Privacy Shield should mean greater legal certainty about EU-US data

01 March 2016

Dave Allen, SVP and general counsel, Dyn

Months after the ground-breaking decisions by the European Court of Justice to invalidate the US Safe Harbour, representatives from both sides of the Atlantic have now agreed the ‘Privacy Shield’ to govern the transfer of data between jurisdictions.

Of course, the devil will be in the details. But this regulatory development is a move toward greater legal certainty regarding the flow of data between the US and Europe. During this era of emerging and unsettled geographic restrictions on cross-border data flows, the ruling shines a light on the need for enterprises to have visibility into actual routing paths of their data. 

Since revelations about data collection practices by US government agencies, many countries have imposed geographic restrictions on where data can go. For example, Russia requires all personal data about its citizens to be stored and processed on servers physically in its own country.

Some internet companies have already begun to address these challenges at the data residency level, looking at fixed locations where data is stored, constructing in-region data centres, and using localised cloud and content delivery services.

But this only solves part of the problem. Understanding the actual paths data takes, and where it crosses borders, is in many ways a much more complex and important issue for businesses to get to grips with.

Take for example a German company with a data centre in Frankfurt and end-users across Germany. It limits its internet traffic to a local tier 1 network and therefore fully expects its internet traffic to remain in the confines of Germany. 

However, upon analysing traffic patterns in real time, that company would be disappointed to find out that around 20 per cent of its traffic actually exits the borders before coming back to reach its users.

This is vitally important information for businesses to be aware of. Without it, how can they be in a position to comply with the domestic laws that apply within specific geographic boundaries?

Therefore, addressing the problems posed in light of this new framework solely from a data residency perspective is incomplete at best, and can lead to a false sense of confidence that regulations are being adequately complied with. Access to traffic patterns in real time, along with geolocation information, provides businesses with a much more complete solution.