23 minute read
3.3.3 Preliminary interview results and analysis
Drafting interview questions The desk research questionnaire and analytical framework developed in Tasks 1 and 2 respectively were used as the basis for developing the interview questions. We developed a standard interview questionnaire, which was used as a starting point and which we adopted to each specific interviewee. Such flexibility was important as the situation and background varied considerably between the interviewees. Adapting the questions to the specific answers provided by the stakeholders in the survey, the Study team was able to ask the “right” questions to maximise their input for a more comprehensive picture of the operation of barriers in their Member State.
Contacting stakeholders and organising interviews In concurrence with the design of the interview questions, selected stakeholders were contacted by email in order to arrange the interviews. Emails were followed up by phone calls to confirm receipt of the email and to try and arrange interviews in a timely manner.
Advertisement
Holding interviews and reporting The interviews were structured to be conducted either through conference calls or video calls (using Skype) with the interviewees. Each interview lasted between thirty to forty-five minutes and it followed a similar outline, namely: a brief introduction to the study by the interviewer, a tour de table of the parties, discussion of specific questions and answers, a description of the next steps of the study and explanation of how and when the interview reports would be used and any anonymisation requirements. During the interview interviewees’ views and experiences were discussed in detail, with regard to data location restrictions impacting them and/or their organisations and / or their sector to gain a better understanding of the local situation and practical operation of data location restrictions and /or barriers. Following the interview, an interview report was written up and sent to the interviewees for feedback and validation, after which the reports were revised and finalised. The validated Interview reports were sent to the EC as attachment to the First Interim Progress Report and any remaining reports were thereafter sent by email. These can be found in Section 6 (Annex III). Please note that not all interview reports can be made available due to anonymisation requirements of certain organisations.
3.3.3 Preliminary interview results and analysis The study team has carried out twenty interviews, across the main relevant sectors, where the interviewees have a presence in a specific Member State or across the EU or even globally. A majority of interviews (11) were held with stakeholders from industry, more specifically with companies operating in cloud computing services and/or the telecommunications sector and associations representing those companies either at national, EU level or globally. Two of these were SME’s and three were Industry Associations that represent (amongst others) SMEs. Three interviews were conducted in the financial sector and two with organisations that are active in the health sector. Four interviews were held with a public sector authority. Below we provide a summary of the interviews, divided per sector.
Industry It appeared from our interview with European Business Association Business Europe that their members are generally keen to acquire more knowledge on the existing national legal /regulatory data location restrictions. Additionally, there seems to be an appetite for a reduction in unjustified data location restrictions across EU Member States; a lot of businesses find that the current patchwork of legal requirements with regard to data location and cloud makes it difficult to provide and / or develop cross border services within the EU.
Cloud service providers such as interviewee Amazon are frequently confronted with data location requests from major customers, who require that data remain in their local jurisdictions. Amazon decided to diversify their data centre locations, since it allows them to meet these concerns in a scalable way. Usually the drivers are compliance related, mainly over data protection concerns. Further, Amazon stressed that regulators and customers should understand that they provide IaaS services, which differs from many other types of cloud providers, in that they do not know what data is involved in their activities. Amazon thus does not, and is not required, to know if and what kind of (personal) data are on their services. Consequently, it cannot assume responsibility for compliance with legal requirements. Thus, customers have to make the right choices to match their legal requirements, and to ensure appropriate security. It is important for Amazon to “remain agnostic on this point. Otherwise it would be a risk for privacy and security reasons. We cannot see the customers’ data, and do not want to do that, or assume legal liabilities on this point.” It is interesting to note that Amazon occasionally engages with regulators in order to provide assurances to their customers that they can use our services in a compliant way. This was also the case with the Dutch regulator (the Dutch Central Bank), which has publicly listed Amazon as (currently one of 14 in total) service providers that agreed on the inclusion on the right to examine in their contracts with regulated financial institutions, in accordance with Dutch legal requirements.
