
Data Residency, Data Sovereignty and the Mad Scramble

Posted by ownCloud GmbH – 7. October 2015

We’re a software company and our roots are in the open source community where, just four years ago, we started to believe there was a better option for file sync and share—a better alternative to cloud-based vendors like Dropbox and Box—and we put a stake in the ground. We wanted people to have control of their data and decide who sees what and when. The addition of mobility and desktop client capabilities added usefulness, and then somewhere along the line, developers got together to build 215 (and growing) apps for ownCloud. Users want to control their data on their terms, and they want the same convenience and even more innovation compared to consumer cloud services.

But the key point about control is data residency: the declarative place at which data resides. Until yesterday, Europeans could choose to share their personal data with any US company they chose—be it an e-commerce site, social media channel or a business associate—provided that such company self-certified for the Safe Harbor agreement. It was implemented in 2000. But in Tuesday’s ruling, the European Union Court of Justice ruled that the terms of Safe Harbor are not only insufficient, but violate the EU’s terms on data privacy and rights to proper justice.

In real terms, the Wall Street Journal suggests that 4,500 US tech companies will be directly impacted, including any of the large cloud services: Google, Apple, Facebook, Amazon, Microsoft, Salesforce, Dropbox, Box and more. The implications are a bit overwhelming as companies of all sizes scramble to realize and overcome the huge barrier that seems to be interpreted differently on each side of the pond. The Snowden revelations are cited in the court ruling as clear signals that data of European citizens is not protected in the same way inside the European Union compared with the United States.

And this is neither the first nor the last iteration. The Canadian Government passed the Digital Privacy Act in June of this year, which built upon the Personal Information Protection and Electronic Documents Act (PIPEDA), legislation that is similarly designed to protect PII and put companies on the hook for where data is stored and its relative security. There is a lot of talk of risk and trying to assign it accordingly.

But let’s take this back to the user and the (perhaps) prescient view we took on this topic four years ago. We have always believed that data residency and data sovereignty matter. And so do our customers and users. When the control plane for your file sync and share solution as well as the data, files and documents live on-premises, you get to control your data. Period. That means key management, metadata, access control and all the associated file info live in your own data center and not under the microscope of others. If you’re a multi-national corporation or you have multiple data sites that cross borders, your compliance needs may be different at each location. This is where federated cloud sharing gets really interesting. Each ownCloud instance retains its own control plane with discrete management and yet may share with other ownCloud deployments. In compliance, without compromise, without missing out on the innovation and convenience that end-users demand.

Today, ownCloud and its customers are not scrambling.