipated more local startups in the cloud, especially post Snowden,” says Gartner’s Heiser. On the other hand, as he points out, “the American service providers are still quite strong” and are likely to retain their global lead in this field for some time going forward.

There’s even good news about the NSA’s bulk phone data collection program. The authority for the program ended on November 29, although some Congressmen are pushing for reauthorization.

For now, Gartner expects the 16.5% compound annual growth rate (CAGR) in cloud products seen over the past several years to continue, as big companies like Microsoft respond to local privacy concerns. The current environment, says Heiser, tends to “facilitate very small companies, who can piggyback, and reward very large ones, with the companies in the middle facing the sharpest squeeze.”

Trade pacts and international court rulings notwithstanding, cloud adoption will grow as the demand for access to all kinds of databases increases worldwide.

“Balkanization is not an easy thing to do,” Heiser says. “You’re not supposed to be able to access Facebook in China, but everybody probably does it anyway.”

Ed Zwirn is a freelance writer based in Bethel, N.Y.


One response to “Will the Cloud Be Balkanized?”

  1. I can understand that Microsoft “would be offering European customers the option of storing data in Germany.” I studied one interesting project that already addressed the challenge to protect sensitive information about individuals in a way that will satisfy European Cross Border Data Security requirements. This included incoming source data from various European banking entities, and existing data within those systems, which would be consolidated in one European country.

    The project achieved targeted compliance with EU Cross Border Data Security laws, Datenschutzgesetz 2000 – DSG 2000 in Austria, and Bundesdatenschutzgesetz in Germany by using a data tokenization approach, protecting the data before sending and storing it in the cloud.

    I also read an interesting report from the Aberdeen Group that revealed that “Over the last 12 months, tokenization users had 50% fewer security-related incidents (e.g., unauthorized access, data loss or data exposure) than tokenization non-users”. Nearly half of the respondents (47%) are currently using tokenization for something other than cardholder data. The name of the study, released a few months ago, is “Tokenization Gets Traction”.

    Aberdeen has also seen “a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data”.

    Ulf Mattsson, CTO Protegrity