The EU's largest IaaS company, OVH, stated in the interview that they are mainly confronted with the legal requirement that data must stay within the EU in order to facilitate legal compliance. Operationally for OVH “this requirement does not make any difference, since all of our data centres apply the same security practices”. This means that they are ISO compliant and certified, and apply the same procedures to ensure security. OVH added that these requests usually come from the public sector and from industries with sensitive data, such as banks. OVH have no knowledge on the type of data these concerns. With regard to the location of their data centres, OVH are a principally EU based organisation; their compliance with EU laws and principles is an important argument for many of their customers. OVH added that the international market is dominated by a few large international players, and the stronger EU level requirements allow EU service providers to survive more easily in the market: “It is not so clear that an EU service offering by EU providers would exist if there were no data location requirements or expectations”. Within the EU, OVH operates data centres in a few EU countries, including France and Germany, which are countries “where there is a lot of demand for data to stay locally”. Digital Europe, an association representing the digital technology industry in Europe, considers “the removal of regulatory and non-regulatory barriers as crucial to ensure that European digital technology businesses can work across the EU and compete globally.” The main data location requirements that their members encounter within the EU “are related to audits and controls, and interactions with regulators and supervisors.” They find that the definition of national level requirements, such as the requirement to meet local standards or to obtain local permissions, or to interact with national regulators, can be difficult. Many times businesses cannot identify the exact requirements, and there is simply a lack of knowledge, which in turn causes businesses to be more careful. Digital Europe also argued that some local requirements could be harmonised or implemented at the EU level, for example by aligning standards or cooperating between regulators. This could be organised through sector specific consultations and reviews of legislation. “The public sector could also play a role there: there seems to be more of a tendency to keep public sector data in local/national clouds. That does not provide a good example to the market.”
Global Cloud Company Exact Online uses data centres in seven locations, and offers a private cloud deployment model to allow customers to run the services locally. They informed us that they locate EU customer data in two British Rackspace data centres close to London while part of the data for the Netherlands and Belgium are stored at Microsoft Azure with data centres in Ireland and the Netherlands. They chose those countries principally “in order to satisfy demand for high security and audit controls”. Exact’s choice for an EU location: ”was also driven by legal requirements”, where “Data protection and information security are key objectives”. It should be added however that Exact provides “assurances to our customers on security and availability, not on legal compliance. We don’t guarantee compliance with national accounting rules, or data protection. We work globally, so that would not be manageable.” If customers request local storage, then these are met by private cloud services. It seems that there is not a need of interacting with national supervisor authorities, or at least this does not happen systematically, because in practice: “we make sure that our customers can access their data in the cloud, and they can provide it to the authorities. Any other system would mean we need to communicate directly with regulators, and that would be very difficult from a confidentiality perspective. We cannot judge which requests are legitimate; that should be the customer’s decision”.
A telecommunication company that requested anonymisation, pointed out that the complex and fragmented legislative landscape on storing and processing of data is one of the main obstacles for many telecommunication companies that want to expand across borders.
One of other our interviewees, an SME delivering research and consultancy services to both the public and private sector38, proffered that the level of importance of the location of data servers of their cloud provider(s) depends on the type of client. When working on German government projects, data cannot leave Germany, meaning that a local server should be used. However, even if these are stored on a local data centre in Germany, we do not know for sure where this data actually is, and if it is safer. The same interviewee pointed out that data location restrictions, e.g. with regard to health data, can have a detrimental effect on infrastructures of IT businesses, which rely on the outsourcing of certain data processing activities. Data centres are opening in countries where energy process is cheaper, such as Northern countries (e.g. Finland). In this case the German provider would just be a virtual service, while processing on machines is done in Finland. With regard to security of the data, the interviewee suggested that it would be useful if two data centres should be in place, to ensure proper back-up, however currently backup is not organised that way in practice, meaning that security may be high but the availability of the data is not ensured.
When asked about the cost of compliance with data location restrictions, our interviewee pointed out that one needs to look at the benefits too: it might be cost related to data security but restrictions may make some companies money.39
From our interview with a French small (not for profit) industry association, representing IT companies in France, it appeared that their members’ experience with the free flow of data is ambiguous: “There are global leading companies amongst our members who would always advocate the free flow of data. At the same time, some of our member’s businesses depend on the local market and it would be in their favour to have national / regional data location restrictions in place. Such restrictions would increase their business.”
38 Institute for Infrastructure Economics & Management (IEM). 39 Their own cost relates to the more expensive services to be used when working for the German government. This might be 10 times more expensive than using a non-local provider.
