In January, Austria deemed Google Analytics not suitable for GDPR-standards since the tech giant can't sufficiently promise to not hand over sensitive data such as IP addresses to the US government. Once again, location matters even in the age of globalization.
Content:
Initiated by the organization Noyb and the data security activist Max Schrems, the complaint stated that Google Analytics did send sensitive data to an international organization which is not in line with the standards of the General Data Protection Regulation, a European standard that makes sure that sensitive data in European countries and by European citizens is protected from unjust usage (source: derstandard.de).
After the decision in Austria, France and Italy followed in its footsteps to proclaim Google Analytics as non-compliant (source: itechpost.com).
Many companies involved with data sharing and processing, have set up European servers and locations after the GDPR was made official in 2018.
Especially US companies tend to have problems since they can't sufficiently guarantee that they won't share data with American secret services, since it is embedded in US law that they are required to.
To ensure data security, they don't just need local servers but also additional contract clauses that can sufficiently protect the independence of EU data (read more at Reuters).
As it turns out, no matter how connected we are, localization still matters when it comes to data. This is especially important since the need of data centers is only rising. Artificial intelligence, 5G, cloud-based technology, quantum computing - nearly all digital megatrends demand more data speed, resources, and processes. In fact, as PWC points out, data centers are getting attention from real estate investors.
‘Data centers are the factories of tomorrow, the literal foundations of our increasingly interconnected, digital world’, said Thomas Veith, German Real Assets Leader, PwC.
According to PWC, Germany is an especially attractive country for data centers, a statement Statista confirms. Germany has 453 data centers, closely followed by the UK with 448 data centers. Placed third is the Netherlands with 276 centers, a steep difference to the top 2 countries.
At DIGITALL, you'll receive the right tools, training, and support for a Cyber Security strategy that is flexible, transparent, and pro-active.
But data center location is not just important when it comes to security regulations.
Data centers are physical spaces that need to be placed in countries that are both politically stable and relatively safe from climate events (such as floods, earthquakes, heat waves, etc.). The ongoing crisis in the Ukraine as well as increasingly extreme weather phenomenon indicate that this topic will become more important in the future.
Local servers can have a big impact on the overall connectivity, resulting in latency and loss of speed. Connectivity can be impacted by many things, from lack of infrastructure and interfaces to weather.
Additionally, providers often prefer connecting different centers to counter-act whenever one center has technical difficulties by creating backups and decrease "single points of failure" as Salesforce puts it on their website.
With more globally acting companies opting for localized servers to protect data and increase performance, the cost will increase, especially once data centers have become attractive real estate. Some countries will always be more cost intensive than others but might also provide more security and quality (or might be necessary to adhere to regulations). It will therefore be important to keep an overview on all data centers and measure their cost effectiveness.
Speaking of cost effectiveness: climate can also affect costs due to higher maintenance needs in countries with heat waves, high humidity, etc.
Most data centers need extra cooling measures to keep the servers at optimal temperatures. Especially colder regions are currently sought after as locations because providers can save money. However, everywhere else, the needed energy resources are not just a question of costs but also of sustainability.
With the ongoing climate crisis, more providers are looking for sustainable cooling and power sources to keep the carbon footprint of their data centers low. Personally, I expect an increase in innovative technology not only by tech leaders but also new market players in the next 5-20 years.
Here's an interesting look into Microsoft's measures which are also presented as best practices for other providers.
Usually, companies that have multiple data center locations across the globe, tie the services to the location of the customer (e.g., based on their billing address, as stated in contracts, or otherwise). Depending on your internal compliancy rules as well as general data regulations, it is important to make sure that you pick providers who can offer you fitting data center locations.
Location alone does not make a data center compliant, that's why it is important that you include all necessary requirements into the contract. For example, if a US-company has a data center in Germany, you still need to agree on additional contractual clauses and audits to make sure that sensitive data can be kept safe.
Additionally, specific industries need to meet special requirements (e.g., in healthcare, finance, or public services). Specialized vendors or global actors that cater to a vast number of different industries usually have standardized processes and contracts for these cases.
Leading tech companies such as Microsoft and Salesforce offer comprehensive lists ((here and here) of their data centers including those from third-party providers. A trustworthy provider will always be very forthcoming with any information regarding the location of your data because that is crucial if you need to check security measures.
Additionally, since you're responsible for your data even when it's being processed / accessed by third parties, you should always be able to receive all relevant information to make sure that your data is safe. This includes site access. As Kate O'Flaherty wrote in 2019, many companies will want to visit data centers in person for detailed risk assessments. Given that GDPR has put control in the data "controller's" hands, data "processors" need to be more transparent and accommodating to fulfill all necessary requirements.
At DIGITALL, we work with global technology partners that adhere to security regulations and standards in sensitive industries such as Healthcare, Finance, and Public Services. Our experts can give you the right support to evaluate and select the right technology for your digital strategy as well as your compliance requirements.