
The Impact of EU Data Privacy Legislation on the Enterprise File Sync and Share Market

Determine your provider's EU compliance strategy

Summary

Catalyst

The enterprise file sync and share market is expanding worldwide, as companies meet the need for employees to exchange information and collaborate on documents across different geographies, jurisdictions, and time zones. However, some cloud-only services face a challenge in the European Union (EU), where legislation is in preparation to extend protection of individual citizens' data privacy. Although the actual law is set to come into force only in 2017 or 2018, Ovum argues that everyone in the enterprise file sync and share value chain, from providers to enterprise customers and individual end users, needs to be aware of the changes under current discussion within the EU. Companies should start work on their data governance framework now, with a view to fine-tuning it for full compliance as and when the law is passed at the end of 2015 or early 2016.

Ovum view

Even though the lawmaking process often appears to move at glacial speed, there is no doubt that the EU Data Privacy Regulation is coming. Whether it actually comes into force in 2017 or 2018, companies offering or using cloud services in EU territory need to pay heed to it now. This includes providers and users of cloud-based enterprise file sync and share services. Ovum's advice to business and IT decision-makers is to become fully acquainted with the general themes and direction of the new legislation now, even though these may undergo further changes in the coming months.

Key messages

- The EU is adapting to a new technology landscape, with the drafting by the European Commission (EC) of the General Data Protection Regulation (GDPR).
- The advent of cloud services has led the EC to expand the remit of privacy legislation to cover data collectors and data processors from outside of the EU.
- The EU is a secondary market for most enterprise file sync and share vendors, many of whom are based in the US. This leaves some organizations within the region feeling uneasy, especially where data residency is a sensitive issue.
- Enterprise file sync and share vendors vary in their adoption and verification of privacy programs.
- Supporting modern, mobile work styles is adding to the compliance challenge.
- There will always be enterprises who mandate an EU datacenter for their public cloud services.
- Companies in the EU mulling their options for enterprise file sync and share services will have to factor in whether potential providers have an EU datacenter.
- Hybrid enterprise file sync and share solutions, such as Egnyte, appeal to large enterprises that want to leverage their existing infrastructure and accommodate future requirements.
- The Egnyte approach to enterprise file sync and share is pragmatic as well as practical.
- The Egnyte Enterprise File Services Suite ranks as a technology leader in Ovum's enterprise file sync and share capability model.

Recommendations

Recommendations for businesses and institutions

Know the law and question potential enterprise file sync and share providers accordingly

This report will help you familiarize yourself with the main points of existing data privacy legislation in the EU countries in which you operate, as well as the general direction of the upcoming Data Privacy Regulation (see Table 1). Quiz any prospective cloud service provider on their stance regarding the upcoming law. If they are headquartered in the US, do they have Safe Harbor certification verified by a third-party organization such as TRUSTe? Are they investing in a data center presence within the EU or European Economic Area?

Evaluate the enterprise file sync and share market methodically, paying particular attention to business, IT, and end-user requirements

There is an enterprise file sync and share solution to address almost every business need, but not one that meets them all. CIOs and IT decision-makers should be prepared to accommodate complementary products and solutions based on the organization's needs.

The appeal of cloud-based services and file storage solutions is undeniable, but business and IT managers know that many business scenarios are not suited to this model. There are practical issues, information security management issues, and IT service management issues that impede the way to cloud solutions, so a hybrid approach is a more tenable option for large organizations.

Content sprawl is inevitable but can be minimized. CIOs should therefore work with the business to find simple ways to steer users, activities, and content toward managed solutions.

Europe is updating its data privacy legislation

The EU is adapting to a new technology landscape

Provision for the protection of data privacy within the EU was first made under the Data Protection Directive of 1995. While it underwent a degree of extension with the E-Privacy Directive of 2002 (which took into account, for instance, the information gathered by cookies), by the beginning of this decade there was widespread recognition in Brussels that technology had moved on, and a new regulatory regime was required to deal with the world of smartphones, tablets, universal broadband connectivity and, perhaps most of all, cloud services.

Thus, in 2012, the European Commission (EC) unveiled a draft General Data Protection Regulation (GDPR) that, once full agreement has been reached on the subject with the European Parliament and the European Council, will supersede all previous EU legislation on the subject.

ection/news/120125 en.htm

Text of the proposal can be found ument/review2012/com 2012 11 en.pdf

The GDPR aims to simplify compliance

Besides bringing the EU's regulatory stance on data privacy up to date, the GDPR also aims to simplify compliance by creating a "one-stop shop." This would be a central authority with which companies, organizations, and institutions will be able to agree on the steps they need to take, rather than having to deal with a separate regulator for each of the 28 member states in which they have operations.

The scope of legislation expands in the GDPR

Data processors are now also covered by regulation

The advent of cloud services has led the EC to expand the remit of legislation to cover not only companies that collect data on individuals (which may be customers or potential customers) and the data subjects (i.e. the individuals whose data is being collected for analysis), but also what it calls data processors. These are companies who are performing some function on the data, or even whose infrastructure is used to process it somehow, even though they are not custodians of the data in the way that the collectors are.

