Data Privacy – Data centre location
Whether you are a provider looking for somewhere to buy, lease or build, or a customer looking where to place your data, deciding on the best location for a data centre will involve a myriad of different considerations. The regulatory regime, overhead costs, political climate, language, tax, environmental issues and the risk of government access are just some of the factors to take into account.
In this article, we look at a few of these issues in more detail – both from a provider and a customer viewpoint. Unfortunately, there is at present no ‘data centre utopia’: a jurisdiction where all of these issues are perfectly addressed. Inevitably therefore, providers and customers will have to consider the available options, balance the various advantages and disadvantages in each case, and choose the country which best suits their business needs.
The regulatory regime: is lighter better?
A light regulatory regime (in particular thinking of data protection and environmental compliance) has obvious advantages for a provider. In addition to the actual costs of compliance, heavy regulation can also entail regulatory fees and the legal costs of identifying the obligations in the first place. A lighter touch regime will also significantly reduce the risk of any subsequent regulatory action, the disadvantages of which are self-evident.
However, choosing a country which does not provide sufficient regulatory controls may well be a double-edged sword for providers looking to attract customers to their data centre. Providers should be wary of simply fleeing to the Land of Least Regulation. Since in most cases a customer will not be able to avoid its regulatory obligations by simply outsourcing the task to a service provider, those organisations which are subject to regulatory controls in their own country are likely to want a provider who can guarantee a similar level of compliance.
A common example of this is the EU restriction on international data transfers to countries which do not ensure adequate levels of protection (other countries such as Canada and Australia also have similar rules). It may be very easy to comply with the local law in somewhere which offers only very minimal data protection (e.g. in Africa or the Middle East), but this may well discourage customers subject to stricter European requirements. There are consequently advantages to giving customers the option to keep their data within the European Economic Area. Alternatively, a provider can agree to comply with certain principles of EEA data protection law regardless of the location of the data centre, for example by using the Model Clauses, adopting Processor Binding Corporate Rules or registering with Safe Harbor in the US.
Where to get the energy?
The two most significant resources for a data centre are land and energy, and the cost and availability of each will be crucial. Since a data centre can use as much energy as a small town, being in a country where energy is cheap and in a location where the power source is nearby (and reliable) will be a massive consideration.
The location of the data centre may also be a factor in the amount of power needed in the first place. Since a significant proportion of the power will be used to keep the data centre cool, choosing a country with a consistently cool climate can help to reduce these costs. Oil and gas may be cheap in the Gulf region (and certainly there is plenty of land in the desert), but keeping a facility below 22°C in an area where temperatures frequently reach over 45°C provides an additional challenge. The cold climate was one of the factors behind Facebook’s decision to utilise a data centre in northern Sweden in 2013 – its first facility outside the US.
Data centre providers are also under increasing pressure from environmentalists to reduce their dependency on fossil fuels and explore other forms of electricity generation, such as hydroelectric power and wind farms. These alternative sources of energy are often more readily available in more remote locations.
Customers will generally be happy with anything which reduces the costs of the service, so cheap resources or energy efficiency will always be a plus. However, having ‘green’ credentials may be a significant selling point for a provider operating in a competitive marketplace, notwithstanding that these alternatives may be more expensive than traditional fossil fuels.
For providers targeting customers in the banking industry, putting your data centre far from your customers may not be an option. High-frequency trading requires information to be exchanged at such rapid speeds that even the additional milliseconds required for a signal to reach the Arctic Circle rather than a location in Greater London may make a crucial difference.
Who can access the data?
The ability for governments, regulators and the providers themselves to access the data is undoubtedly a significant (and increasing) concern to customers. It is pretty much unavoidable that by establishing a data centre in a particular country, the data stored there may be accessible by government bodies in that country. How big a risk this is depends broadly on the local political regime; it is not only a question of the ability of the government to require access to the data, but also the government’s likely appetite for such action and any controls imposed by the domestic law and/or courts. Place your data in China and the risk of the government demanding access is probably higher than if you place it in Ireland, for example.
The revelations about PRISM and the US National Security Agency collecting data from internet companies only served to heighten existing concerns regarding the US Patriot Act and use of FISA Orders. Leaving aside PRISM (as perhaps rather too murky waters for this short article), any company which is located or has its headquarters in the US is at risk of receiving a FISA Order to produce any documents within its “possession, custody or control”. Critically, this could include documents which the company’s subsidiaries overseas have the ability to access as part of their data centre services – so theoretically customer data in Europe. This means that, if you are a US provider, it may not matter where your data centre is – you are at risk of a FISA Order regardless.
For a provider headquartered outside Europe, it may therefore be more important to consider the local regulator’s view of requests from foreign law enforcement. How sympathetic are they to a company caught between the rock of a US FISA Order and the hard place of EU restrictions on data transfers? The UK ICO, for example, has said that it is unlikely to take regulatory action against a provider because it is responding to a request it is legally obliged to comply with. Interestingly however, the ICO commented that it could reconsider this position where the request came from a country which has “questionable rule of law”.
Of course it is not only the US who may seek data from outside their own jurisdiction—nor is the Patriot Act the only means the US has of doing so. A network of Mutual Legal Assistance Treaties between countries allows foreign governments to request information from local law enforcement.
For a customer which wants to limit its exposure to foreign governments looking to access documents overseas, there are certain jurisdictions which may be less co-operative with foreign requests, and less tolerant of those companies who comply. The UK ICO’s view is that regulatory action against a customer whose data has been transferred to the US by their provider would be unnecessary, because the customer has not acted wrongly by simply choosing a provider which is subject to foreign law enforcement agency requests. On perhaps the more restrictive end of the scale, the German authorities have been particularly vociferous in their response to the PRISM revelations (although we would caution how much of this may just be rhetoric).
Regulation, energy and the threat of access by the authorities are, of course, just three of a wide range of issues which providers and customers will take into account when deciding the best location for their data. One final point to bear in mind: things change; regulators, resources and regimes all change – even climates are changing. Of course it is impossible to entirely future-proof your business, but you should consider the stability of any particular location factor when weighing it up in your decision.