After months of speculation over the future of Safe Harbor, following the European Court of Justice’s decision in October last year to strike down key portions of the ruling, last week we found out what that future looks like. The EU-US Privacy Shield replaces the 16-year-old arrangement that many organizations had relied on to legally transfer personal data between Europe and the US, but this is just the latest example of the regulatory uncertainty involved in cross-border data flows.

safe harbor lifebelt thinkstock photos
– Thinkstock / PaulFleet

Catalyst for change

Since the revelations about nefarious data collection practices by US government agencies, countries and politico-economic blocs have redoubled efforts to ensure companies store user data on local servers. Geographic restrictions on where data can go have been imposed, usually citing some combination of privacy and national-security grounds.

Russia has implemented one of the strictest laws, requiring personal data about Russians to be stored and processed on servers physically located within Russia. Other countries, including Brazil, India, South Korea, and China are considering similar proposals, while Indonesia, Malaysia, Nigeria, and Vietnam have laws in place provisioning for the local processing of data. A handful of others, including Australia and some provinces in Canada, have specific localization rules related to particularly sensitive categories of information, such as health data.

And then there’s the governments, including Argentina and the EU, who have prohibited the transfer of data overseas unless the foreign jurisdiction has sufficiently strong privacy rules. And this is where a number of the issues relating to Safe Harbour arose, leading to its suspension and ultimate replacement. The EU-US Privacy Shield aims to protect the data of Europeans transferred to the US by putting some new safeguards in place around access to this data by public authorities. And under serious pressure after the Snowden leaks, the US has also committed to non-subjection of Europeans’ personal data to mass surveillance.

While some Internet companies had already begun to address these challenges by looking at the fixed locations where data is stored, the construction of in-region data centres, or usage of localised cloud or content delivery services only addresses part of the problem. Understanding the cross-border routing of data is an important part of the compliance analysis, but is often overlooked, despite in many ways being a more complex problem.

germany passport privacy border thinkstock photos johannes86
– Thinkstock / johannes86

The problem at hand

Imagine a German company that has a data centre in Frankfurt and services end-users across Germany. It limits its internet traffic to a local Tier 1 network, let’s say, Deutsche Telekom, expecting to confine its internet traffic to Germany. That company would probably be pretty disappointed to learn that it can probably expect somewhere in the region of 20 percent of its traffic actually exits the geographic boundaries of Germany before crossing the border again to reach end users. And all because of where the pipes through which the data flows run.

This scenario isn’t theoretical, it’s real and is indicative of the situation everywhere and there are other factors to consider that complicate matters further. For companies that hold particularly sensitive data – personally identifiable information, health data, sensitive banking information, etc. – are routing and storage options versatile and customisable enough to provide specialised routing for particular types of data in compliance with domestic laws?

Then there’s the data that travels internationally, passing through countries that the end-points may have sensitivities around. This might stem from politics, lax local network security, or trade sanctions. How well do we really understand transit paths, and even when we do, are policies in place to reroute traffic quickly?

Everything that has happened with Safe Harbour, just goes to show that even highly structured legal regimes can still produce sudden uncertainty. While that remained in place for 16 years before it was superseded by the EU-US Privacy Shield, It’s unlikely that such a lengthy period of time will pass again before regulations are adjusted; so how quickly can you adjust your technical solutions if regulations change?

Curing what ails you

Content delivery networks and cloud providers are not in a position to solve the problem on their own, as many are limited by their own internal networks and geographic commitments. Even major Tier 1 networks, as our Deutsche Telekom example illustrates, frequently route traffic across several sovereign borders. There is no silver bullet for compliance with the EU-US Privacy Shield and the governance of data flows, but visibility into routing paths along the open internet and private networks should be part of the solution.

A German company may find 20 percent of its traffic exits Germany before reaching German customers

Addressing the problem from a data residence perspective is incomplete at best, and can lead to a false sense of confidence that regulations are being adequately complied with. So many companies these days rely on the global Internet to serve their customers, and in this era of increasing geographic restrictions, visibility of real-time traffic patterns, along with geo-location information, provides them with a much more complete solution to the problems posed by the EU-US Privacy Shield framework.

Dave Allen is senior VP & general counsel at Dyn