NetSuite: Safe Harbour Decision Was “Jarring”
But NetSuite’s CIO Doug Brown tells TechWeekEurope firm is ready to respond to Safe Harbour 2.0
CRM provider NetSuite has said that the decision last month by the CJEU to make the current Safe Harbour regulations for EU customer data transfer to the United States invalid was “jarring”.
Speaking to TechWeekEurope, NetSuite CIO Doug Brown said that it was just the day before the EU’s October 6 ruling on Safe Harbour that he was discussing with analysts how business unfriendly a ruling would potentially be. Brown also thought that in any such a ruling a significant care period would be in place to prepare businesses for the change.
“Oh boy was I wrong,” said Brown. In fact, the US and EU have just until January 31, 2016 to draft new frameworks to regulate the safe transfer of data across the Atlantic.
“If by the end of January 2016 no appropriate solution is found with US authorities, and depending on the assessment of the transfer tools by the Working Party, EU data protection authorities are committed to take all necessary and appropriate actions, which may include co-ordinated enforcement actions,” a document from the Article 29 Working Party, a group composed of representatives of the national data protection authorities (DPA), the EDPS and the European Commission, states.
Clarity
“What’s most jarring of all about it is that there are uncertainties. What I’m hoping is that Safe Harbour and GDPR (General Data Protection Regulation) are clarified soon and that we can have some certainly for folks.
“I’m optimistic we’ll have clarity really soon, and we’re watching it,” he said.
NetSuite certainly positioned themselves better than some for the change in law. It was only this summer when company CEO Zach Nelson announced plans for two European data centres: one in Dublin, Ireland, and the other in Amsterdam, Holland. But he did so with some nonchalance for EU customer data regulation.
“We’re not that worried about the compliance environment,” Zach Nelson said, as reported by V3. “Even today we have a lot of customers in Europe and they’re all using the data centre in the US. It’s frankly not about performance as we’re delivering great performance out of the data centre even though it’s miles away.”
But Brown told TechWeekEurope that Nelson simply meant that, as far as sticking to regulations is concerned, NetSuite has no worries when it comes to compliance.
“He said “not worried” and I think I agree with that – but I want to clarify that “not worried” doesn’t mean we’re not paying attention to it. It means we think that we’re well positioned to respond as the market evolves – and it definitely is.”
Data centres
With the two new data centres ready to keep EU data strictly within the EU, NetSuite shouldn’t be breaking any regulations soon.
Duncan Brown, analyst at IDC, told TechWeekEurope: “If [NetSuite] keeps its data in an EU data centre then it is compliant with EU law as it stands today. Furthermore, it is perfectly feasible, and quite common, for data centre or cloud providers to offer data separation by geography: for example, AWS offer this as standard.”
Doug Brown agrees. “If you have multinational subsidiaries, as we often do with the OneWorld product and other services that we provide, you can have a US subsidiary and a German subsidiary – in those cases what we’re expecting folks to do is make a determination as to which geographic suits their business best and then it will be housed inside of that,” he said.
No surprise
But IDC’s Brown said that there should have been no shock at the CJEU ruling. “Safe Harbour should not have been a surprise to anyone following the EU discussions on data protection and privacy. In fact, Safe Harbour was destined to be invalidated by the new EU general data protection regulation (GDPR) anyway, so the judgement just brought it forward,” he told TechWeekEurope.
For now, with its European region, NetSuite said it can allay the fears of its customers in the EU but Brown said it isn’t the same for some of its rivals.
“There are definitely some cloud providers that aren’t as well positioned because they haven’t focused on the regions and privacy or security. If you look at just data centre locations as an indicator, that’s a pretty good one,” he said.
“Even if in the case that the EU Safe Harbour 2.0 passes soon, I think that the general climate is a preference for data locality, and even if the regulations are cleared and there’s a path forward for legal transfer of data, I think that the appetite for the Europeans to have local data has increased.”