The tendency for our world to get smaller may have reversed itself, if just temporarily, in 2016. With Great Britain preparing to get ready to start the initial beginnings of a first phase of an initiative to leave the European Union, and with the United States wasting no time building its bridge to the 20th century and beyond, New York-based SaaS collaboration provider Intralinks announced Wednesday its intent to build a second data center facility in Frankfurt, Germany, to help its clients navigate this rapidly growing world.
It’s no initiative, or even the beginnings of one. As Intralinks CTO Richard Anstey told Data Center Knowledge, it’s an effort to enforce the underlying connections between applications and customer data, in such a way that personally identifiable data never actually crosses borders into potentially dangerous foreign territories.
“Organizations that store and process personally identifiable information (PII) pertaining to E.U. citizens must follow a detailed set of rules, or face fines of up to 4 percent of global turnover (if their failure to follow the rules results in a breach of privacy),” Anstey told us. “The Intralinks Trust Perimeter is a set of controls, both technical and legal, that will help organizations to satisfy the regulation — especially when their business process requires them to share information beyond their own organizational boundaries.”
It’s an intriguing system that takes advantage of an emerging definition in European law, as Anstey explained to us, regarding the location of encryption. Common sense might tell you that encrypted data housed on servers located in a country is effectively hosted in that country.
But common sense and European law are two concepts often separated by a variety of common languages. In this case, said Anstey, there is an emerging split between the concepts of logical location and physical location, the latter becoming more and more irrelevant from a legal perspective.
“The logical location is defined as the point of control of encryption,” said the CTO, “and some (including Gartner) have stated that this is the definition of location that will become more important over time.”
Under the terms of the E.U.’s General Data Protection Regulation, each member state is independently responsible for enforcing the directive, by means of its own data protection authority (DPA). It’s the DPA that has the authority to impose fines. But because Internet data may cross many European state boundaries, it may come under the scrutiny of several DPAs along the route to its final destination.
Thus the need for Trust Perimeter — a kind of “line-in-the-sand” which maintains the logical location of encrypted customer data at one central point. That point is Frankfurt, thus the need for Intralinks’ second data center. Beyond stating it’s working with Deutsche Telekom subsidiary T-Systems in the development of its Frankfurt #2 center, Anstey declined to go into further details, for what he said were security reasons.
A New World of Unsharing
With Trust Perimeter centered in what has already become the cloud nexus of Europe, Intralinks’ customers will maintain control of encryption key distribution. This offers the bonus capability, Anstey said, of “unsharing” previously distributed, encrypted information, simply by invalidating the key with which it was originally signed.
Just last Tuesday, the U.K.’s Investigatory Powers Act became official royal law, requiring UK-based ISPs to maintain customer browsing data, and other sensitive items, for at least 12 months. Some doubts have been raised that the E.U.’s regulations would be enforceable in the U.K. following the split. This while Brexit may yet get under way, and a (very) new administration sets up shop in Washington. We asked Intralinks’ Anstey how these global tectonic shifts may affect the landscape for its own customers.
“The GDPR applies to the handling of personally identifiable data of E.U. citizens by any organization on the planet,” he responded. “U.K. being in or out of the E.U. doesn’t change the applicability of the GDPR for organizations handling this type of data. It is possible that post Brexit, the U.K. could join the U.S. on the list of countries whose laws do not satisfy the E.U. as being ‘safe’ for data storage and processing.
“This is where the legal elements of the Intralinks Trust Perimeter can help by establishing legal mechanisms by which data can be transferred beyond the ‘safe’ countries. Nobody knows how this will play out in the future. Some organizations may prefer to have data stored in the U.K. post-Brexit, while others under different regulation may feel the need to store and process data within the E.U. Either way, with the Intralinks Trust Perimeter, we now have them covered.”
What are some of the options available to Intralinks clients who may be transacting with systems in the U.S., and are those options likely to be adjusted after January?
“Legal options available as part of the Trust Perimeter include a set of contractual controls known as the ‘E.U. model clauses,’” responded Anstey, “as well as adherence to the E.U./U.S. Privacy Shield framework. We are not aware of any specific changes associated with the future Trump administration, but will be watching closely to ensure we continue to provide suitable optionality to our customers.”