The Computer & Communications Industry Association (hereinafter also referred to as “CCIA”) argued that there is an evident lack of clarity with regard to the national legal framework within the EU. For example, the results from a contracted research study in six EU Member States40 showed various legal restrictions with regard bookkeeping/accounting, tax and other financial data. Data location restrictions with regard to accounting data have a profound impact as every company (big or small) has accounting obligations. CCIA noted, however, that good practices are shown in France and Denmark, who have changed their laws so that accounting data can be stored in the cloud as long as tax authorities can gain access to these data digitally. Another concern mentioned by CCIA is a push towards data having to be stored within the bigger countries, which have a protectionist environment with regard to data location, which means that smaller countries are losing out. “… investments are being made in data centres in bigger countries (e.g. Germany), even if these are not the best countries to invest in in terms of environment (green energy) or cost, which can be seen as a misallocation of investments.” Hence, in Europe we are not reaping the benefits of the single market and are all paying a premium for storing our data. The biggest losers are suppliers of the data centres (e.g. IBM, Microsoft), as they cannot establish datacentres in the location that is the most economical or greenest etc. Regarding ICT users, CCIA stated that one can say that the more dependent a company is of data location storage, the higher a premium one pays for it. This situation will continue to expand, while we continue to use (more) cloud services. According to CCIA only a very small amount of players can potentially benefit from the currently fragmented market: local telecoms or postal services providers, which pick up contracts driven by local data location and “which are many times more expensive than when we would have a free market”. The ideal solution suggested by CCIA would be to put in place an EC Regulation, clarifying the rules and opening up data location within the EU. In addition, a strong notification process should be in place where any national rules have to be approved by the EC.
A software and services company that requested anonymization, stated that the location of data is not an issue which particularly affects their business, because hosting data is not their core activity. Our interviewee suggested that in 80% of cases, their customers’ data is located in the costumers’ infrastructures, while in the other 20% they use a local data centre in Belgium, where the company is based. The reason for choosing that location was: “not because we are legally required to keep the data locally, at least not as far as we are aware, but because a local data centre facilitates interaction with the operators. We have direct contacts with them and know them personally”. Our interviewee mentioned that recently customers had insisted on using local data centres. Our interviewee noted that the reason of those requests could concern “independence and protection against incidents. They want the data to stay under their exclusive control, and not worry about anyone else being able to get access to it. The other aspect is legacy and habits: they had appropriate solutions in place, and didn’t want to change them”.
40 ECIPE Policy brief No. 03/2016: ‘Unleashing Internal Dataflows in the EU: An Economic Assessment of Data Localisation Measures in the EU Member States’ by Matthias Bauer, Martina F. Ferracane, Hosuk Lee-Makiyama, Erik van den Marel.
A representative of E+Europe argued that is evident that local differences (e.g. national data locations restrictions) cause market failures with a negative effect on the Digital Single Market. Our interviewee reported examples of existing (direct and indirect) data location restrictions across the EU which were found through aforementioned ECIPE study on unleashing internal dataflows in the EU. For example, Luxembourg financial rules do not forbid people from storing the data outside their country; however, they make it difficult and cumbersome as storage outside Luxembourg is only permitted under strict conditions41. Germany is another example where companies may prefer or feel obliged to keep the data within the country. Indirect data location restrictions tend to originate from costumers (e.g. customer’s reticence). Additionally, E+Europe mentioned that the number of national restrictions within and outside the EU (e.g. Russia) has increased. However, there are good examples such as the USA, where such restrictions are rare. A solution suggested by E+Europe would be to abolish any restrictions with the exception of restrictions based on national security objectives, allowing storing and moving data freely within the EU. “I think at this point, we would need an EU regulation which says that MS have to justify any data location restrictions. They would thus have to explain the public policy objective that justifies the restriction”.
Financial sector The Study team interviewed stakeholders from the financial sector, representing organisations active at the European, global and national level. This group of stakeholders can be divided into two categories: a) Commercial businesses operating in the financial sector and that experience barriers in the free flow of data (i.e. a national bank with a global presence and a European banking federation; b) a national financial regulator who makes decisions on the flow of data at national level.