Collectors and processors from outside the EU are included in the new legislation

Another extension of the scope of proposed legislation in the GDPR is the company's country of origin. The GDPR covers all organizations collecting and/or processing EU citizens' private data within the EU, whether or not the companies themselves come from a member state. This is, of course, of immense importance in the context of cloud services, where so many of the leading cloud service providers, and so much of the innovation in services, come from the US.

Data residency is a big issue

The data processor category would include all manner of cloud service providers, whether they are offering infrastructure, platform, or software as a service (IaaS, PaaS, or SaaS). An example would be Amazon Web Services (AWS), whose cloud-based storage service, S3, carries all kinds of data for a multitude of organizations, some of it no doubt encrypted. But as a data processor, AWS would still have certain data privacy responsibilities in the EU once the new law comes into force.

Among these is data residency, which is already an issue under current legislation in a number of European countries, and will become a more stringent requirement across the EU in the GDPR. Data on EU citizens cannot be stored outside the European Economic Area (the EEA, i.e. the EU countries plus Iceland, Liechtenstein, and Norway) in countries that do not have equivalently strong data protection standards.

There are currently just 11 countries that meet the EU's requirements for an equally stringent data privacy and protection regime, with the US notably absent from the list. The countries with an adequate level of protection for data transfers outside the EEA are:

- Andorra
- Argentina
- Canada
- Faroe Islands
- Guernsey
- Isle of Man
- Israel
- Jersey
- New Zealand
- Switzerland
- Uruguay

For more information, data-protection/principle-8-international/

This is clearly a major challenge for cloud service providers from the US, which is home to 67% of all cloud services. Such companies typically move into Europe initially with only sales offices, relying on their data centers in North America for service delivery. Even if they do establish a data center presence in the EU, they need to be careful that, in setting up their replication routines for data protection and disaster recovery/business continuity purposes, the replicated volumes stay within the borders of the European Economic Area.

The Safe Harbor program

In order to bridge the differences in approach to data privacy between the EU's 1995 Directive and the US government, as well as to provide a streamlined means for US organizations to comply with the Directive, the US Department of Commerce, in consultation with the European Commission, developed a "safe harbor" framework. It also set up a website to provide the information an organization would need to evaluate – and then join – the US-EU Safe Harbor program. However, only 8.9% of US cloud services providers have currently gone through the self-certification process. A select few have elected to have their compliance with Safe Harbor verified by TRUSTe, a leading online, independent privacy management services provider.

Profiling may prove the most difficult topic of all

Perhaps the most contentious issue of all for anyone engaged in e-commerce will be that of profiling. This is the practice of analyzing a person's online behavior (what sites they visit; what pages they go to within those sites; where they stay the longest; at what times of day they like to shop online; what payment mechanism they prefer etc.) in order to tailor product marketing and promotions to appeal to them.

The fundamental question here is one of consent. There is a clear desire on the part of many eurocrats and legislators to impose some form of consent requirement for personal data to be used in profiling and, even more so, for it to be forwarded from one data collector to another for profiling purposes.

This currently looks like being an "opt-in" clause, whereby the individual will have to expressly consent to having their data used in profiling, though there are also moves in some quarters to introduce the "opt out" alternative, which would mean that data could be used unless an individual specifically refused for it to be. It is Ovum's opinion that, given widespread support for data privacy across the EU in the wake of the Snowden revelations, opt-in is more likely to prevail in the regulation rather than opt-out.

Table 1: Some of the major changes in the GDPR

GDPR issue: One-stop shop
  Change: Companies will agree their compliance stance with a single EU-wide regulator instead of one per member state.
  Impact: Simplification of compliance. NB this plan is still not 100% guaranteed to come into force.

GDPR issue: Data processors
  Change: Data privacy legislation is extended from data controllers and subjects to a new class of actor, the data processor.
  Impact: CSPs, SaaS providers et al need to comply with EU Data Privacy law.

GDPR issue: Extraterritoriality
  Change: Companies headquartered outside the EU are covered by the law if they are handling data on EU residents.
  Impact: Non-EU EFSS vendors must pay heed, investing in local data centers, for instance.

GDPR issue: Data residency
  Change: Data on EU data subjects cannot be transferred outside the EEA. For US companies, Safe Harbor certification is required.
  Impact: As above. US providers should also invest the resources needed to achieve Safe Harbor certification validated by a third party such as TRUSTe.

GDPR issue: Profiling
  Change: A data subject will need to give consent for their data to be passed to other data controllers than the one to whom they gave it for purposes of profiling.
  Impact: This will potentially impact data processors if they are using or forwarding information to other data controllers, or indeed using it themselves for profiling purposes. NB there is still debate as to whether consent will need to be explicit or can be implicit.

Source: Ovum

New EU data privacy legislation will present additional challenges to enterprise file sync and share vendors

The EU is a secondary market for most enterprise file sync and share vendors

One of the most common concerns that enterprises have when considering cloud services, especially those used for storing and accessing business information and content, is regulatory compliance. This is often made more challenging because each vendor has its own market priorities and approaches depending on the industries and geographies that it currently serves and targets. This can make life complicated for the CIOs and compliance managers of multinationals, even when suppliers take a proactive approach to compliance matters. Maintaining regulatory compliance within a single market is not easy for any business, and this is especially so for those enterprises whose operations, products, or services span the globe.

