July 8, 2016
(source: Wikimedia Commons)
Two weeks on, the result of the UK referendum on membership of the European Union (EU) continues to reverberate around the world. Forrester provided advice for clients needing to understand the business implications. Looking at the specific impact on public cloud deployments in Europe introduces a number of additional points. These are best considered in three separate contexts:
- that of companies wishing to serve customers in the UK
- that of companies wishing to serve customers in the remaining 27 EU member states (the EU27)
- that of companies wishing to serve customers in the EU27 from a base in the UK.
EU27 data centres may be OK for UK data, and local British options abound
The UK remains the world's fifth largest economy. As such, it's a market that UK, EU27 and global businesses will wish to serve. Pre-Brexit solutions for serving UK customers remain as valid as before the referendum. Companies only interested in serving the UK market may even find that their regulatory burden decreases. CIOs have good choices for hosting services aimed at their UK customers:
- There are lots of data centres in the UK. Cloud providers like CenturyLink, IBM, Oracle, Rackspace, and Salesforce already run from UK data centres. Hosting and colocation companies like Digital Realty and Equinix also operate multiple UK locations. Companies serving UK customers from UK data centres should continue to do so.
- The hyperscale providers said they would come, and haven't back-tracked. In late 2015, AWS and Microsoft announced plans to open UK data centres for their public clouds. Those plans have not changed. Stressing the importance of the UK market, a Microsoft spokesperson commented that "We will continue to monitor the UK regulatory landscape to ensure our investments here continue to meet the needs of our customers and partners." AWS' head of enterprise strategy remains "committed" to their investment plans for the UK.
- EU27 data centres can do everything they did pre-Brexit. Plenty of businesses run workloads related to UK customers from public cloud infrastructure in another European country. The use cases for which those EU27 data centres were chosen remain valid, and there is no pressing need to bring workloads on-shore. In any future divergence of EU27 and UK data privacy laws, it is likely that EU27 legislation will tend to be stricter than Britain's. Data centres compliant with EU27 laws will, in all likelihood, be as capable of also meeting UK requirements as they are today.
- Non-European data centres can keep doing what they did before too. Many organisations already store and process UK data in cloud data centres outside the EU. Most of that data is not sensitive or personally identifiable. The rest is probably governed by frameworks like the European Commission's model contract clauses. The non-sensitive stuff can stay where it is. The more sensitive data, because it's protected by European model contract clauses, requires closer examination. Some may be ok. Some could, conservatively, be repatriated to data centres in the UK or EU27. But you've got two years (or more) to conduct a proper data audit.
EU27 services delivered from EU27 data centres can carry on as they are
Brexit has legal and practical implications that extend far beyond the shores of the United Kingdom, and the general economic and political uncertainty may have a dampening effect on business spend and consumer confidence. But one area that is not directly – practically – affected is the provision of digital services to EU27 markets from data centres situated somewhere in the EU27.
Those services often were (and still are), also offered to the UK, and those customer records will be stored alongside records on citizens from the EU27. Despite comments, above, about the likely course of any divergence between UK and EU27 law in this area, it would be sensible to evaluate the ease with which UK customer data might be separated from that of EU27 customers. A situation requiring this separation may never arise, but take the time to prepare and work through any issues now.
Europeans relying on UK data centres need to watch the GDPR with care
By far the biggest opportunity for complexity and confusion arises when an organisation uses facilities in the UK to serve customers in the EU27:
- UK data centres operate in a European regulatory environment. Regulations such as Europe's 1995 Data Protection Directive were enacted in local legislation across member states (as the 1998 Data Protection Act in the UK, for example). Today, data from France that could be stored and processed in Belgium or Luxembourg can just as easily be stored and processed in Germany or Italy… or the UK.
- With the GDPR, regulations get stricter and even more tightly harmonised. But that 1995 Directive is being replaced by the General Data Protection Regulation (GDPR), which formally comes into force in every EU member state in 2018.
- After Brexit, the UK may no longer comply with GDPR. The UK government may enact laws that mirror the protections and penalties of the GDPR. Individual companies operating from the UK may demonstrate their technical compliance with the GDPR's requirements. But either or both would be far more complicated than simply falling under the GDPR itself. Cost, complexity, and uncertainty will rise, particularly as there is no requirement for the European Commission or EU27 states to quickly accept the assurances of the UK government or UK-based businesses that they have done what they promised.
- Rackspace, which currently runs its EMEA public cloud from English data centres, sought to reassure customers: "We meet and exceed E.U. and U.K. legal requirements on how we process any customer Personal Data, and intend to continue doing so." Simon Abrahams, Head of Market Strategy and Insight, stressed the company's portfolio of services, including support for the EU27-based public clouds of AWS and Microsoft. He concluded, "it's no secret that Rackspace is looking at its options for a direct presence in Continental Europe, which in due course would provide broader delivery capabilities within the EU."
- Using the UK as an easy gateway to the EU27 will not work. Some US companies see Brexit as an opportunity, as the UK is assumed to favour light-touch regulation. That this will make the UK an easier place for US companies to operate may be true. Extending that logic, to suggest the UK therefore makes a good base for US companies delivering services into the EU27, makes less sense. To operate in the EU27 from anywhere outside the EU27 requires compliance with relevant EU27 regulations. A US company offering EU27 services from the UK may find itself in the unenviable position of having to comply with three contradictory regulatory regimes; those of the US, the UK, and the EU27. Technically possible, but a constant drag on the sales pipeline.
WIM – Brexit brings friction, not train-wreck
At its simplest, the public cloud makes a lot of sense. A globe-spanning network of data centres, optimised for technical efficiency, able to allocate workloads based on requirements such as cost, latency, or load-balancing. The reality is more complex. Public cloud providers make pragmatic decisions that break up the neat technical uniformity of their offering. Customers demand the ability to ensure that data never leaves (or enters) particular regions of the world. Microsoft works with a local partner to deliver a 'special' version of Azure in the German market. AWS introduces additional access controls in front of a government-friendly offering in the US. Everyone compromises and partners to push services into the lucrative Chinese market. Data centres are opened in countries for reasons that are more about politics than physical proximity or network latency.
Again and again, the neatness of the model is compromised in response to the realities of the markets in which it is offered. Brexit brings just one more example of that. Most workloads will continue, largely unaffected by the political repositioning.
Brexit doesn't break most of the cloud-based usage models already in place. Companies already make decisions about where data is stored and processed, and work through audits and compliance checklists that direct some data to the server in the basement, some to a data centre in a specific country, some to a data centre in a particular region (like the EU), and some to the cheapest/ fastest/ greenest/ whatever location. For most use cases, most of the time, those decision making processes simply gain an additional wrinkle, and an additional consultation with the legal department. Those wrinkles add complexity, and that complexity adds cost. But if those cloud-based workloads are valuable enough to the business, they will survive Brexit.