Hence, we were provided with differing perspectives on free flow of data restrictions in the EU. With regard to the first subgroup of interviewees, interview reports show that financial organisations experience various barriers with regard to the use of cloud services, which generally falls under outsourcing. For example, our interviewee at a Spanish financial institution mentioned that national financial regulations limit the free flow of data across the EU, which is amplified by the fact that these rules differ from one EU Member State to another. In Spain, banks (so no other financial organisations such as Fintechs) have to notify the national Financial Supervisory Authority each time they want to outsource a service (including a cloud service). In practice, this authorisation process can significantly increase time to market. Thus “bringing agility to this procedure and having harmonisation across EU member States is fundamental for banks to be competitive in the Digital Single Market.” In Spain, other non-legal barriers identified are related to a lack of a digital cloud culture or a lack of a data-driven culture, which can be translated in uncertainty in using new technologies such as cloud computing services.
Our interviewee in Spain declared “at the moment we use cloud computing for non-core business activities such as google apps and collaborative tools for employees; however, the bank would like to develop the use of cloud computing also to the core business (e.g. financial data, client data) in the near future”. Interviewees also stated that their organisations are working on developing the use of cloud computing to store and transfer data (e.g. financial data, client data) and strategies to make
41 See Circular CSSF 12/552 on central administration, internal governance and risk management, as reported in this report under section 2.3.2, figure 5, see also section 6, Annex II.
the outsource process more agile and less burdensome to be competitive in the Digital Single Market. Banks also increasingly make use of data analytics to develop products for their clients and find themselves restricted by data location requirements. Additionally, differences between requirements and rules on data transferring and cloud computing between the US and EU were highlighted as well as the direct impact that the more lenient requirements in the US have on the competitiveness of EU banks (e.g. when they want to transfer data outside the EU).
The manner in which national financial regulators exercise their supervisory power, can possibly have an impact on the development of use of cloud services. If a national regulator is mainly concerned with prudential supervision (as opposed to rule-based supervision), the focus is on the monitoring the solvency position, liquidity and operational risks which suggests that there is more room for national financial institutions to chart their own course to those results. In the same vein, a national regulator that follows the principle of prudential supervision, is merely concerned with ensuring that a proper risk analysis is being performed by financial institutes and that the ‘right to audit’ is being guaranteed in outsourcing contracts. The national regulator that we interviewed, mentioned that they get a lot of questions with regard to the requirement to submit a risk analysis when outsourcing in the cloud as this is perceived as a difficult requirement. To mitigate this, the regulator has created a model risk analysis, based on ENISA standards. The same regulator noted that most cloud service providers do not translate legal and regulatory requirements concerning the right to examine in their contracts (i.e; standard contracts of big service providers may include restrictions as to visiting rights of supervisory authorities).
Health sector With regard to the health sector, the Study team has interviewed two stakeholders, namely a Portuguese biomedical research centre, and a European committee operating in eHealth. They were chosen in order to represent various views as they differ in terms of size (small vs big) and area of activity (European vs national).
These stakeholders reported legal and operational requirements regarding the location of data in this sector at both national (PT) and EU level. As mentioned under section 2, the common thread which with regard to health sector data flow restrictions is that these are intended to safeguard the security and confidentiality of the data. More specifically, the Biomedical Law Centre mentioned that they encounter restrictions to the free flow of medical research data from Portugal to third countries, which mainly apply to personal (health) data. It also referred to an issue relating to genetic data which can only be accessed/processed by physicians with a specific professional formation (e.g. Professors in genetics). Other physicians or health professionals can only access genetic data if the patient has given his/her prior consent.42 The law provides that the health unit or hospital is itself responsible for keeping the genetic data secure.
Cocir submitted that most health care providers wish to retain complete control over the health records, so that data cannot be accessed by third parties without their knowledge and the patients’ consent. The main issue is not just the legal obligation to keep data in a certain location, but rather to ensure that it is confidential and secure. The establishment of secure systems across borders is
42 Lei 12/2005, Informação genética pessoal e informação de saúde provides, amongst other things, that files with genetic data regarding healthy individuals may not be accessed by, transferred to or analysed by doctors or any other health care professional(s) (Article 6 (5)) and that genetic databases which allow for an identification of ‘family members’ must be supervised by a doctor with specialisation in genetics or, in case such person is not available, by another doctor (Article 7(3)).
very difficult. Cocir furthermore explained that they are unsure if auditing rules are being commonly negotiated and exercised; this might exceed the technical capabilities of the users, and also their resources. “This is also why specialised health care cloud service providers should be preferred: not only do they know the context and the requirements, but also they will be known to local regulators and professional bodies, who can work with them to ensure that the systems are secure and useful. If that does not exist and systems can be chosen completely freely, there is no assurance of security and compliance with local requirements. That would be the biggest problem for a cross border system.”
