The EU Safe Harbor ruling of earlier this week throws more uncertainty into the realm of data, location, and privacy. If you weren’t paying attention, the European Court of Justice effectively struck down a trade agreement that has allowed US cloud-based service providers to deliver services across Europe, with data transiting back to the US, as long as they abide by certain European privacy laws. This agreement, which has been in place for more than 15 years, provided a framework for US providers to store EU residents’ data on US servers. You can learn more about it here.
Authentic8 is the second cloud-based business I’ve started. When I started Postini in 1999, the European data privacy laws created a fog of uncertainty that kept many enterprises from cloud-based vendors. The Safe Harbor decision of July 2000, where the EU courts basically considered US companies to be in compliance if they followed consistent data privacy practices, allowed vendors like us to deliver service to European customers without significant, local legal effort.
The fog cleared. Our business grew. But we had a feeling that the underpinnings of the agreement were thin. Like any other self-certified program, it was more a paperwork effort than an actual data privacy framework. Compliance was voluntary, and unlike formal certification or accreditation programs, there was no process or review board. So we set about developing product functionality that would allow us and our customers to comply with the spirit of the agreement. We wanted our customers to be able to choose what data was stored and where their data lived.
As an enterprise software vendor, we thought it would be critical to give customers control and reassurance, regardless of the status of any trade agreement. So we built a data opt-out capability into our system and service infrastructure in various regions, created geographical bindings for user data in the systems, and, where appropriate, had locals in-region managing resources. What we ended up delivering was a superset of the EU requirements. We gave customers in each region the ability to tune the service to meet their needs.
It is with the same global privacy perspective that we built the Authentic8 infrastructure. Silo is our browser that lives in the cloud. That cloud-based instance could be in the US, Europe or Asia. And your packets might route through your local region or a remote region. You might want some data -- like first-party cookies or site credentials -- to be stored within Silo. Or you may want to shut it off. Above all, you’ll want your user and usage data to be opaque to us as a service provider, so we let you tokenize user data and encrypt logs with an encryption key that you provide.
With these tools, not only do our customers get to abide by the requirements of the law, but we give them the peace of mind to know exactly what data we’re keeping (if any) and who has access to it.
The point is that not all US vendors are interested in collecting user data in a centralized point and performing analytics on it. This is the second time we've built global infrastructure that allows in-region execution, obfuscation of data, and ultimate control for the customer. I think more enterprise cloud vendors need to think this way. Not only for reasons of regulatory compliance -- which we’ve learned is volatile -- but as a good business practice. Building around customers’ need for control should take precedence over internal needs for efficient scale or centralized analytics.
In the coming months, the world of cloud-delivered services is going to be sucked into the data privacy maelstrom. We can’t do anything about your web-based services, but you can be assured that your browser abides by stricter standards: those that you impose on us, not those that are referenced in a passage of a trade agreement.