The majority of enterprise file sync and share vendors are headquartered in the US, clustered around the Silicon Valley area, and Ovum notes that privacy-related issues sometimes catch these vendors off-balance, as domestic requirements differ significantly from the European region. Meeting the requirements of multiple markets with the same set of services undoubtedly adds cost and complexity to any service delivery model, and this will impact the business plan of any vendor. So, organizations based in the EU should examine the commitment of US-based file sync and share companies by looking at the vendor's investments in the region, and not just sales offices.

Enterprise file sync and share vendors vary in their adoption and verification of privacy programs

Ovum interviewed 19 vendors in the course of producing the Ovum Decision Matrix for Enterprise File Sync and Share (August 2014, Report ID: IT0021-000018), and while there was general recognition that "hoops have to be leapt through" to do business with EU businesses and institutions, there was no common approach to addressing changes in legislation. However, those vendors that are adopting a truly global approach to the enterprise file sync and share market, such as Egnyte, do appear to be investing in expertise with a focus on compliance issues beyond the domestic horizon.

In practice, this means that they employ specialists to look across the markets that they wish to target and serve, and then evaluate these markets to determine their unique regulation and certification requirements. From this assessment, a control set is developed that determines what the vendor has to do to control its products and services to achieve regulatory compliance in a given market. Ideally, these controls should be verified and validated by an independent body or assessor; however, it is not uncommon for companies to self-regulate, perhaps through the use of data privacy management (DPM) solutions.

The US-EU Safe Harbor List (http://www.export.gov/safeharbor) maintains details of organizations that have notified the Department of Commerce that they adhere to the US-EU Safe Harbor Framework developed by the Department of Commerce in coordination with the European Commission. As noted above, the US-EU Safe Harbor Framework provides guidance for U.S. organizations on how to provide adequate protection for personal data from the EU as required by the EU's Directive on Data Protection.

Supporting modern, mobile work styles is adding to the compliance challenge

There are many established organizations operating successfully and compliantly under multiple, different privacy regimes. These organizations have traditional IT systems, data center operations, and business processes geared to conducting business under regulated conditions in different parts of the world. However, they still want to benefit in some way from cloud services and new application models, such as file sync and share, especially where there is a need to support modern, mobile work styles.

Employees also want to make use of new devices and modern tools, and this presents significant challenges for organizations that operate under strict information management regimes. For example, nearly half of the individuals responding to the Ovum Global Employee Survey (n = 5,187) said they were using file sync and share technology to get work done, and the vast majority, some 90%, admitted to using at least one unmanaged product, such as a consumer version of Google Drive, Dropbox, Microsoft OneDrive, or Apple iCloud.

Rolling out access to a managed, cloud-based enterprise file sync and share solution is one way of regaining control of sensitive content, but there is no guarantee that any of the solutions available today will meet the specific privacy requirements discussed above. The market will respond to any changing privacy legislation, but not without issues and complexity along the way.

As mentioned above, there are a number of vendors offering enterprise file sync and share services from US datacenters that operate under the US-EU Safe Harbor Framework. There are EU native vendors with offerings also. It should also be noted that there are vendors offering on-premises products that support "private cloud" deployments. The final category of solution is architected for a hybrid deployment model, i.e. customers can store content on-premises and in the cloud, based on user profiles and information properties.

Enterprise file sync and share products differ in terms of their architecture and deployment models

There will always be enterprises who mandate an EU datacenter for their public cloud services

There are practical as well as political reasons for organizations based in the EU to stipulate an EU datacenter for the storage of data and content when evaluating cloud-based services and solutions. The practical reasons tend to be related to latency issues, recognising that not every business or region of the EU has super-high-speed, global Internet access. There are many enterprises in the EU that continue with in-house IT strategies, albeit with technologies, products, and processes borrowed from cloud service providers. These are essentially private clouds, and a range of products exist to satisfy this section of the market. On-premises enterprise file sync and share products are offered by traditional incumbents, such as EMC, IBM, and Microsoft, plus a number of new entrants to the enterprise content management market, with AirWatch (a division of VMware) and Egnyte the two most prominent leaders in the market.

Organizations headquartered in the EU prefer it when cloud services providers have a regional datacenter

Datacenters are costly to build and run, so choices and strategies that relate to economies of scale are required to make them profitable businesses. These economies of scale are generally enabled by particular technology stacks and operational procedures that can be consumed by the widest possible commercial audience. Some vendors offering commercial file sync and share services elect to build their own technology stacks and datacenters. These are often optimized to meet the specific needs of their business model and the services they deliver.

Examining the market leaders group in the Ovum Decision Matrix for Enterprise File Sync and Share, it is clear that several vendors, including Egnyte, are able to offer enterprise customers a choice of datacenter for the storage of content and instantiation of ser