Public sector Our interview with the Ministry of Public Administration, e-Croatia Directorate, confirmed that public registries have to be stored in data centres that are located in Croatia43. Our interviewee, who was actively involved in the drafting process of that law, confirmed that this restriction was a specific requirement of the members of Parliament, for security and confidentiality reasons: the Croatian state deals with important data that defines the rights and obligations of citizens, which need to be secured. It was noted that without that data the State would have difficulties to function.
This interview further gave the study team some insight on how the Croatian government approaches the use and development of cloud by the public sector. In line with the governmental eCroatia Strategy, the government currently develops a Shared Service Centre that will provide IaaS, PaaS and SaaS services for public institutions. The aim is to have a state-owned and managed cloud (government cloud) for storage of certain types of data (such as data classified as being critical for the functioning of the State). Hence, the state owned cloud is being developed for several reasons: first, to ensure a high security and maintenance level for citizens registries; second, to ensure the reuse of software solutions by institutions and the same procedural behaviour for civil servants/users while providing/using the same processes/services; finally, to ensure a financial consolidation in ICT expenditures of public institutions.
The Danish Business Authority, which has a lot of practical experience with the application of the Danish Bookkeeping Act. The old Act provided that accounting data had to be stored in Denmark, however this is now been amended. ”The amendment of the Bookkeeping Act establishes that financial records can be stored abroad in an electronic format, provided that the authorities have access to the data. Thus, this has become a functional requirement rather than a location requirement. There is no need for approval before sending electronic data outside Denmark, whilst under the former regime, such storage abroad was only permitted, subject to a separate dispensation from the Danish Business Authority.” Interviewees further gave the study team some insight on the Danish Business Authorities’ thoughts on the benefits of getting rid of unjustified requirements: “it is good for businesses to have a choice; they should agree with service providers as they see fit and should be able to choose the service provider that delivers the best quality service for the best price. […] If you are required to have data localised in specific MSs, there is also a higher risk of hacking.”
Summarising remarks As can be deducted from the above, our interviews have given the study team further insights in the identified restrictions, in terms of practical implications (what are the implications and how do stakeholders deal with them), drivers behind such restrictions and possible solutions. Additionally,
43 In accordance with the State Information Infrastructure Act.
data location restrictions identified by our study team during desk research were often confirmed while and an additional legal compliance obligation was identified in Portugal.44
Generally, can be said that a majority of interviewees and/ or their members experience a lack of clarity or knowledge of current data location rules across Europe. The fragmentation of the legal framework was often mentioned as principal reason. In this respect, smaller companies seem to experience disadvantages the most, due to a lack of knowledge and recourses to deal with data flow restrictions. Although some interviewees suggested that national data location restrictions may create business opportunities for some industry players focussing on national markets, it was generally proffered by interviewees from the industrial, health and financial sector that such fragmentation hinders the development of cross border services within the EU and hence of the digital single market.
A common thread with regard to the justification or drivers behind data flow restrictions seems to be that these are intended to safeguard the security of data, which counts slightly stronger for the health and financial sector. Notably in the financial sector, auditing obligations / the right to examine remains an imperative feature for regulators. The manner in which national financial regulators exercise their supervisory power can possibly have an impact on the development of use of cloud services. For example, a national regulator that follows the principle of prudential supervision is merely concerned with ensuring that a proper risk analysis is being performed by financial institutes and that the ‘right to audit’ is being guaranteed in outsourcing contracts, while other regulators take a more proactive role. Such differences may thus create an un-level playing field between Member States.
The location of data centres seems to be driven by demand for high security and audit controls, mostly based on customer but also on legislative demands.
Proffered solutions included harmonisation amongst certain requirements throughout the EU, for example by aligning standards or promoting cooperation between regulators. The public sector could provide good examples by starting to take their data out of private, local clouds. Others suggested the creation of EC Regulation, clarifying the rules and opening up data location within the EU, in combination with a strong notification process where any national legal restrictions have to be approved by the EC.
44 See PT: Lei 12/2005, Informação genética pessoal and informação de saúde.
